From owner-freebsd-net@FreeBSD.ORG Mon Aug 21 16:27:54 2006
Date: Mon, 21 Aug 2006 18:28:30 +0200
From: Jeremie Le Hen
To: Andrew Pantyukhin
Cc: remko@freebsd.org, thompsa@FreeBSD.org, net@freebsd.org
Subject: Re: [fbsd] Re: Routing IPSEC packets?
Message-ID: <20060821162830.GA58048@obiwan.tataz.chchile.org>
References: <44E58E9E.1030401@FreeBSD.org> <44E5F19E.9070600@isi.edu> <44E619F7.7030300@isi.edu>
User-Agent: Mutt/1.5.12-2006-07-14
List-Id: Networking and TCP/IP with FreeBSD

Hi Andrew,

On Fri, Aug 18, 2006 at 11:58:08PM +0400, Andrew Pantyukhin wrote:
> I'm actually trying to marry FreeBSD to PIX. The latter only
> supports IPSec (tunnel/transport). I'm still struggling with
> firewalls on both sides, but tunnel-tunnel works right now.
> I'm a bit puzzled because the howto I see
> (http://www.bshell.com/projects/freebsd_pix/) uses gif(4)
> with tunnel-mode IPSec. Either something is wrong with
> the way things work or the author doesn't understand what
> he's doing (or both). The bitter thing is that we have a
> similar setup in our handbook:
> http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/ipsec.html

The handbook is known to be wrong for this. ISTR there have been some
mails around there about the incorrectness of the latter page. See the
following URL:
http://docs.freebsd.org/cgi/getmsg.cgi?fetch=236856+0+archive/2001/freebsd-net/20010506.freebsd-net

And this recent thread that shows how much the documentation is
deceiving:
http://lists.freebsd.org/pipermail/freebsd-net/2005-December/009322.html

I have already been misled by the IPSec tunnel mode + gif(4) setup, and
it happens that though everything appears to work well, traffic won't go
through your gif(4) interface, which is useless (you can check this with
tcpdump(8)). I think you can simply try to remove it in this case, or
set it down, and your tunnel should continue to work correctly. This has
already been reported in this thread:
http://lists.freebsd.org/pipermail/freebsd-security/2003-October/001135.html

If you succeed to use both IPSec tunneling mode and gif(4), you will have
a double-encapsulation. Basically, you will get something like this:

    [ IP ] [ IP ] [ IPSec ] [ IP ]

As it has indeed already been stated in this thread, IPSec tunnel mode
shunts the routing table. However the new enc(4) interface that Andrew
Thompson has imported from OpenBSD allows filtering IPSec traffic in a
more natural way. Maybe it also brings the ability to route IPSec
tunnels, or even bridge them with if_bridge(4). I Cc'ed him for
clarification.

I hope this mail will serve future generations :-).

Best regards,
-- 
Jeremie Le Hen
< jeremie at le-hen dot org >< ttz at chchile dot org >
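An added check, not part of the original mail or of FreeBSD, that flags the double-encapsulation setup described above: it matches setkey(8) tunnel-mode SPD entries against gif(4) tunnels configured with the same outer endpoints. The configuration text and addresses are constructed, and the setkey/ifconfig syntax is recognised only as far as the two regexes shown.

```python
import re

# Constructed sample input (not from the original mail): a setkey(8) SPD file with two
# tunnel-mode policies and one transport-mode policy, plus the ifconfig(8) lines that
# create a gif(4) tunnel between the same outer endpoints (RFC 5737 addresses).
SETKEY_CONF = """\
spdadd 192.168.1.0/24 10.0.0.0/24 any -P out ipsec esp/tunnel/198.51.100.1-203.0.113.5/require;
spdadd 10.0.0.0/24 192.168.1.0/24 any -P in ipsec esp/tunnel/203.0.113.5-198.51.100.1/require;
spdadd 192.168.1.0/24 172.16.0.0/24 any -P out ipsec esp/transport//require;
"""
IFCONFIG_LINES = """\
ifconfig gif0 create
ifconfig gif0 tunnel 198.51.100.1 203.0.113.5
ifconfig gif0 inet 10.1.1.1 10.1.1.2 netmask 255.255.255.252
"""

# spdadd <src> <dst> <upperspec> -P <dir> ipsec <proto>/tunnel/<outer_src>-<outer_dst>/<level>;
SPD_RE = re.compile(r"^spdadd\s+(\S+)\s+(\S+)\s+\S+\s+-P\s+(in|out)\s+ipsec\s+\S+?/tunnel/(\S+?)-(\S+?)/")
GIF_RE = re.compile(r"^ifconfig\s+(gif\d+)\s+tunnel\s+(\S+)\s+(\S+)")

def tunnel_policies(text):
    """Tunnel-mode SPD entries as (src_net, dst_net, direction, outer_src, outer_dst).
    Transport-mode entries do not match the regex and are skipped."""
    return [m.groups() for m in map(SPD_RE.match, (ln.strip() for ln in text.splitlines())) if m]

def gif_tunnels(text):
    """gif(4) tunnels as (ifname, local, remote)."""
    return [m.groups() for m in map(GIF_RE.match, (ln.strip() for ln in text.splitlines())) if m]

def find_double_encapsulation(setkey_text, ifconfig_text):
    """Pair each tunnel-mode policy with a gif(4) tunnel sharing its outer endpoints.
    Every hit is the [IP][IP][IPSec][IP] stacking from the mail: the gif(4) layer is
    redundant with the IPSec tunnel. Returns (ifname, direction, src_net, dst_net)."""
    gifs = gif_tunnels(ifconfig_text)
    return [(name, direction, src, dst)
            for src, dst, direction, osrc, odst in tunnel_policies(setkey_text)
            for name, local, remote in gifs
            if {osrc, odst} == {local, remote}]

if __name__ == "__main__":
    for name, direction, src, dst in find_double_encapsulation(SETKEY_CONF, IFCONFIG_LINES):
        print(f"{name}: {direction} policy {src} -> {dst} is already tunnelled by IPSec; the gif(4) layer is redundant")
```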