Date:      Mon, 18 Dec 2000 09:47:28 +0200
From:      "Ari Suutari" <ari@suutari.iki.fi>
To:        "Cy Schubert - ITSD Open Systems Group" <Cy.Schubert@uumail.gov.bc.ca>
Cc:        <freebsd-net@FreeBSD.ORG>, <freebsd-ipfw@FreeBSD.ORG>
Subject:   Re: IPFW & IPsec tunnel mode 
Message-ID:  <011801c068c6$c585d6b0$0e05a8c0@intranet.syncrontech.com>
References:  <200012161125.eBGBPkP05378@cwsys.cwsent.com>

Hi,

I read them. But I think that the final solution cannot be
'well we will have a hole like this always since it cannot be fixed'.

I wasn't saying that I want a network interface device like 'tun',
I just wanted something similar that could be used with
ipfw to more accurately specify filters.

Why couldn't we have something like this:
(imagine that a new option -n has been added to setkey's spdadd)

setkey -c << ZZZ
spdadd xxx.xxx.xxx.xxx yyy.yyy.yyy.yyy any -n my-tunnel-1 -P in ipsec
esp/tunnel/aaa-bbb/require;
ZZZ

and then

(imagine that new keyword via-ipsec-tunnel has been added to ipfw)

ipfw pass ip from any to any via-ipsec-tunnel my-tunnel-1

I think that this would just be, well, GREAT!
It would allow very easy creation of VPNs with simple rules
and without any holes.

    Ari S.


----- Original Message -----
From: "Cy Schubert - ITSD Open Systems Group" <Cy.Schubert@uumail.gov.bc.ca>
To: "Ari Suutari" <ari@suutari.iki.fi>
Cc: <freebsd-net@FreeBSD.ORG>; <freebsd-ipfw@FreeBSD.ORG>
Sent: 16 December 2000 13:24
Subject: Re: IPFW & IPsec tunnel mode


> In message <001301c0601e$34cab880$0e05a8c0@intranet.syncrontech.com>,
> "Ari Suutari" writes:
> > However, pipsecd only supports fixed keys and Kame seems more
> > like the future way to go. Would it be possible to enhance ipfw & kame
> > to work together better in the same way (like having some kind of name for
> > each tunnel and allowing an ipfw rule to use them in a similar way as
> > 'via' is used with interfaces)?
>
> Check the -security archives.  This was just discussed about a month
> ago.  In that thread a KAME developer explained why it cannot be
> accomplished.
>
>
> Regards,                         Phone:  (250)387-8437
> Cy Schubert                        Fax:  (250)387-5766
> Team Leader, Sun/Alpha Team   Internet:  Cy.Schubert@osg.gov.bc.ca
> Open Systems Group, ITSD, ISTA
> Province of BC
>
>
>


