Date: Tue, 30 Oct 2001 20:19:32 +0900
From: Shoichi Sakane <sakane@kame.net>
To: tariq_rashid@lineone.net
Cc: freebsd-security@freebsd.org
Subject: Re:
Message-ID: <20011030201932Y.sakane@kame.net>
In-Reply-To: Your message of "Mon, 29 Oct 2001 16:23:55 +0000" <E15yFCd-0007ne-00@mk-smarthost-2.mail.uk.worldonline.com>
References: <E15yFCd-0007ne-00@mk-smarthost-2.mail.uk.worldonline.com>
> Now - the problem with this is that these "wide catching" spd also catch
> and encapsulate traffic from the localhost to the localhost, and also
> traffic from the localhost to the protected subnet.
>
> eg 10.8.0.1 (gw-A) -> 10.8.0.1 --------> fails (encapsulated)
> eg 10.8.0.1 (gw-A) -> 10.8.0.5 --------> fails (encapsulated)
>
> .. resulting in a routing loop?

The order of the policy rules is important. You should define the
bypass policy for the local communication. How about the following
policy order? For example, at gw-A:

    10.8.0.0/16[any] 10.8.0.0/16[any] any out none
    10.8.0.0/16[any] 10.8.0.0/16[any] any in  none
    10.8.0.0/16[any] 10.0.0.0/8[any]  any out ipsec ...
    10.0.0.0/8[any]  10.8.0.0/16[any] any in  ipsec ...
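Added example, not part of the thread or of the KAME code: a small model of the
SPD lookup that the reply relies on. It assumes first-match semantics in the
order the policies are listed (the point of the reply) and that traffic with no
matching entry passes in the clear. gw-A 10.8.0.1 comes from the thread; the
peer gateway 10.9.0.1 and the esp/tunnel SA spec are placeholders standing in
for the "..." in the reply. The script evaluates the two failing flows from the
quoted message against the proposed order and against the reversed order, and
renders the proposed order as setkey(8) spdadd lines.

```python
"""Model of ordered, first-match SPD lookup for the policy order proposed
in the reply above. Example code added to the archived message, not KAME's
own implementation; gw-B address and SA spec are assumed placeholders."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    direction: str   # "in" or "out"
    action: str      # "none" (bypass) or "ipsec"
    sa: str = ""     # setkey SA spec, used only when action == "ipsec"


def P(src, dst, direction, action, sa=""):
    return Policy(ipaddress.ip_network(src), ipaddress.ip_network(dst),
                  direction, action, sa)


# gw-A is 10.8.0.1 per the thread; gw-B 10.9.0.1 is an assumed placeholder.
GW_A, GW_B = "10.8.0.1", "10.9.0.1"
TUNNEL_OUT = f"esp/tunnel/{GW_A}-{GW_B}/require"
TUNNEL_IN = f"esp/tunnel/{GW_B}-{GW_A}/require"

# The order Sakane proposes: bypass (none) for local traffic first, then the
# wide-catching tunnel policies.
GOOD_ORDER = [
    P("10.8.0.0/16", "10.8.0.0/16", "out", "none"),
    P("10.8.0.0/16", "10.8.0.0/16", "in", "none"),
    P("10.8.0.0/16", "10.0.0.0/8", "out", "ipsec", TUNNEL_OUT),
    P("10.0.0.0/8", "10.8.0.0/16", "in", "ipsec", TUNNEL_IN),
]

# Same four policies with the tunnel entries listed first: the situation
# the original poster describes.
BAD_ORDER = GOOD_ORDER[2:] + GOOD_ORDER[:2]


def lookup(policies, src, dst, direction):
    """Return the action of the first policy matching (src, dst, direction).

    Assumption: the SPD is searched in listed order and the first match
    wins; with no match the packet passes in the clear ("none")."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for p in policies:
        if p.direction == direction and s in p.src and d in p.dst:
            return p.action
    return "none"


def to_setkey(policies):
    """Render the ordered policy list as setkey(8) configuration text."""
    lines = ["spdflush;"]
    for p in policies:
        sa = f" {p.sa}" if p.action == "ipsec" else ""
        lines.append(f"spdadd {p.src} {p.dst} any -P {p.direction} {p.action}{sa};")
    return "\n".join(lines)


if __name__ == "__main__":
    for label, spd in (("proposed order", GOOD_ORDER), ("tunnel first", BAD_ORDER)):
        print(label)
        for dst in ("10.8.0.1", "10.8.0.5", "10.9.0.7"):
            print(f"  {GW_A} -> {dst} out: {lookup(spd, GW_A, dst, 'out')}")
    print(to_setkey(GOOD_ORDER))
```

With the proposed order, gw-A to itself and gw-A to 10.8.0.5 hit the bypass
entry and are not encapsulated, while gw-A to a 10.9.0.0 host still hits the
tunnel policy; with the tunnel entries first, the local flows are encapsulated,
which is the behaviour the original poster reported.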