From owner-freebsd-security Tue Oct 30 3:19:46 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mine.kame.net (kame195.kame.net [203.178.141.195]) by hub.freebsd.org (Postfix) with ESMTP id 842D337B401; Tue, 30 Oct 2001 03:19:42 -0800 (PST)
Received: from localhost ([3ffe:501:4819:1000:260:1dff:fe21:f766]) by mine.kame.net (8.11.1/3.7W) with ESMTP id f9UBY7H75901; Tue, 30 Oct 2001 20:34:07 +0900 (JST)
To: tariq_rashid@lineone.net
Cc: freebsd-security@freebsd.org
Subject: Re:
In-Reply-To: Your message of "Mon, 29 Oct 2001 16:23:55 +0000"
Message-Id: <20011030201932Y.sakane@kame.net>
Date: Tue, 30 Oct 2001 20:19:32 +0900
From: Shoichi Sakane
Sender: owner-freebsd-security@FreeBSD.ORG

> Now - the problem with this is that these "wide catching" SPD entries also catch and encapsulate traffic from the localhost to the localhost, and also traffic from the localhost to the protected subnet.
>
> eg 10.8.0.1 (gw-A) -> 10.8.0.1 --------> fails (encapsulated)
> eg 10.8.0.1 (gw-A) -> 10.8.0.5 --------> fails (encapsulated)
>
> .. resulting in a routing loop?

The order of the policy rules is important. You should define the bypass policy for the local communication. How about the following policy order? For example, at gw-A:

    10.8.0.0/16[any] 10.8.0.0/16[any] any out none
    10.8.0.0/16[any] 10.8.0.0/16[any] any in none
    10.8.0.0/16[any] 10.0.0.0/8[any] any out ipsec ...
    10.0.0.0/8[any] 10.8.0.0/16[any] any in ipsec ...
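The policy order recommended above, written out as setkey(8) spdadd lines and checked with a toy first-match SPD lookup, as an added example that is not part of the original mail. It assumes the KAME behaviour the reply relies on (policies are consulted in insertion order and the first match wins); the tunnel endpoints 10.8.0.1/10.1.0.1 and the esp/require level are placeholders the thread does not give.

```sh
#!/bin/sh
# Added example, not from the original mail. gw-A's SPD as setkey(8) spdadd
# lines in the recommended order (bypass first), and the same rules with
# the wide tunnel policies first. spd_lookup is a toy of KAME's lookup,
# which walks the SPD in insertion order and takes the first match.
# Tunnel endpoints 10.8.0.1/10.1.0.1 and "esp/.../require" are placeholders.
GOOD_SPD='
spdadd 10.8.0.0/16 10.8.0.0/16 any -P out none;
spdadd 10.8.0.0/16 10.8.0.0/16 any -P in none;
spdadd 10.8.0.0/16 10.0.0.0/8 any -P out ipsec esp/tunnel/10.8.0.1-10.1.0.1/require;
spdadd 10.0.0.0/8 10.8.0.0/16 any -P in ipsec esp/tunnel/10.1.0.1-10.8.0.1/require;
'
BAD_SPD='
spdadd 10.8.0.0/16 10.0.0.0/8 any -P out ipsec esp/tunnel/10.8.0.1-10.1.0.1/require;
spdadd 10.0.0.0/8 10.8.0.0/16 any -P in ipsec esp/tunnel/10.1.0.1-10.8.0.1/require;
spdadd 10.8.0.0/16 10.8.0.0/16 any -P out none;
spdadd 10.8.0.0/16 10.8.0.0/16 any -P in none;
'

# Dotted-quad IPv4 address to an integer.
ip2int() {
    _ifs=$IFS; IFS=.; set -- $1; IFS=$_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}
# True when address $1 lies inside prefix $2 (a.b.c.d/len).
in_cidr() {
    _net=${2%/*}; _len=${2#*/}
    _mask=$(( (0xffffffff << (32 - _len)) & 0xffffffff ))
    [ $(( $(ip2int "$1") & _mask )) -eq $(( $(ip2int "$_net") & _mask )) ]
}
# spd_lookup SPD dir src dst: action (none/ipsec/no-policy) of the first
# policy in SPD whose direction and selectors match.
spd_lookup() {
    _spd=$1; _dir=$2; _src=$3; _dst=$4; _result=no-policy
    while read -r _kw _rsrc _rdst _upper _flag _rdir _action _rest; do
        [ "$_kw" = spdadd ] && [ "$_rdir" = "$_dir" ] || continue
        if in_cidr "$_src" "$_rsrc" && in_cidr "$_dst" "$_rdst"; then
            _result=${_action%;}; break   # first match wins, later rules are never consulted
        fi
    done <<EOF
$_spd
EOF
    echo "$_result"
}
# gw-A to itself or its own subnet must bypass; with the bad order it is tunnelled.
echo "good order 10.8.0.1->10.8.0.5: $(spd_lookup "$GOOD_SPD" out 10.8.0.1 10.8.0.5)"
echo "good order 10.8.0.1->10.0.5.7: $(spd_lookup "$GOOD_SPD" out 10.8.0.1 10.0.5.7)"
echo "bad order  10.8.0.1->10.8.0.5: $(spd_lookup "$BAD_SPD" out 10.8.0.1 10.8.0.5)"
```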