Date: Wed, 24 Jan 2007 15:09:32 +0100 From: Volker <volker@vwsoft.com> To: freebsd-stable@freebsd.org Subject: IPSEC clarifications Message-ID: <45B7689C.2060209@vwsoft.com>
next in thread | raw e-mail | index | archive | help
Hi folks, I'm wondering if someone please could clarify some IPSec specific questions to me? IPSEC_FILTERGIF: What are the consequences when enabling this if one does use IPSEC (or FAST_IPSEC) w/o any GIF tunnels? Are there any or does IPSEC_FILTERGIF only influence packet flow with gif devices? NOTES says: # Set IPSEC_FILTERGIF to force packets coming through a gif tunnel # to be processed by any configured packet filtering (ipfw, ipf). # The default is that packets coming from a tunnel are _not_ processed; # they are assumed trusted. But I've found signs in the archives even while not using gif tunnels with IPSec packets are getting filtered with FILTERGIF option. I might be wrong about this. device enc: I haven't been aware of the fact that we already have such a device. There's a man page (man 4 enc) but it's not in NOTES or GENERIC. Is the enc(4) man page correct and up to date? Shouldn't there at least be a note in NOTES somewhere around the options FAST_IPSEC line with a hint for enc(4)? Is just compiling device enc into the kernel, using options FAST_IPSEC and passing (or blocking) traffic on interface enc0 using pf rules all one has to do? IPSEC / FAST_IPSEC: What is the (say) 'official' recommended option to use? Where are the differences, what are the consequences while using one or the other? Will both do the same w/o any consequences for the admin? I'm currently in the process of checking for migration to racoon2 and need to re-check every IPSec related setup. Thanks, Volker
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?45B7689C.2060209>