From owner-freebsd-net  Mon Jan 14  9:12:44 2002
Delivered-To: freebsd-net@freebsd.org
Received: from boreas.isi.edu (boreas.isi.edu [128.9.160.161])
	by hub.freebsd.org (Postfix) with ESMTP id 79DD537B41A
	for <freebsd-net@FreeBSD.ORG>; Mon, 14 Jan 2002 09:12:42 -0800 (PST)
Received: from isi.edu (zw6n8uwjt0nv7v5v@b.postel.org [128.9.112.66])
	by boreas.isi.edu (8.11.6/8.11.2) with ESMTP id g0EHCGN19293;
	Mon, 14 Jan 2002 09:12:16 -0800 (PST)
Message-ID: <3C431170.5080506@isi.edu>
Date: Mon, 14 Jan 2002 09:12:16 -0800
From: Lars Eggert <larse@ISI.EDU>
User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:0.9.6) Gecko/20011203
X-Accept-Language: en, de
MIME-Version: 1.0
To: Blaz Zupan <blaz@si.FreeBSD.org>
Cc: "Louis A. Mamakos" <louie@TransSys.COM>, freebsd-net@FreeBSD.ORG
Subject: Re: Filtering packets received through an ipsec tunnel
References: <20020114173900.I2807-100000@titanic.medinet.si>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-net.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-net>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-net>
X-Loop: FreeBSD.org

Blaz Zupan wrote:

>>And before you suggest that the gif tunnels seen in all those IPSEC
>>examples actually have anything to do with IPSEC tunnels, please try
>>it and look again.  It's completely uninvolved other than introducing
>>a route as a side-effect.
>>
> 
> I'm not sure what you mean here, but shouldn't the following work: we create a
> gif tunnel between the two endpoints and just encrypt the gif traffic itself.
> Then we can filter the packets that go in and out of the gif interface.

He was referring to using gif tunnels together with IPsec tunnel mode 
SAs (are you?) This "works" but precisely because of the side effect 
that Louis mentioned. A clean solution would user *either* IPIP tunnels 
(i.e. gif devices) and IPsec transport mode *or* IPsec tunnel mode (and 
no gifs). See the KAME IMPLEMENTATION file for details, or 
draft-touch-ipsec-vpn-02.txt (shameless plug :-).

Lars
-- 
Lars Eggert <larse@isi.edu>               Information Sciences Institute
http://www.isi.edu/larse/              University of Southern California


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message