From: Lars Eggert
Date: Mon, 14 Jan 2002 09:12:16 -0800 (PST)
To: Blaz Zupan
Cc: "Louis A. Mamakos", freebsd-net@FreeBSD.ORG
Subject: Re: Filtering packets received through an ipsec tunnel
Message-ID: <3C431170.5080506@isi.edu>

Blaz Zupan wrote:
>> And before you suggest that the gif tunnels seen in all those IPSEC
>> examples actually have anything to do with IPSEC tunnels, please try
>> it and look again. It's completely uninvolved other than introducing
>> a route as a side-effect.
>
> I'm not sure what you mean here, but shouldn't the following work: we create a
> gif tunnel between the two endpoints and just encrypt the gif traffic itself.
> Then we can filter the packets that go in and out of the gif interface.

He was referring to using gif tunnels together with IPsec tunnel mode SAs
(are you?). This "works", but precisely because of the side effect that
Louis mentioned. A clean solution would use *either* IPIP tunnels (i.e.
gif devices) and IPsec transport mode *or* IPsec tunnel mode (and no
gifs). See the KAME IMPLEMENTATION file for details, or
draft-touch-ipsec-vpn-02.txt (shameless plug :-).

Lars
--
Lars Eggert                                     Information Sciences Institute
http://www.isi.edu/larse/                       University of Southern California
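The two "clean" layouts Lars contrasts, written out as KAME setkey(8) security policy plus the ipfw(8) rules that go with them. This is an added example and not part of the thread or of KAME; the addresses (outer endpoints 192.0.2.1 and 198.51.100.1, inner networks 10.0.0.0/24 and 10.1.0.0/24, p2p addresses 10.0.0.1 and 10.1.0.1), the outer interface name fxp0, and the `ifconfig gif0 tunnel` syntax (older 4.x releases used gifconfig(8) instead) are all assumptions. The functions only print configuration; nothing is loaded into the kernel unless the script is run as root with `APPLY=1`.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread or from KAME.
# Assumed addresses (RFC 5737 documentation ranges for the outer endpoints):
OUTER_LOCAL=192.0.2.1
OUTER_REMOTE=198.51.100.1
INNER_LOCAL=10.0.0.0/24
INNER_REMOTE=10.1.0.0/24
OUTER_IF=fxp0            # assumed name of the physical interface

# Option 1: IPIP tunnel (gif) + IPsec transport mode.
# Only the gif encapsulation between the two outer endpoints is protected;
# the inner packets enter and leave through gif0, so ipfw can see them there.
gif_setup_commands() {
    # $1 = local outer address, $2 = remote outer address, $3 = remote inner net
    cat <<EOF
ifconfig gif0 create
ifconfig gif0 tunnel $1 $2
ifconfig gif0 inet 10.0.0.1 10.1.0.1 netmask 255.255.255.255
route add -net $3 -interface gif0
EOF
}

gif_transport_policy() {
    # $1 = local outer address, $2 = remote outer address.
    # Upper-layer protocol 4 is IP-in-IP ("ipencap" in /etc/protocols), so the
    # policy covers exactly the gif traffic and nothing else between the hosts.
    cat <<EOF
spdadd $1 $2 4 -P out ipsec esp/transport//require;
spdadd $2 $1 4 -P in ipsec esp/transport//require;
EOF
}

gif_ipfw_rules() {
    # $1 = remote outer address, $2 = local outer address,
    # $3 = remote inner net,     $4 = local inner net
    # The ESP packets themselves still arrive on the physical interface and
    # must be allowed there; the decapsulated traffic is filtered "via gif0".
    cat <<EOF
ipfw add 900 allow esp from $1 to $2 in via $OUTER_IF
ipfw add 1000 allow tcp from $3 to $4 22 in via gif0
ipfw add 1010 deny ip from any to any in via gif0
EOF
}

# Option 2: IPsec tunnel mode, no gif at all.
# The SPD itself selects the inner networks and names the outer endpoints in
# the tunnel spec. After decapsulation the inner packet is not associated with
# any gif interface, so a rule like "in via gif0" would never match it.
tunnel_mode_policy() {
    # $1 = local inner net, $2 = remote inner net,
    # $3 = local outer address, $4 = remote outer address
    cat <<EOF
spdadd $1 $2 any -P out ipsec esp/tunnel/$3-$4/require;
spdadd $2 $1 any -P in ipsec esp/tunnel/$4-$3/require;
EOF
}

# Load a policy into the kernel SPD. setkey -c reads its commands from stdin.
apply_policy() {
    setkey -c
}

if [ "${APPLY:-0}" = 1 ]; then
    case "${MODE:-gif}" in
    gif)
        gif_setup_commands "$OUTER_LOCAL" "$OUTER_REMOTE" "$INNER_REMOTE" | sh
        gif_transport_policy "$OUTER_LOCAL" "$OUTER_REMOTE" | apply_policy
        gif_ipfw_rules "$OUTER_REMOTE" "$OUTER_LOCAL" "$INNER_REMOTE" "$INNER_LOCAL" | sh
        ;;
    tunnel)
        tunnel_mode_policy "$INNER_LOCAL" "$INNER_REMOTE" "$OUTER_LOCAL" "$OUTER_REMOTE" | apply_policy
        ;;
    esac
fi
```

Run with `APPLY=1 MODE=gif` or `APPLY=1 MODE=tunnel` on the gateway (as root) to load one layout; with `APPLY` unset, call the functions by hand to inspect the text they would feed to setkey(8) and ipfw(8). The point of keeping the two layouts separate is exactly the one in the reply: in option 1 the filtering interface (gif0) and the IPsec protection are distinct, deliberate pieces, whereas mixing gif with tunnel-mode SAs only appears to filter because of the route the gif adds as a side effect.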