From owner-freebsd-security Fri Aug 2 10:27:42 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 5BC6737B400 for ; Fri, 2 Aug 2002 10:27:33 -0700 (PDT)
Received: from rwcrmhc52.attbi.com (rwcrmhc52.attbi.com [216.148.227.88]) by mx1.FreeBSD.org (Postfix) with ESMTP id 9E4A743E75 for ; Fri, 2 Aug 2002 10:27:32 -0700 (PDT) (envelope-from crist.clark@attbi.com)
Received: from blossom.cjclark.org ([12.234.91.48]) by rwcrmhc52.attbi.com (InterMail vM.4.01.03.27 201-229-121-127-20010626) with ESMTP id <20020802172732.GPWM22139.rwcrmhc52.attbi.com@blossom.cjclark.org>; Fri, 2 Aug 2002 17:27:32 +0000
Received: from blossom.cjclark.org (localhost. [127.0.0.1]) by blossom.cjclark.org (8.12.3/8.12.3) with ESMTP id g72HRVJK007077; Fri, 2 Aug 2002 10:27:31 -0700 (PDT) (envelope-from crist.clark@attbi.com)
Received: (from cjc@localhost) by blossom.cjclark.org (8.12.3/8.12.3/Submit) id g72HRT7p007076; Fri, 2 Aug 2002 10:27:29 -0700 (PDT)
X-Authentication-Warning: blossom.cjclark.org: cjc set sender to crist.clark@attbi.com using -f
Date: Fri, 2 Aug 2002 10:27:29 -0700
From: "Crist J. Clark"
To: Eric Masson
Cc: Matthew Grooms, dlavigne6@cogeco.ca, Mailing List FreeBSD Security
Subject: Re: esp tunnel without gif(4) [Was Re: vpn1/fw1 NG to ipsec/racoon troubles, help please ...]
Message-ID: <20020802172729.GA6880@blossom.cjclark.org>
Reply-To: cjclark@alum.mit.edu
References: <20020730074813.GF89241@blossom.cjclark.org> <86znw5r9h3.fsf_-_@notbsdems.nantes.kisoft-services.com> <86k7n9qv08.fsf@notbsdems.nantes.kisoft-services.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <86k7n9qv08.fsf@notbsdems.nantes.kisoft-services.com>
User-Agent: Mutt/1.4i
X-URL: http://people.freebsd.org/~cjc/
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

On Fri, Aug 02, 2002 at 02:56:39PM +0200, Eric Masson wrote:
> >>>>> "Emss" == Eric Masson writes:
> >>>>> "Crist" == Crist J Clark writes:
>
> Follow-up to myself and -security re-added.
>
> Crist> I've never figured out why people use gif(4) interfaces when ESP
> Crist> does the tunneling for you.
>
> Emss> Maybe because I've never succeeded establishing an esp tunnel
> Emss> between two lans without gif(4).
>
> I've tried without gif tunnel (erroneous rc.conf modification) and it
> works, maybe Murphy's law had prevented this before ;)
>
> There's one question still remaining:
> - if there is more than one esp tunnel configured, how is traffic
> routed?
>
> Example:
> - One esp tunnel from 192.168.0.1 to 10.93.0.1
> - One esp tunnel from 192.168.0.1 to 10.44.0.1
>
> With only one tunnel configured, netstat -rn on the security gateway
> doesn't show any routes to the remote networks nor host.
>
> With a second tunnel added, are there any additional configuration
> steps or will the kernel do the routing automagically?

It's pretty much automagically done by way of the SPD entry. Any
packet that matches the source and destination in the SPD gets put
through the appropriate tunnel with the specified end points. It's not
the same as the regular routing table and will not show up in
'netstat -rn.'
--
Crist J. Clark                     | cjclark@alum.mit.edu
                                   | cjclark@jhu.edu
http://people.freebsd.org/~cjc/    | cjc@freebsd.org
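The two-tunnel setup from the question, written out as the SPD entries Crist describes. This is an added example and not part of the thread; the gateway addresses are the ones Eric gave, while the /24 LANs behind each gateway are assumed for illustration. Load it with `setkey -f`; the kernel selects the tunnel purely by matching source and destination against these policies, and no entry appears in the routing table.

```conf
# Added example, not from the thread. SPD policy file for setkey(8).
# Gateways 192.168.0.1, 10.93.0.1 and 10.44.0.1 come from the question;
# the 192.168.0.0/24, 10.93.0.0/24 and 10.44.0.0/24 LANs are assumed.
# Only the SPD is flushed so that SAs already negotiated by racoon survive.
spdflush;

# Tunnel 1: our LAN <-> LAN behind 10.93.0.1
spdadd 192.168.0.0/24 10.93.0.0/24 any -P out ipsec
    esp/tunnel/192.168.0.1-10.93.0.1/require;
spdadd 10.93.0.0/24 192.168.0.0/24 any -P in ipsec
    esp/tunnel/10.93.0.1-192.168.0.1/require;

# Tunnel 2: our LAN <-> LAN behind 10.44.0.1
# Same local source, different destination selector: this is all the
# kernel needs to pick the second tunnel's end points.
spdadd 192.168.0.0/24 10.44.0.0/24 any -P out ipsec
    esp/tunnel/192.168.0.1-10.44.0.1/require;
spdadd 10.44.0.0/24 192.168.0.0/24 any -P in ipsec
    esp/tunnel/10.44.0.1-192.168.0.1/require;
```

Inspect the result with `setkey -DP` rather than `netstat -rn`, which, as noted above, knows nothing about these tunnels. The `require` level also means a matching packet is dropped rather than sent in the clear if no SA exists for its tunnel.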