From: Rene de Vries
To: net@freebsd.org
Cc: Lars Eggert
Date: Mon, 14 Jan 2002 19:05:52 +0100
Subject: Re: Filtering packets received through an ipsec tunnel
In-Reply-To: <3C431170.5080506@isi.edu>
Message-Id: <58FB1C50-0919-11D6-AC08-00039357FA7A@canyon.xs4all.nl>

Gif tunnels are not the same thing as ipsec tunnels. For one, some ipsec implementations simply won't work with gif tunnels. Furthermore, the administrative overhead when there are more than a few tunnels is enormous. It is much simpler to have racoon do some (a lot) of the work for you.

Say, for example, you have about 200 (1) tunnel partners, of which only about 30 are connected at the same time. This would mean 200 extra interfaces, a totally unmanageable situation. Whereas the ip-filter rules could be very simple/generic for all of them. The only configuration issue you will have to face is generating the SPDs and filling racoon with the correct keys. But this can't be helped.

1) These numbers are an example, not real life...

On Monday, January 14, 2002, at 06:12 , Lars Eggert wrote:

> Blaz Zupan wrote:
>
>>> And before you suggest that the gif tunnels seen in all those IPSEC
>>> examples actually have anything to do with IPSEC tunnels, please try
>>> it and look again. It's completely uninvolved other than introducing
>>> a route as a side-effect.
>>>
>> I'm not sure what you mean here, but shouldn't the following work: we
>> create a gif tunnel between the two endpoints and just encrypt the gif
>> traffic itself.
>> Then we can filter the packets that go in and out of the gif interface.
>
> He was referring to using gif tunnels together with IPsec tunnel mode
> SAs (are you?) This "works" but precisely because of the side effect
> that Louis mentioned. A clean solution would use *either* IPIP tunnels
> (i.e. gif devices) and IPsec transport mode *or* IPsec tunnel mode (and
> no gifs). See the KAME IMPLEMENTATION file for details, or
> draft-touch-ipsec-vpn-02.txt (shameless plug :-).

-- 
Rene de Vries
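The "generating the SPDs" step the message mentions is mechanical once the partner list exists: for IPsec tunnel mode (no gif devices), each partner costs two setkey(8) SPD entries, one per direction, and no extra interface. The script below is an added example and not part of the original mail or of KAME/racoon; the gateway addresses, LAN prefixes and partner list are constructed, and the only setkey syntax it relies on is the documented `spdadd ... -P {in,out} ipsec esp/tunnel/SRC-DST/require;` form. Racoon then negotiates the SAs when traffic first matches a policy, which is how the "30 of 200 connected at a time" case needs no per-partner state to be configured up front.

```shell
#!/bin/sh
# Added example (not from the original mail): emit a setkey(8) SPD script
# for a list of IPsec tunnel-mode partners. No gif interfaces are involved.
# Assumptions (constructed values): our public gateway address, our LAN
# prefix, and a partner list of "<remote gateway> <remote LAN>" pairs.

LOCAL_GW="192.0.2.1"          # assumption: our IPsec gateway address
LOCAL_LAN="10.10.0.0/16"      # assumption: the LAN behind our gateway

# Constructed partner list, one partner per line: <remote gateway> <remote LAN>
PARTNERS='198.51.100.7 10.20.0.0/16
203.0.113.9 10.30.0.0/16'

# spd_entries: print the two policies one partner needs.
# Tunnel mode: the selector is inner LAN <-> LAN traffic, the esp/tunnel
# endpoints are the outer gateway addresses. "require" means traffic that
# matches the selector must be protected; racoon negotiates the SA on demand.
spd_entries() {
    remote_gw=$1
    remote_lan=$2
    printf 'spdadd %s %s any -P out ipsec esp/tunnel/%s-%s/require;\n' \
        "$LOCAL_LAN" "$remote_lan" "$LOCAL_GW" "$remote_gw"
    printf 'spdadd %s %s any -P in ipsec esp/tunnel/%s-%s/require;\n' \
        "$remote_lan" "$LOCAL_LAN" "$remote_gw" "$LOCAL_GW"
}

# gen_spd: read the partner list on stdin, emit a complete "setkey -f" script.
# spdflush first so re-running the generator replaces, not appends, policies.
gen_spd() {
    echo 'spdflush;'
    while read -r gw lan; do
        [ -n "$gw" ] || continue        # skip blank lines
        spd_entries "$gw" "$lan"
    done
}

# count_policies: how many spdadd lines a partner list produces (2 per partner,
# versus one interface per partner with gif tunnels).
count_policies() {
    printf '%s\n' "$1" | gen_spd | grep -c '^spdadd'
}

# Usage: ./gen_spd.sh --demo > spd.conf && setkey -f spd.conf
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$PARTNERS" | gen_spd
fi
```

The generated file is loaded with `setkey -f`; racoon's own configuration (the peer sections and pre-shared keys or certificates the mail calls "filling racoon with the correct keys") is the part this script does not cover. Note that the same SPD also works as the match point for what the thread is about: traffic that arrives decapsulated from a partner matches the `-P in` policy for that partner's LAN, which is what makes a single generic filter rule set possible instead of per-interface rules.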