Date: Tue, 7 Nov 2000 11:21:40 -0500
From: "Cambria, Mike" <mcambria@avaya.com>
To: "'freebsd-security@freebsd.org'" <freebsd-security@freebsd.org>
Subject: IPSec policy vs. next hop route
Message-ID: <443F9E4C6D67D4118C9800A0C9DD99D7108136@rerun.lucentctc.com>
When a packet arrives on a FreeBSD 4.1.1-Stable machine, what takes
precedence, the IP forwarding table's next hop or the IPSec policy?
I have an (ESP) tunnel defined between two FreeBSD machines. Subnets
(addresses changed) 192.168.8.0/24 and 192.168.6.0/24 currently use a tunnel
setup over 10.1.1.1-10.1.1.2 (interface xl0). Things are working.
192.168.6.0 --|-- 192.168.6.1 -- FreeBSD -- 10.1.1.1 -- |
                                  Left                   |
                                                         | -- 10.1.1.2 -- FreeBSD -- 192.168.8.1 -- | 192.168.8.0
                                                                          Right
Shortly, I'll enable routing on the machines as well as other interfaces
that are not shown above (e.g. Subnet 172.16.6.1 on FreeBSD left, 172.16.8.0
on FreeBSD Right.) Also not shown is the existing connectivity between
these Subnets.
When routing is enabled, *if* packets from 172.16.6.0 destined to
192.168.8.0 arrive at FreeBSD Left (since I have not tried to figure out how
to have route updates sent over the tunnel yet), what does FreeBSD do? When
the packet arrives, does FreeBSD follow the next hop in the routing table to
192.168.8.0 or does the IPSec policy (use the tunnel for packets from
192.168.6.0 to 192.168.8.0) get used?
Thanks,
MikeC
Michael C. Cambria
Avaya Inc.
Former Enterprise Networks Group of Lucent Technologies
300 Baker Avenue
Concord, Massachusetts 01742
Voice: (978) 287-2807
Fax: (978) 287-2810
Internet: mcambria@avaya.com
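An added example, not part of the original post or of FreeBSD, modelling the point the question turns on: an IPsec security policy database (SPD) selects by inner src/dst prefix, so a flow that no selector covers never enters the tunnel whatever the routing table says about its next hop, and a defender wants to audit for such gaps before enabling routing. The model assumes first-match policy evaluation and a bypass default for unmatched traffic; the addresses are those given in the post, and SPD_AFTER is a constructed variant showing the added selector and catch-all.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Policy:
    src: str            # selector: inner source prefix
    dst: str            # selector: inner destination prefix
    action: str         # "ipsec" (send through the tunnel), "bypass" or "discard"
    tunnel: tuple = ()  # (outer_src, outer_dst) endpoints when action == "ipsec"

    def matches(self, src: str, dst: str) -> bool:
        return (ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst))

def lookup(policies, src, dst, default="bypass"):
    """First matching selector decides; a flow no selector covers gets the
    default (assumed here to be bypass, i.e. plain forwarding via the routing table)."""
    for p in policies:
        if p.matches(src, dst):
            return p.action, p.tunnel
    return default, ()

def unprotected(policies, flows, default="bypass"):
    """Audit: return the (src_net, dst_net) pairs whose traffic would NOT be
    tunnelled, probing each pair with one host address from each prefix."""
    leaks = []
    for src_net, dst_net in flows:
        s, d = str(ip_network(src_net)[1]), str(ip_network(dst_net)[1])
        if lookup(policies, s, d, default)[0] != "ipsec":
            leaks.append((src_net, dst_net))
    return leaks

# Constructed sample mirroring the post's topology, seen from FreeBSD Left.
TUNNEL = ("10.1.1.1", "10.1.1.2")
SPD_BEFORE = [Policy("192.168.6.0/24", "192.168.8.0/24", "ipsec", TUNNEL)]
# Same SPD with a selector for the new 172.16.6.0/24 subnet and a final
# catch-all that discards anything else bound for the far side (constructed).
SPD_AFTER = SPD_BEFORE + [
    Policy("172.16.6.0/24", "192.168.8.0/24", "ipsec", TUNNEL),
    Policy("0.0.0.0/0", "192.168.8.0/24", "discard"),
]
FLOWS = [("192.168.6.0/24", "192.168.8.0/24"), ("172.16.6.0/24", "192.168.8.0/24")]

if __name__ == "__main__":
    print("uncovered before:", unprotected(SPD_BEFORE, FLOWS))  # [('172.16.6.0/24', '192.168.8.0/24')]
    print("uncovered after: ", unprotected(SPD_AFTER, FLOWS))   # []
```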