From owner-freebsd-security Tue Nov 7 8:21:52 2000
From: "Cambria, Mike"
To: "'freebsd-security@freebsd.org'"
Subject: IPSec policy vs. next hop route
Date: Tue, 7 Nov 2000 11:21:40 -0500
Message-ID: <443F9E4C6D67D4118C9800A0C9DD99D7108136@rerun.lucentctc.com>

When a packet arrives on a FreeBSD 4.1.1-Stable machine, what takes precedence, the IP forwarding table's next hop or the IPSec policy?

I have an (ESP) tunnel defined between two FreeBSD machines. Subnets (addresses changed) 192.168.8.0/24 and 192.168.6.0/24 currently use a tunnel set up over 10.1.1.1-10.1.1.2 (interface xl0). Things are working.

    192.168.6.0 --|-- 192.168.6.1 -- FreeBSD -- 10.1.1.1 -- |
                  |                   Left                  |
                  |                                         |
                  | -- 10.1.1.2 -- FreeBSD -- 192.168.8.1 --|-- 192.168.8.0
                                    Right

Shortly, I'll enable routing on the machines as well as other interfaces that are not shown above (e.g. Subnet 172.16.6.1 on FreeBSD Left, 172.16.8.0 on FreeBSD Right.) Also not shown is the existing connectivity between these Subnets.

When routing is enabled, *if* packets from 172.16.6.0 destined to 192.168.8.0 arrive at FreeBSD Left (since I have not tried to figure out how to have route updates sent over the tunnel yet), what does FreeBSD do? When the packet arrives, does FreeBSD follow the next hop in the routing table to 192.168.8.0, or does the IPSec policy (use the tunnel for packets from 192.168.6.0 to 192.168.8.0) get used?

Thanks,
MikeC

Michael C. Cambria
Avaya Inc.
Former Enterprise Networks Group of Lucent Technologies
300 Baker Avenue
Concord, Massachusetts 01742
Voice: (978) 287 - 2807
Fax: (978) 287 - 2810
Internet: mcambria@avaya.com
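An added illustration, not part of the original post, of the policy configuration the question turns on: a hypothetical KAME setkey configuration for "FreeBSD Left" that covers both the existing 192.168.6.0/24 pair and the new 172.16.6.0/24 subnet. It assumes the addresses from the diagram, the 10.1.1.1/10.1.1.2 tunnel endpoints, and the setkey syntax shipped with FreeBSD 4.x; the SPIs and keys are placeholders.

```conf
# Hypothetical /etc/ipsec.conf for FreeBSD Left (constructed example).
# Tunnel endpoints: 10.1.1.1 (Left, xl0) <-> 10.1.1.2 (Right).
flush;
spdflush;

# Security policy entries: which packets must be protected.
# The SPD is matched on the packet's own src/dst selectors, not on the
# route chosen for it, so a forwarded packet whose addresses match no
# entry is simply sent in the clear along the routing table's next hop.
# Cover every subnet pair that is supposed to use the tunnel explicitly.
spdadd 192.168.6.0/24 192.168.8.0/24 any -P out ipsec
    esp/tunnel/10.1.1.1-10.1.1.2/require;
spdadd 192.168.8.0/24 192.168.6.0/24 any -P in  ipsec
    esp/tunnel/10.1.1.2-10.1.1.1/require;

# New subnet behind Left (172.16.6.0/24) <-> subnet behind Right.
# Without these two entries that traffic would be routed unencrypted.
spdadd 172.16.6.0/24 192.168.8.0/24 any -P out ipsec
    esp/tunnel/10.1.1.1-10.1.1.2/require;
spdadd 192.168.8.0/24 172.16.6.0/24 any -P in  ipsec
    esp/tunnel/10.1.1.2-10.1.1.1/require;

# Manually keyed tunnel-mode SAs (placeholder SPIs and keys; an IKE
# daemon such as racoon would normally negotiate these instead).
add 10.1.1.1 10.1.1.2 esp 0x1001 -m tunnel
    -E 3des-cbc  0x<PLACEHOLDER-24-byte-hex-key>
    -A hmac-sha1 0x<PLACEHOLDER-20-byte-hex-key>;
add 10.1.1.2 10.1.1.1 esp 0x1002 -m tunnel
    -E 3des-cbc  0x<PLACEHOLDER-24-byte-hex-key>
    -A hmac-sha1 0x<PLACEHOLDER-20-byte-hex-key>;
```

Load it with `setkey -f /etc/ipsec.conf` and check the installed policies with `setkey -DP`; any source/destination pair absent from that listing is forwarded by the plain routing table only.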