From owner-freebsd-net@FreeBSD.ORG Mon Aug 21 21:06:55 2006
From: Andrew Thompson <thompsa@freebsd.org>
Date: Tue, 22 Aug 2006 09:06:43 +1200
To: Jeremie Le Hen
Cc: remko@freebsd.org, Andrew Pantyukhin, net@freebsd.org
Subject: Re: [fbsd] Re: Routing IPSEC packets?
Message-ID: <20060821210643.GE90346@heff.fud.org.nz>
In-Reply-To: <20060821162830.GA58048@obiwan.tataz.chchile.org>
References: <44E58E9E.1030401@FreeBSD.org> <44E5F19E.9070600@isi.edu> <44E619F7.7030300@isi.edu> <20060821162830.GA58048@obiwan.tataz.chchile.org>
List-Id: Networking and TCP/IP with FreeBSD

On Mon, Aug 21, 2006 at 06:28:30PM +0200, Jeremie Le Hen wrote:
> Hi Andrew,
>
> On Fri, Aug 18, 2006 at 11:58:08PM +0400, Andrew Pantyukhin wrote:
> > I'm actually trying to marry FreeBSD to PIX. The latter only
> > supports IPSec (tunnel/transport). I'm still struggling with
> > firewalls on both sides, but tunnel-tunnel works right now.
> > I'm a bit puzzled because the howto I see
> > (http://www.bshell.com/projects/freebsd_pix/) uses gif(4)
> > with tunnel-mode IPSec. Either something is wrong with
> > the way things work or the author doesn't understand what
> > he's doing (or both). The bitter thing is that we have a
> > similar setup in our handbook:
> > http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/ipsec.html
>
> As has indeed already been stated in this thread, IPSec tunnel mode
> shunts the routing table. However, the new enc(4) interface that Andrew
> Thompson has imported from OpenBSD allows filtering IPSec traffic in a
> more natural way. Maybe it also brings the ability to route IPSec
> tunnels, or even bridge them with if_bridge(4). I Cc'ed him for clarification.

At the moment enc(4) isn't really a real interface, and while ipsec traffic
seems to pass through it, it actually doesn't. The ipsec code just calls the
enc code, which does pfil/bpf with a preallocated enc0. I'm sure this could be
extended to allow routing and other tricks.

Andrew