Date: Thu, 21 Nov 2002 10:08:11 +0100
From: Guido van Rooij
To: Helge Oldach
Cc: "Patrick M. Hausen", archie@dellroad.org, dkelly@HiWAAY.net, sullrich@CRE8.COM, greg.panula@dolaninformation.com, FreeBSD-stable@FreeBSD.ORG
Subject: Re: IPsec/gif VPN tunnel packets on wrong NIC in ipfw? SOLUTION AND QUESTIONS
Message-ID: <20021121090811.GB96801@gvr.gvr.org>
In-Reply-To: <200211210837.gAL8b4Se080747@sep.oldach.net>
References: <200211200820.gAK8Ki6G041336@hugo10.ka.punkt.de> <200211210837.gAL8b4Se080747@sep.oldach.net>

Hi Helge!

On Thu, Nov 21, 2002 at 09:37:04AM +0100, Helge Oldach wrote:
> The core problem is that we have a single routing table only, and hence
> we have a mix of internal and public routes. Consequently we will see
> both internal and external packets on interfaces. Therefore I don't see
> the need for an extra interface. I regard the gif set-up as confusion
> already, because this interface isn't used at all.

It is used. It is currently the only way to be able to filter on the
unencrypted packets.

> Specifically, a beast such as esp0 would only work for ESP tunnel
> mode, but again add confusion for ESP transport mode and AH. (What IP
> addresses do you assign the esp0 interface in transport mode?)
>
> Finally, such an implementation would be quite unique in the industry. I
> would prefer to keep reference to existing implementations.

No it wouldn't. See OpenBSD and NetBSD.

It seems you think this is a routing issue, but it's not; it is a packet
filtering issue.

-Guido