From: "Bjoern A. Zeeb"
Date: Mon, 8 Dec 2008 21:02:00 +0000 (UTC)
To: Frank Behrens
Cc: freebsd-net@freebsd.org
Subject: Re: Problem with new source address selection
Message-ID: <20081208205426.V80401@maildrop.int.zabbadoz.net>
In-Reply-To: <200812031220.mB3CK204015947@post.behrens.de>
References: <200811280653.mAS6r1P3014050@post.behrens.de> <200812031220.mB3CK204015947@post.behrens.de>

On Wed, 3 Dec 2008, Frank Behrens wrote:

Hi,

> As I mentioned earlier I believe the main problem is IPSEC itself,
> where we don't have an interface for tunneled connections. So I made
> a workaround with a dummy loopback device. So I have a question to
> the network specialists: Is there no other solution? Am I the only
> stupid man, who wants to tunnel a subnet with private address range
> via IPSEC?

No, you aren't.

Let me try to explain a bit further why I don't think it's an IPsec
problem (at least not in first place).

Assume you'd not run IPsec but communicate with the people directly
(with valid IPs). Instead of having policies to control the traffic
you are using simple IP filters on each side. So now in your network
topology, with your setup, with the destination not being on a directly
connected network, what would source address selection pick as outgoing
IP (obviously w/o the hack with the route to the loopback)? Would that
IP match your policy and thus would the peer permit it in its firewall?

>> When it comes to the source address selection I am tempted to answer
>> with: I am willing to still allow this in 7 to not break production
>> setups but I am inclined to not change HEAD and keep the behavior
>> dropped there. See patch below, which basically is what you had with
>> the version check and the if (ia == NULL) check to not blindly overwrite
>> if we had found anything closer (untested).
>
> Thanks, I will try this.

I am still discussing things, or rather have the question queued with
someone but we are all a bit busy atm.

Did you try the patch and did it work for you as expected? If so I'll
add it to my repo and the next jail patch.

/bz

--
Bjoern A. Zeeb                      The greatest risk is not taking one.
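The question Bjoern asks above (which source address does the kernel pick for a destination that is not directly connected, and does that address still match the IPsec policy?) can be played through with a small model. The following is an added illustration, not code from this thread and not FreeBSD's actual source selection code: it reduces the kernel rule to "longest-prefix route, then the primary address of that route's outgoing interface", and uses constructed addresses (em0 with a public address, lo1 as the dummy loopback alias, a one-entry security policy database). It shows why the plain routing table sends the traffic out with the public address, which no tunnel policy selects, and why Frank's loopback route makes the private address the chosen source.

```python
import ipaddress

# Constructed example topology (not from the thread): em0 carries the public
# address, lo1 is the dummy loopback alias holding the private tunnel address.
IFADDRS = {
    "em0": ipaddress.ip_address("203.0.113.10"),
    "lo1": ipaddress.ip_address("10.1.0.1"),
}

# Routing table without the workaround: the remote private subnet is not
# directly connected, so it falls through to the default route on em0.
ROUTES_PLAIN = [
    ("0.0.0.0/0", "em0"),
    ("203.0.113.0/24", "em0"),
]

# Same table plus the loopback workaround: a route for the remote private
# subnet pointing at lo1, so the outgoing interface carries the private address.
ROUTES_WITH_LO = ROUTES_PLAIN + [("10.2.0.0/24", "lo1")]

# Constructed security policy database: only traffic between the two private
# subnets is to be tunnelled; anything else has no policy and leaves in the clear.
SPD = [
    ("10.1.0.0/24", "10.2.0.0/24", "ipsec-tunnel"),
]


def lookup_route(routes, dst):
    """Longest-prefix match; returns the outgoing interface name or None."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, ifname in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname)
    return best[1] if best else None


def select_source(routes, ifaddrs, dst):
    """Simplified kernel rule: use the primary address of the outgoing interface."""
    ifname = lookup_route(routes, dst)
    return str(ifaddrs[ifname]) if ifname else None


def spd_lookup(spd, src, dst):
    """Return the action of the first policy whose src/dst selectors match."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for src_net, dst_net, action in spd:
        if src in ipaddress.ip_network(src_net) and dst in ipaddress.ip_network(dst_net):
            return action
    return None


def check(routes, ifaddrs, spd, dst):
    """Chosen source address for dst and the policy action that source triggers."""
    src = select_source(routes, ifaddrs, dst)
    return src, (spd_lookup(spd, src, dst) if src else None)


if __name__ == "__main__":
    for label, routes in (("plain", ROUTES_PLAIN), ("with lo1 route", ROUTES_WITH_LO)):
        src, action = check(routes, IFADDRS, SPD, "10.2.0.5")
        print(f"{label:15s} src={src:15s} policy={action}")
```

With the plain table the packet to 10.2.0.5 is sourced from 203.0.113.10 and hits no tunnel policy, which is exactly the case where the peer's filter (or its own SPD) rejects it; with the lo1 route the source becomes 10.1.0.1 and the tunnel policy applies. The model deliberately ignores the finer points of the real implementation (multiple addresses per interface, the `ia == NULL` fallback the patch discusses), so treat it as a way to reason about a topology, not as a predictor of a specific kernel version.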