From: Paul Schenkeveld
To: Pekka Nikander
Cc: freebsd-net@FreeBSD.ORG
Date: Fri, 3 Jan 2003 15:21:40 +0100
Subject: Re: IPsec / ipfw interaction in 4.7-STABLE: a proposed change
Message-ID: <20030103152140.A19350@psconsult.nl>
In-Reply-To: <3E1575BC.6000001@nomadiclab.com>
References: <3E144753.7020905@nomadiclab.com> <86k7hnz4hp.fsf@notbsdems.nantes.kisoft-services.com> <3E15604B.3040505@nomadiclab.com> <20030103122434.A16996@psconsult.nl> <3E1575BC.6000001@nomadiclab.com>

On Fri, Jan 03, 2003 at 01:36:28PM +0200, Pekka Nikander wrote:
> Paul Schenkeveld wrote:
> > Because of the way IPsec and ipfw/ipfilter interact, I've
> > moved to the following workaround:
> ...
> > Now I use transport mode instead of tunnel mode between the two
> > external IP addresses:
> ...
> > Although this is not the solution to your problem, it shows a
> > behaviour close to what you want I think.
>
> Thanks for the suggestion, but I'm afraid that it won't work
> for me. Namely, my ISP has a NAT box between my home server
> and the rest of the internet. Fortunately I do have a permanent
> one-to-one mapping at the NAT box so that I can run ESP over it,
> and with manually set up tunnel ESP it works. Not nice, but it
> works. I'm afraid transport mode wouldn't work, but maybe
> I should try it.

If ESP in tunnel mode works for you I think ESP in transport mode
should also work. Note that in my example, the transport mode is not
configured between the internal addresses but between the external
addresses of the two tunnel endpoints. I chose to only ESP gif packets
(the ipencap keyword) but you could also ESP all packets by replacing
ipencap by any.

> > I'd love to see ipsec evolve in a way that I don't need gif tunnels
> > anymore so I like the enc0 interface concept but then I'd suggest
> > that IPsec automagically create route entries from the spadd lines
> > such that also outbound traffic passes enc0.
>
> I think that generating routing table entries from SPD is
> probably a better idea than my original idea of doing
> it the other way around. I think that it would be even possible
> to do that in the user land, having some process listening to
> a PFKEY socket and adding and deleting routes as it sees
> tunnel mode SPD entries coming and going.

I forgot to mention that this enc0 kind of interface should allow
specifying the interface name per tunnel. If you have multiple tunnels
(like I do) configuring ipfw/ipf would be a nightmare if the enc*
interface is assigned randomly.

> --Pekka Nikander

--
Paul Schenkeveld, Consultant
PSconsult ICT Services BV
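A sketch of the userland "SPD to routes" idea discussed in this thread, added here as an illustration and not code from either poster or from FreeBSD: instead of listening on a PF_KEY socket it parses a constructed `setkey -DP`-style SPD dump, keeps only outbound tunnel-mode policies, and diffs two snapshots into route(8) commands so routes appear and vanish with the policies. The dump layout, the `enc0` interface name and the `route add -net ... -interface` form are assumptions.

```python
import re
from typing import Dict, List

# Constructed sample in the KAME-style `setkey -DP` layout: an outbound
# tunnel-mode policy, its inbound mirror, and one transport-mode policy
# (like the ipencap-only transport setup described in this mail).
SAMPLE_SPD = """\
10.0.1.0/24[any] 10.0.2.0/24[any] any
    out ipsec
    esp/tunnel/192.0.2.1-198.51.100.1/require
    spid=1 seq=2 pid=1234
    refcnt=1
10.0.2.0/24[any] 10.0.1.0/24[any] any
    in ipsec
    esp/tunnel/198.51.100.1-192.0.2.1/require
    spid=2 seq=1 pid=1234
    refcnt=1
192.0.2.1[any] 198.51.100.1[any] ipencap
    out ipsec
    esp/transport//require
    spid=3 seq=0 pid=1234
    refcnt=1
"""

# Unindented line: "<src>[port] <dst>[port] <proto>" opens a policy.
HEADER = re.compile(r"^(\S+)\[\S+\] (\S+)\[\S+\] (\S+)$")
# Indented rule line of a tunnel-mode policy: "<proto>/tunnel/<local>-<remote>/<level>".
TUNNEL = re.compile(r"^(?:esp|ah|ipcomp)/tunnel/(\S+)-(\S+)/")


def outbound_tunnels(dump: str) -> Dict[str, str]:
    """Map destination prefix -> remote tunnel endpoint for every
    outbound tunnel-mode entry in a setkey -DP style dump."""
    routes, dst, direction = {}, None, None
    for line in dump.splitlines():
        m = HEADER.match(line)
        if m:                               # new policy: remember its dst
            dst, direction = m.group(2), None
            continue
        line = line.strip()
        if line.endswith(" ipsec"):         # "in ipsec" / "out ipsec"
            direction = line.split()[0]
        t = TUNNEL.match(line)
        if t and direction == "out" and dst:
            routes[dst] = t.group(2)        # remote endpoint of the tunnel
    return routes


def route_commands(old: Dict[str, str], new: Dict[str, str], ifname: str = "enc0") -> List[str]:
    """Diff two SPD snapshots into route(8) commands: delete routes whose
    policy vanished, add routes for policies that appeared (ifname assumed)."""
    cmds = [f"route delete -net {p}" for p in sorted(old) if p not in new]
    cmds += [f"route add -net {p} -interface {ifname}" for p in sorted(new) if p not in old]
    return cmds
```

Feeding successive dumps to `route_commands(previous, current)` yields exactly the add/delete pairs a PF_KEY-listening daemon would issue; the inbound mirror policy and the transport-mode policy produce no routes.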