Date: Sun, 11 Dec 2016 14:58:02 +0300
From: Slawa Olhovchenkov <slw@zxy.spb.ru>
To: "Andrey V. Elsukov" <ae@FreeBSD.org>
Cc: Eugene Grosbein <eugen@grosbein.net>, freebsd-net@FreeBSD.org
Subject: Re: [RFC/RFT] projects/ipsec
Message-ID: <20161211115802.GD31311@zxy.spb.ru>
In-Reply-To: <36fa749c-f284-1d96-704c-b7118a574dd0@FreeBSD.org>
References: <2bd32791-944f-2417-41e9-e0fe1c705502@FreeBSD.org> <584D18D1.8090400@grosbein.net> <36fa749c-f284-1d96-704c-b7118a574dd0@FreeBSD.org>
On Sun, Dec 11, 2016 at 02:33:43PM +0300, Andrey V. Elsukov wrote:
> On 11.12.2016 12:13, Eugene Grosbein wrote:
> > 11.12.2016 6:07, Andrey V. Elsukov writes:
> >
> >> * use transport mode IPsec for forwarded IPv4 packets now unsupported.
> >> This matches the IPv6 behavior, and since we can handle the replies, I
> >> think it is useless.
> >
> > Does it include a case of packets going from LAN and forwarded into
> > gif(4) tunnel connected to remote IPSEC gateway and encrypted with
> > transport mode?
> >
> > That is, will this configuration break?
>
> No. A packet encapsulated by gif(4) is considered as our own packet. The
> described change is related to transport mode policies that match
> forwarded packets, i.e. when source and destination addresses are not
> our own. In this case we can't handle the returned packets.

What is the difference from sourced packets? Why can you handle sourced
packets and can't handle returned packets?
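To make the two cases in the quoted reply concrete, here is an added setkey(8) SPD example that is not part of the thread; the addresses are constructed (RFC 5737 and RFC 1918 ranges) and the gateway/LAN layout is assumed.

```conf
# Constructed layout: this host is gateway A (192.0.2.1), the remote IPsec
# gateway is B (198.51.100.1); LAN 10.0.0.0/24 sits behind A, 10.1.0.0/24 behind B.

# Case 1 (Eugene's setup, still supported): LAN traffic is forwarded into a
# gif(4) tunnel A<->B. The resulting IP-in-IP packet has our own address as
# source, so a transport-mode policy on the gif endpoints treats it like any
# other locally originated packet.
spdadd 192.0.2.1 198.51.100.1 ipencap -P out ipsec esp/transport//require;
spdadd 198.51.100.1 192.0.2.1 ipencap -P in  ipsec esp/transport//require;

# Case 2 (what the change drops): a transport-mode policy whose selectors
# match forwarded packets, i.e. neither address is ours. Shown for contrast;
# on the projects/ipsec branch this will no longer be applied to forwarded IPv4.
# spdadd 10.0.0.0/24 10.1.0.0/24 any -P out ipsec esp/transport//require;

# Gateway-to-gateway protection of forwarded traffic without gif(4) is
# expressed with tunnel mode instead, where the outer addresses are our own.
spdadd 10.0.0.0/24 10.1.0.0/24 any -P out ipsec esp/tunnel/192.0.2.1-198.51.100.1/require;
spdadd 10.1.0.0/24 10.0.0.0/24 any -P in  ipsec esp/tunnel/198.51.100.1-192.0.2.1/require;
```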