Date: Sun, 11 Dec 2016 18:28:06 +0300 From: Slawa Olhovchenkov <slw@zxy.spb.ru> To: "Andrey V. Elsukov" <ae@FreeBSD.org> Cc: freebsd-net@FreeBSD.org, Eugene Grosbein <eugen@grosbein.net> Subject: Re: [RFC/RFT] projects/ipsec Message-ID: <20161211152806.GG31311@zxy.spb.ru> In-Reply-To: <a6d6de20-d41c-da4f-3ab4-1f384508f5b4@FreeBSD.org> References: <2bd32791-944f-2417-41e9-e0fe1c705502@FreeBSD.org> <584D18D1.8090400@grosbein.net> <36fa749c-f284-1d96-704c-b7118a574dd0@FreeBSD.org> <20161211115802.GD31311@zxy.spb.ru> <4f8ad6e3-8028-8656-d286-caa391960632@FreeBSD.org> <20161211121515.GE31311@zxy.spb.ru> <dd5c2077-c897-a732-c35f-fc7620dd0a81@FreeBSD.org> <20161211125004.GF31311@zxy.spb.ru> <a6d6de20-d41c-da4f-3ab4-1f384508f5b4@FreeBSD.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On Sun, Dec 11, 2016 at 03:53:49PM +0300, Andrey V. Elsukov wrote: > On 11.12.2016 15:50, Slawa Olhovchenkov wrote: > >> You can specify what you want, but this just will not work as you > >> expect. A router usually must not handle all TCP sessions that it > > > > You mean forward to IPSec system only packets with DST_IP = my_ip? > > I that case, why you talk only about not handled returned packets? > > Originated packets also don't address to me. > > I already described how it works and that you can configure what > you want. > > https://lists.freebsd.org/pipermail/freebsd-net/2016-December/046616.html This is don't clean about "we can't handle the returned packets". If we can handle originated packets (encryped by outbound police, yes?) what is problem handle returned packets by other outbound police and decrypt it?
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20161211152806.GG31311>