Date:      Mon, 30 May 2016 14:26:54 +0700
From:      Eugene Grosbein <eugen@grosbein.net>
To:        Patrick Lamaiziere <patfbsd@davenulle.org>, freebsd-net@freebsd.org
Subject:   Re: net.inet.ip.fastforwarding and ipsec ?
Message-ID:  <574BEB3E.8080008@grosbein.net>
In-Reply-To: <20160530092119.50b799bf@mr185083>
References:  <20160530092119.50b799bf@mr185083>

30.05.2016 14:21, Patrick Lamaiziere wrote:
> Hello,
>
> Documentation states that setting net.inet.ip.fastforwarding on a
> router breaks ipsec. But it's not clear to me "where" ipsec is broken.
>
> Is ipsec broken to (or from) the router, but ipsec between different
> hosts will work as expected?
>
> Or is it broken for all the ipsec traffic passing through the
> router ?
>
> Thanks, regards,

Fastforwarded traffic is passed without any IPSEC processing,
so it gets no encryption/decryption.

Afaik, sysctl net.inet.ip.fastforwarding was removed from recent FreeBSD code
recently and traffic that can be fastforwarded is fastforwarded automagically
and traffic that cannot (f.e. IPSEC traffic) goes through full processing.
So, the problem you mention should be eliminated.




