From: VANHULLEBUS Yvan <vanhu@zeninc.net>
To: freebsd-pf@freebsd.org
Date: Tue, 25 Oct 2005 14:43:01 +0200
Subject: Re: Filtering IPSec traffic ?
Message-ID: <20051025124301.GA2824@zeninc.net>
In-Reply-To: <861x29bx9m.fsf@srvbsdnanssv.interne.kisoft-services.com>
References: <20051025095745.GA2581@zeninc.net> <20051025120539.GA2761@zeninc.net> <861x29bx9m.fsf@srvbsdnanssv.interne.kisoft-services.com>
List-Id: "Technical discussion and general questions about packet filter (pf)" <freebsd-pf.freebsd.org>

On Tue, Oct 25, 2005 at 02:23:49PM +0200, Eric Masson wrote:
> VANHULLEBUS Yvan writes:
>
> Hi Yvan,

Hi Eric :-)

> > That's the problem: enc0 doesn't seem to exist, at least on my
> > FreeBSD6 gate (perhaps I missed something in the configuration, or
> > perhaps this is not a "real" interface ?) !!!
>
> The enc(4) interface doesn't exist in FreeBSD.

Yep, unfortunately...

> Atm, I use gif tunnels and transport mode between gateways, so I'm able
> to filter on gifs. The other main advantage in my case is that routing
> is explicit (no SPD inspection to check how packets are treated by the
> stack)

And the main problem of using gif interfaces seems to be a gif + IPSec +
filtering + forwarding problem for (at least) big TCP sessions (see the
thread on freebsd-net).

I'll try to do some tests with gif interfaces to see the advantages and
drawbacks, but this "bug" described in the gif(4) man page seems to be a
big drawback for me (I almost always use Tunnel mode for net-2-net IPSec
tunnels):

"The gif device may not interoperate with peers which are based on
different specifications, and are picky about outer header fields. For
example, you cannot usually use gif to talk with IPsec devices that use
IPsec tunnel mode."

Yvan.
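The gif + transport-mode setup Eric describes, written out as an added configuration example for one of the two gateways (this is not configuration from the thread or from the FreeBSD project). Interface names, addresses and networks are constructed placeholders, and the pf rules assume that a decrypted IP-in-IP carrier packet is handed back to ip_input and filtered again on the outer interface, while the inbound SPD entry (require) rejects a carrier packet that arrived without ESP.

```conf
# --- /etc/rc.conf: gif tunnel between the two gateway addresses
# (203.0.113.1 is this gateway, 198.51.100.1 the peer; constructed values)
gif_interfaces="gif0"
gifconfig_gif0="203.0.113.1 198.51.100.1"
ifconfig_gif0="inet 10.0.0.1 10.0.0.2 netmask 255.255.255.255"
static_routes="remote"
route_remote="-net 192.168.2.0/24 10.0.0.2"

# --- /etc/ipsec.conf (loaded with setkey -f): protect only the gif
# carrier (IPv4-in-IPv4, upperspec "ip4") with ESP in transport mode.
# Routing stays explicit: what goes through gif0 is what gets encrypted.
spdadd 203.0.113.1 198.51.100.1 ip4 -P out ipsec esp/transport//require;
spdadd 198.51.100.1 203.0.113.1 ip4 -P in  ipsec esp/transport//require;

# --- /etc/pf.conf: the outer interface only ever admits IKE, ESP and the
# IP-in-IP carrier from the known peer; the real policy is applied on gif0,
# where the inner cleartext packets appear as on any physical interface.
ext_if     = "fxp0"
peer       = "198.51.100.1"
local_net  = "192.168.1.0/24"
remote_net = "192.168.2.0/24"

set skip on lo0
block log all

# Outer interface: IKE (racoon) and ESP with the peer, both directions.
pass in  quick on $ext_if proto udp from $peer to ($ext_if) port 500
pass out quick on $ext_if proto udp from ($ext_if) to $peer port 500
pass in  quick on $ext_if proto esp from $peer to ($ext_if)
pass out quick on $ext_if proto esp from ($ext_if) to $peer

# The decapsulated carrier is seen again on $ext_if after ESP processing
# (assumption stated in the lead-in), so it needs its own narrow rule.
# A carrier that arrived in cleartext is already refused by the inbound
# SPD "require" policy, so this rule does not open a bypass.
pass in  quick on $ext_if proto ipencap from $peer to ($ext_if)
pass out quick on $ext_if proto ipencap from ($ext_if) to $peer

# Inner traffic: filter per gif interface, exactly like a physical link.
pass in  on gif0 proto tcp from $remote_net to $local_net port { 22, 443 } \
    flags S/SA keep state
pass in  on gif0 proto icmp from $remote_net to $local_net icmp-type echoreq
pass out on gif0 from $local_net to $remote_net keep state
```

The gif(4) caveat Yvan quotes still applies: the peer must also run gif over transport-mode ESP, since a tunnel-mode IPsec device will not accept this outer header layout.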