From: Phil Regnauld
To: "Bjoern A. Zeeb"
Cc: Remko Lodder, net@FreeBSD.org
Date: Fri, 18 Aug 2006 13:33:47 +0200
Subject: Re: Routing IPSEC packets?

Bjoern A. Zeeb (bzeeb-lists) writes:
>
> You do not "route" IPsec traffic. You define appropriate policies and
> be done. You only need gif(4) if you really want to route and use a
> link-state protocol.

... and want to do egress filtering, prioritization, and other things you can only really do for packets that travel in and out of an interface.

The problem with the triangle home - pcolo - ocolo is that it doesn't scale. Hub-and-spoke is easier but then you need interfaces to route on.