Date: Mon, 21 Aug 2006 18:28:30 +0200
From: Jeremie Le Hen <jeremie@le-hen.org>
To: Andrew Pantyukhin <infofarmer@FreeBSD.org>
Cc: remko@freebsd.org, thompsa@FreeBSD.org, net@freebsd.org
Subject: Re: [fbsd] Re: Routing IPSEC packets?
Message-ID: <20060821162830.GA58048@obiwan.tataz.chchile.org>
In-Reply-To: <cb5206420608181258w3c845f93w589525e4c7293816@mail.gmail.com>
References: <44E58E9E.1030401@FreeBSD.org> <44E5F19E.9070600@isi.edu> <cb5206420608181236h34c0b85fwffc93bdd6c6979f4@mail.gmail.com> <44E619F7.7030300@isi.edu> <cb5206420608181258w3c845f93w589525e4c7293816@mail.gmail.com>
Hi Andrew,

On Fri, Aug 18, 2006 at 11:58:08PM +0400, Andrew Pantyukhin wrote:
> I'm actually trying to marry FreeBSD to PIX. The latter only
> supports IPSec (tunnel/transport). I'm still struggling with
> firewalls on both sides, but tunnel-tunnel works right now.
> I'm a bit puzzled because the howto I see
> (http://www.bshell.com/projects/freebsd_pix/) uses gif(4)
> with tunnel-mode IPSec. Either something is wrong with
> the way things work or the author doesn't understand what
> he's doing (or both). The bitter thing is that we have a
> similar setup in our handbook:
> http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/ipsec.html

The handbook is known to be wrong for this. ISTR there have been some
mails around there about the incorrectness of the latter page. See the
following URL:

http://docs.freebsd.org/cgi/getmsg.cgi?fetch=236856+0+archive/2001/freebsd-net/20010506.freebsd-net

And this recent thread that shows how much the documentation is deceiving:

http://lists.freebsd.org/pipermail/freebsd-net/2005-December/009322.html

I have already been misled by the IPSec tunnel mode + gif(4) setup, and
it happens that though everything appears to work well, traffic won't go
through your gif(4) interface, which is useless (you can check this with
tcpdump(8)). I think you can simply try to remove it in this case, or
set it down, and your tunnel should continue to work correctly. This has
already been reported in this thread:

http://lists.freebsd.org/pipermail/freebsd-security/2003-October/001135.html

If you succeed in using both IPSec tunneling mode and gif(4), you will
have a double-encapsulation. Basically, you will get something like this:

[ IP ] [ IP ] [ IPSec ] [ IP ]

As has indeed already been stated in this thread, IPSec tunnel mode
shunts the routing table. However the new enc(4) interface that Andrew
Thompson has imported from OpenBSD allows filtering IPSec traffic in a
more natural way. Maybe it also brings the ability to route IPSec
tunnels, or even bridge them with if_bridge(4). I Cc'ed him for
clarification.

I hope this mail will serve future generations :-).

Best regards,
-- 
Jeremie Le Hen
< jeremie at le-hen dot org >< ttz at chchile dot org >
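The double-encapsulation described in the message above, shown as an added example that is not part of the original post or of FreeBSD. It builds the two packet layouts with constructed addresses (10.0.1.0/24 and 10.0.2.0/24 behind gateways 192.0.2.1 and 198.51.100.1), walks the headers the way a tcpdump(8) reader would, and reports the encapsulation chain and the per-packet overhead. The ESP SA is assumed to use NULL encryption and no ICV purely so the inner headers stay readable; with a real SA the walk stops at the ESP header, which is what you see on the outer link.

```python
"""Nested-encapsulation walker: IPsec tunnel mode alone vs. gif(4) inside it.

Added example, not code from the mailing-list post. Addresses and the ESP SA
(NULL encryption, no ICV) are constructed for illustration only.
"""
import struct

PROTO_IPIP = 4    # IP-in-IP: what gif(4) emits for IPv4 over IPv4
PROTO_TCP = 6
PROTO_ESP = 50
PROTO_NAMES = {PROTO_IPIP: "IPv4", PROTO_TCP: "TCP", PROTO_ESP: "ESP"}


def ip_checksum(hdr: bytes) -> int:
    """One's-complement checksum over an IPv4 header whose checksum field is zero."""
    total = 0
    for i in range(0, len(hdr), 2):
        total += (hdr[i] << 8) | hdr[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) in front of payload."""
    def addr(s: str) -> bytes:
        return bytes(int(x) for x in s.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                      ttl, proto, 0, addr(src), addr(dst))
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + payload


def esp_null(spi: int, seq: int, inner: bytes, next_header: int) -> bytes:
    """ESP with NULL encryption and no ICV: 8-byte header, payload, padding to a
    4-byte boundary, then the pad-length and next-header trailer bytes."""
    pad_len = (-(len(inner) + 2)) % 4
    return (struct.pack("!II", spi, seq) + inner
            + bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header]))


def tcp_stub() -> bytes:
    """Constructed 20-byte TCP SYN header (port 40000 -> 22), no options."""
    return struct.pack("!HHIIBBHHH", 40000, 22, 1, 0, 0x50, 0x02, 65535, 0, 0)


def ipsec_tunnel(inner: bytes, gw_src: str, gw_dst: str,
                 spi: int = 0x1000, seq: int = 1) -> bytes:
    """Tunnel-mode ESP: the whole inner IP packet becomes the ESP payload."""
    return ipv4(gw_src, gw_dst, PROTO_ESP, esp_null(spi, seq, inner, PROTO_IPIP))


def gif_tunnel(inner: bytes, gif_src: str, gif_dst: str) -> bytes:
    """What gif(4) does on its own: plain IP-in-IP, no protection at all."""
    return ipv4(gif_src, gif_dst, PROTO_IPIP, inner)


def encapsulation_chain(pkt: bytes) -> list:
    """Walk the headers from the outside in and list the protocols seen.
    ESP is descended into only because the constructed SA is NULL/no-ICV."""
    chain = []
    while len(pkt) >= 20 and pkt[0] >> 4 == 4:
        ihl = (pkt[0] & 0x0F) * 4
        proto = pkt[9]
        chain.append("IPv4")
        pkt = pkt[ihl:]
        if proto == PROTO_IPIP:
            continue                      # another IPv4 header follows directly
        if proto == PROTO_ESP:
            chain.append("ESP")
            pad_len, next_hdr = pkt[-2], pkt[-1]
            pkt = pkt[8:len(pkt) - 2 - pad_len]
            if next_hdr == PROTO_IPIP:
                continue                  # tunnel mode: inner IPv4 packet follows
            chain.append(PROTO_NAMES.get(next_hdr, str(next_hdr)))
            break
        chain.append(PROTO_NAMES.get(proto, str(proto)))
        break
    return chain


def overhead(pkt: bytes, inner: bytes) -> int:
    """Bytes the encapsulation(s) add on the wire around the host's own packet."""
    return len(pkt) - len(inner)


def main() -> None:
    host_pkt = ipv4("10.0.1.5", "10.0.2.7", PROTO_TCP, tcp_stub())   # constructed LAN traffic
    gw_a, gw_b = "192.0.2.1", "198.51.100.1"
    only_ipsec = ipsec_tunnel(host_pkt, gw_a, gw_b)
    gif_then_ipsec = ipsec_tunnel(gif_tunnel(host_pkt, gw_a, gw_b), gw_a, gw_b)
    for name, p in (("tunnel-mode ESP alone", only_ipsec),
                    ("gif(4) inside tunnel-mode ESP", gif_then_ipsec)):
        print(f"{name:32s} {' / '.join(encapsulation_chain(p))}  (+{overhead(p, host_pkt)} bytes)")


if __name__ == "__main__":
    main()
```

Running it prints `IPv4 / ESP / IPv4 / TCP` for tunnel mode on its own and `IPv4 / ESP / IPv4 / IPv4 / TCP` for the gif(4) variant, the redundant middle IPv4 header being the extra encapsulation the message warns about; the overhead column makes the cost of carrying it visible.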