Date:      Mon, 5 Aug 2002 10:41:56 -0700
From:      "Crist J. Clark" <crist.clark@attbi.com>
To:        Eric Masson <e-masson@kisoft-services.com>
Cc:        Matthew Grooms <mgrooms@seton.org>, dlavigne6@cogeco.ca, Mailing List FreeBSD Security <freebsd-security@FreeBSD.ORG>
Subject:   Re: esp tunnel without gif(4) [Was Re: vpn1/fw1 NG to ipsec/racoon troubles, help please ...]
Message-ID:  <20020805174156.GA62935@blossom.cjclark.org>
In-Reply-To: <86wur5o0r4.fsf@notbsdems.nantes.kisoft-services.com>
References:  <sd455602.090@aus-gwia.aus.dcnhs.org> <20020730074813.GF89241@blossom.cjclark.org> <86znw5r9h3.fsf_-_@notbsdems.nantes.kisoft-services.com> <86k7n9qv08.fsf@notbsdems.nantes.kisoft-services.com> <20020802172729.GA6880@blossom.cjclark.org> <86wur5o0r4.fsf@notbsdems.nantes.kisoft-services.com>

On Mon, Aug 05, 2002 at 04:09:51PM +0200, Eric Masson wrote:
> >>>>> "Crist" == Crist J Clark <crist.clark@attbi.com> writes:
> 
>  Crist> It's pretty much automagically done by way of the SPD entry. Any
>  Crist> packet that matches the source and destination in the SPD gets
>  Crist> put through the appropriate tunnel with the specified end
>  Crist> points.
> 
> Ok, I do understand now.
> 
>  Crist> It's not the same as the regular routing table and will not show
>  Crist> up in 'netstat -rn.'
> 
> It would be nice to have netstat -r show these routes with a new flag
> (like T for example), tunnelled end address as destination, tunnelled
> origin address as gateway, and interface bound to tunnel origin address
> as netif.
> 
> Does this look interesting or is this plain dumb?

Tunnelling is not the same as routing. The tunnelling actually has no
effect on routing. A packet going through the tunnel is encapsulated
and sent to a different destination. This is not like routing where we
don't touch the source or destination addresses and merely manipulate
where the packet is directed on the next hop. Once encapsulation is
done, routing is done normally.

Another place for confusion: what do you display for

  spdadd 10.10.10.0/24[any] 10.99.99.0/24[25] tcp
    -P out ipsec esp/tunnel/10.10.11.1-10.99.98.1/require

Where not all traffic, but only some, goes through the tunnel. (Yes,
an odd use of tunnelling, but perfectly valid.)

I think trying to add IPsec tunnels to 'netstat -r' is not a good
idea. 'netstat -r' should show the routing table and nothing more.

I think a command that displays the SPD and live SAD entries in more
intuitive ways, possibly in a 'netstat -r'-like fashion would be very
useful, but it shouldn't actually be in 'netstat -r.'
-- 
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org
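The point of the message above, that an SPD entry selects packets by its selectors (address, protocol, port) and the resulting ESP packet is then routed like any other, can be shown with a small model. The following is an added example and not code from FreeBSD, KAME or anyone in this thread: it parses the spdadd line quoted in the message (only that subset of the setkey grammar is handled), encapsulates matching packets between the tunnel endpoints, and then runs an ordinary longest-prefix lookup over a constructed routing table. The routing table, packets and next hops are all constructed for the illustration.

```python
"""Model of an outbound IPsec SPD entry versus the routing table.

Added illustration, not FreeBSD/KAME code.  Only the spdadd subset used
in the message is handled: src/dst prefix with optional [port] selector,
upper-layer protocol, and -P out ipsec esp/tunnel/A-B/require.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                        # "tcp", "udp", "icmp", "esp", ...
    sport: Optional[int] = None       # transport ports, if any
    dport: Optional[int] = None
    inner: Optional["Packet"] = None  # original packet, set after ESP encapsulation


@dataclass(frozen=True)
class SpdEntry:
    src: ipaddress.IPv4Network
    sport: Optional[int]              # None means "[any]"
    dst: ipaddress.IPv4Network
    dport: Optional[int]
    proto: str                        # "tcp", "udp" or "any"
    tunnel_src: str
    tunnel_dst: str

    def matches(self, pkt: Packet) -> bool:
        """Selector match on addresses, upper-layer protocol and ports."""
        if ipaddress.IPv4Address(pkt.src) not in self.src:
            return False
        if ipaddress.IPv4Address(pkt.dst) not in self.dst:
            return False
        if self.proto != "any" and pkt.proto != self.proto:
            return False
        if self.sport is not None and pkt.sport != self.sport:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        return True

    def encapsulate(self, pkt: Packet) -> Packet:
        """Wrap the packet in ESP addressed from tunnel_src to tunnel_dst."""
        return Packet(self.tunnel_src, self.tunnel_dst, "esp", inner=pkt)


def _split_selector(token: str):
    """'10.99.99.0/24[25]' -> (network, 25); '10.10.10.0/24[any]' -> (network, None)."""
    port = None
    if "[" in token:
        token, rest = token.split("[", 1)
        rest = rest.rstrip("]")
        port = None if rest == "any" else int(rest)
    return ipaddress.ip_network(token, strict=False), port


def parse_spdadd(text: str) -> SpdEntry:
    """Parse one 'spdadd SRC DST PROTO -P out ipsec esp/tunnel/A-B/LEVEL' line."""
    t = text.split()
    if t[0] != "spdadd" or t[4:7] != ["-P", "out", "ipsec"]:
        raise ValueError("only outbound spdadd policies are modelled here")
    src, sport = _split_selector(t[1])
    dst, dport = _split_selector(t[2])
    sa_proto, mode, endpoints, _level = t[7].split("/")
    if sa_proto != "esp" or mode != "tunnel":
        raise ValueError("only esp/tunnel policies are modelled here")
    tsrc, tdst = endpoints.split("-")
    return SpdEntry(src, sport, dst, dport, t[3], tsrc, tdst)


# Constructed routing table: (destination prefix, next hop).  The SPD never
# touches this; it only changes which destination the lookup is done on.
ROUTES = [
    (ipaddress.ip_network("10.10.10.0/24"), "link#1"),
    (ipaddress.ip_network("10.99.99.0/24"), "10.10.10.254"),  # plain route to remote LAN
    (ipaddress.ip_network("0.0.0.0/0"), "10.10.11.254"),      # default route
]


def route_lookup(dst: str) -> str:
    """Ordinary longest-prefix match over ROUTES."""
    addr = ipaddress.IPv4Address(dst)
    best = max((n for n, _ in ROUTES if addr in n), key=lambda n: n.prefixlen)
    return dict(ROUTES)[best]


def send(spd, pkt: Packet):
    """SPD first (encapsulate on the first match), then route what results."""
    for entry in spd:
        if entry.matches(pkt):
            pkt = entry.encapsulate(pkt)
            break
    return pkt, route_lookup(pkt.dst)


# The policy quoted in the message: only TCP to port 25 is tunnelled.
SPD = [parse_spdadd(
    "spdadd 10.10.10.0/24[any] 10.99.99.0/24[25] tcp "
    "-P out ipsec esp/tunnel/10.10.11.1-10.99.98.1/require")]

if __name__ == "__main__":
    for p in (Packet("10.10.10.7", "10.99.99.5", "tcp", dport=25),
              Packet("10.10.10.7", "10.99.99.5", "tcp", dport=80)):
        out, nh = send(SPD, p)
        print(f"{p.proto}/{p.dport} -> on the wire: {out.proto} to {out.dst}, next hop {nh}")
```

Running it shows the SMTP packet leaving as ESP to 10.99.98.1 via the default route, while the HTTP packet to the very same host is untouched and follows the 10.99.99.0/24 route; a routing-table view could only ever show one of those two paths for that destination, which is why the SPD is better displayed on its own.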
