From: "Andrey V. Elsukov" <ae@FreeBSD.org>
To: Eugene Grosbein, freebsd-net@FreeBSD.org
Subject: Re: [RFC/RFT] projects/ipsec
Date: Sun, 11 Dec 2016 14:33:43 +0300
Message-ID: <36fa749c-f284-1d96-704c-b7118a574dd0@FreeBSD.org>
In-Reply-To: <584D18D1.8090400@grosbein.net>
References: <2bd32791-944f-2417-41e9-e0fe1c705502@FreeBSD.org> <584D18D1.8090400@grosbein.net>
List-Id: Networking and TCP/IP with FreeBSD

On 11.12.2016 12:13, Eugene Grosbein wrote:
> 11.12.2016 6:07, Andrey V. Elsukov writes:
>
>> * use transport mode IPsec for forwarded IPv4 packets now unsupported.
>> This matches the IPv6 behavior, and since we can handle the replies, I
>> think it is useless.
>
> Does it include a case of packets going from LAN and forwarded into
> gif(4) tunnel connected to remote IPSEC gateway and encrypted with
> transport mode?
>
> That is, will this configuration break?

No. A packet encapsulated by gif(4) is considered as our own packet. The
described change is related to transport mode policies that match
forwarded packets, i.e. when source and destination addresses are not
our own. In this case we can't handle the returned packets.

-- 
WBR, Andrey V. Elsukov
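The distinction Andrey draws (policies on the gateway's own addresses versus transport-mode policies that match forwarded traffic) is easiest to see as SPD entries. The setkey(8) fragment below is an added illustration, not part of the thread or of the projects/ipsec branch. All addresses are constructed: 192.0.2.1 is assumed to be this gateway's public address, 198.51.100.1 the remote IPsec gateway, 10.0.0.0/24 the LAN behind this host and 10.1.0.0/24 the LAN behind the remote one. The tunnel-mode entries at the end are the conventional replacement for the dropped configuration; the thread itself does not name one.

```conf
# Added example for /etc/ipsec.conf (setkey(8) syntax); not from the thread.
# Constructed addresses: 192.0.2.1 = this gateway, 198.51.100.1 = remote
# gateway, 10.0.0.0/24 = our LAN, 10.1.0.0/24 = remote LAN.

# Case 1: LAN traffic is forwarded into a gif(4) tunnel between the two
# gateways, and the tunnel's outer IPv4-in-IPv4 packets (upperspec "ip4",
# protocol 4) are protected by a transport-mode policy. The outer packets
# carry this host's own addresses, so they count as own traffic and keep
# working after the change described in the thread.
#
# Assumed interface setup (ifconfig(8), run as root):
#   ifconfig gif0 create
#   ifconfig gif0 tunnel 192.0.2.1 198.51.100.1
#   ifconfig gif0 inet 10.0.0.1 10.1.0.1
#   route add -net 10.1.0.0/24 -interface gif0
spdadd 192.0.2.1 198.51.100.1 ip4 -P out ipsec esp/transport//require;
spdadd 198.51.100.1 192.0.2.1 ip4 -P in  ipsec esp/transport//require;

# Case 2: a transport-mode policy written against the two LAN prefixes.
# It matches forwarded packets whose source and destination are not this
# host's, which is exactly what the branch stops supporting for IPv4
# (IPv6 never supported it): the replies cannot be handled on this host.
spdadd 10.0.0.0/24 10.1.0.0/24 any -P out ipsec esp/transport//require;
spdadd 10.1.0.0/24 10.0.0.0/24 any -P in  ipsec esp/transport//require;

# Supported way to protect the same forwarded LAN-to-LAN traffic without
# gif(4): a tunnel-mode policy between the gateway addresses.
spdadd 10.0.0.0/24 10.1.0.0/24 any -P out ipsec esp/tunnel/192.0.2.1-198.51.100.1/require;
spdadd 10.1.0.0/24 10.0.0.0/24 any -P in  ipsec esp/tunnel/198.51.100.1-192.0.2.1/require;
```

When auditing an existing setup for the change, `setkey -DP` lists the installed policies; any `transport` entry whose selector addresses are not local to the gateway is of the case 2 kind and needs to move to the gif(4) or tunnel-mode form.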