Date: Thu, 21 Nov 2002 10:08:11 +0100
From: Guido van Rooij <guido@gvr.org>
To: Helge Oldach <freebsd-stable-21nov02@oldach.net>
Cc: "Patrick M. Hausen" <hausen@punkt.de>, archie@dellroad.org, dkelly@HiWAAY.net, sullrich@CRE8.COM, greg.panula@dolaninformation.com, FreeBSD-stable@FreeBSD.ORG
Subject: Re: IPsec/gif VPN tunnel packets on wrong NIC in ipfw? SOLUTION AND QUESTIONS
Message-ID: <20021121090811.GB96801@gvr.gvr.org>
In-Reply-To: <200211210837.gAL8b4Se080747@sep.oldach.net>
References: <200211200820.gAK8Ki6G041336@hugo10.ka.punkt.de> <200211210837.gAL8b4Se080747@sep.oldach.net>
Hi Helge!

On Thu, Nov 21, 2002 at 09:37:04AM +0100, Helge Oldach wrote:
> The core problem is that we have a single routing table only, and hence
> we have a mix of internal and public routes. Consequently we will see
> both internal and external packets on interfaces. Therefore I don't see
> the need for an extra interface. I regard the gif set-up as confusion
> already, because this interface isn't used at all.

It is used. It is currently the only way to be able to filter on the unencrypted packets.

> Specifically, a beast such as esp0 would only work for ESP tunnel
> mode, but again add confusion for ESP transport mode and AH. (What IP
> addresses do you assign the esp0 interface in transport mode?)
>
> Finally, such an implementation would be quite unique in the industry. I
> would prefer to keep reference to existing implementations.

No it wouldn't. See OpenBSD and NetBSD.

It seems you think this is a routing issue, but it's not. It is a packet filtering issue.

-Guido