[fbsd] Re: Routing IPSEC packets?

Jeremie Le Hen jeremie at le-hen.org
Mon Aug 21 16:27:54 UTC 2006


Hi Andrew,

On Fri, Aug 18, 2006 at 11:58:08PM +0400, Andrew Pantyukhin wrote:
> I'm actually trying to marry FreeBSD to PIX. The latter only
> supports IPSec (tunnel/transport). I'm still struggling with
> firewalls on both sides, but tunnel-tunnel works right now.
> I'm a bit puzzled because the howto I see
> (http://www.bshell.com/projects/freebsd_pix/) uses gif(4)
> with tunnel-mode IPSec. Either something is wrong with
> the way things work or the author doesn't understand what
> he's doing (or both). The bitter thing is that we have a
> similar setup in our handbook:
> http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/ipsec.html

The handbook is known to be wrong for this.  ISTR there have been some
mails around there about the incorrectness of the latter page.

See the following URL:
http://docs.freebsd.org/cgi/getmsg.cgi?fetch=236856+0+archive/2001/freebsd-net/20010506.freebsd-net

And this recent thread that shows how misleading the documentation
is:
http://lists.freebsd.org/pipermail/freebsd-net/2005-December/009322.html

I have already been misled by the IPSec tunnel mode + gif(4) setup,
and it happens that although everything appears to work well, traffic
won't go through your gif(4) interface, which is useless (you can check
this with tcpdump(8)).  I think you can simply try to remove it in this
case, or set it down, and your tunnel should continue to work correctly.
This has already been reported in this thread:
http://lists.freebsd.org/pipermail/freebsd-security/2003-October/001135.html

If you succeed in using both IPSec tunnel mode and gif(4), you will have
a double encapsulation.  Basically, you will get something like this:
    [ IP ] [ IP ] [ IPSec ] [ IP ]

As has indeed already been stated in this thread, IPSec tunnel mode
shunts the routing table.  However, the new enc(4) interface that Andrew
Thompson has imported from OpenBSD allows filtering IPSec traffic in a
more natural way.  Maybe it also brings the ability to route IPSec
tunnels, or even bridge them with if_bridge(4).  I Cc'ed him for clarification.

I hope this mail will serve future generations :-).
Best regards,
-- 
Jeremie Le Hen
< jeremie at le-hen dot org >< ttz at chchile dot org >
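As an added illustration of the double-encapsulation point made in the mail above (example code written for this page, not from the thread, the handbook or FreeBSD's sources): the script builds the two on-wire layouts, tunnel-mode IPsec on its own versus gif(4) stacked under tunnel-mode IPsec, and then walks the header chain the way tcpdump(8) would decode it. The gateway and host addresses, SPI, sequence number and payload are constructed for the example. The header order is my assumption about what the kernel emits: the outer gateway-to-gateway IP header carrying ESP, then the gif(4) IP-in-IP header (protocol 4), then the original packet. ESP is modelled as only its 8-byte SPI/sequence header with the payload left in the clear, since the point is the IP-layer nesting, not the cryptography.

```python
"""Tunnel-mode IPsec vs. gif(4) + tunnel-mode IPsec: build both layouts and
decode the header chain.  Added example; all values below are constructed."""
import socket
import struct

IPPROTO_IPIP = 4    # IP-in-IP, what gif(4) emits for an IPv4-over-IPv4 tunnel
IPPROTO_UDP = 17
IPPROTO_ESP = 50

# Constructed addresses: two IPsec gateways (TEST-NET-3) and a host behind each.
GW_A, GW_B = "203.0.113.1", "203.0.113.2"
HOST_A, HOST_B = "192.168.1.10", "192.168.2.10"
ESP_SPI, ESP_SEQ = 0x1000, 1   # constructed SA identifiers


def ip_checksum(hdr: bytes) -> int:
    """RFC 791 one's-complement header checksum; returns 0 for a valid header."""
    if len(hdr) % 2:
        hdr += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options, DF set) in front of payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + payload


def esp(spi: int, seq: int, payload: bytes) -> bytes:
    """ESP modelled as SPI + sequence number only; a real SA adds IV, trailer, ICV."""
    return struct.pack("!II", spi, seq) + payload


def inner_packet() -> bytes:
    """The user's packet: host behind gateway A to host behind gateway B.
    48 placeholder bytes stand in for a UDP header plus data."""
    return ipv4(HOST_A, HOST_B, IPPROTO_UDP, b"\x00" * 48)


def tunnel_mode_only(inner: bytes) -> bytes:
    """SPD matches HOST_A/24 -> HOST_B/24 and the kernel itself wraps the packet:
    [IP gw->gw proto 50][ESP][IP original]."""
    return ipv4(GW_A, GW_B, IPPROTO_ESP, esp(ESP_SPI, ESP_SEQ, inner))


def gif_plus_tunnel_mode(inner: bytes) -> bytes:
    """gif(4) wraps the packet in IP-in-IP first; the SPD then matches that
    gw->gw packet and tunnel mode wraps it again:
    [IP gw->gw proto 50][ESP][IP gw->gw proto 4][IP original]."""
    gif_pkt = ipv4(GW_A, GW_B, IPPROTO_IPIP, inner)
    return ipv4(GW_A, GW_B, IPPROTO_ESP, esp(ESP_SPI, ESP_SEQ, gif_pkt))


def header_chain(pkt: bytes) -> list:
    """Walk IPv4 / ESP / IP-in-IP headers and describe each layer, tcpdump-style."""
    chain = []
    while len(pkt) >= 20 and pkt[0] >> 4 == 4:
        ihl = (pkt[0] & 0x0F) * 4
        if ip_checksum(pkt[:ihl]) != 0:
            raise ValueError("bad IPv4 header checksum")
        proto = pkt[9]
        src, dst = socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20])
        chain.append(f"ip {src}->{dst} proto {proto}")
        pkt = pkt[ihl:]
        if proto == IPPROTO_ESP:
            spi, seq = struct.unpack("!II", pkt[:8])
            chain.append(f"esp spi=0x{spi:x} seq={seq}")
            pkt = pkt[8:]
        elif proto == IPPROTO_IPIP:
            continue            # next thing is another IPv4 header: keep peeling
        else:
            chain.append(f"payload proto {proto} {len(pkt)} bytes")
            break
    return chain


def encapsulation_overhead(wire: bytes, inner: bytes) -> int:
    """Bytes added on the wire per packet; eats into the path MTU."""
    return len(wire) - len(inner)


if __name__ == "__main__":
    inner = inner_packet()
    for name, builder in (("tunnel mode only", tunnel_mode_only),
                          ("gif(4) + tunnel mode", gif_plus_tunnel_mode)):
        wire = builder(inner)
        print(f"{name}: +{encapsulation_overhead(wire, inner)} bytes")
        for layer in header_chain(wire):
            print("   ", layer)
```

The gif(4)-under-IPsec layout costs an extra 20-byte IP header on every packet for nothing: the ESP SA already carries the gateway-to-gateway addressing, which is why the mail recommends dropping gif(4) and letting the tunnel-mode SPD entries do the job.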


More information about the freebsd-net mailing list