[fbsd] Re: Routing IPSEC packets?

Andrew Thompson thompsa at freebsd.org
Mon Aug 21 21:06:55 UTC 2006


On Mon, Aug 21, 2006 at 06:28:30PM +0200, Jeremie Le Hen wrote:
> Hi Andrew,
> 
> On Fri, Aug 18, 2006 at 11:58:08PM +0400, Andrew Pantyukhin wrote:
> > I'm actually trying to marry FreeBSD to PIX. The latter only
> > supports IPSec (tunnel/transport). I'm still struggling with
> > firewalls on both sides, but tunnel-tunnel works right now.
> > I'm a bit puzzled because the howto I see
> > (http://www.bshell.com/projects/freebsd_pix/) uses gif(4)
> > with tunnel-mode IPSec. Either something is wrong with
> > the way things work or the author doesn't understand what
> > he's doing (or both). The bitter thing is that we have a
> > similar setup in our handbook:
> > http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/ipsec.html
> 
> As it has indeed already been stated in this thread, IPSec tunnel mode
> shunts the routing table.  However the new enc(4) interface that Andrew
> Thompson has imported from OpenBSD allows filtering IPSec traffic in a
> more natural way.  Maybe it also brings the ability to route IPSec
> tunnels, or even bridge them with if_bridge(4).  I Cc'ed him for clarification.

At the moment enc(4) isn't really a real interface and while ipsec
traffic seems to pass through it, it actually doesn't. The ipsec code
just calls the enc code which does pfil/bpf with a preallocated enc0. I'm
sure this could be extended to allow routing and other tricks.


Andrew
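The distinction the thread turns on (a tunnel-mode SPD entry steers traffic by its selectors and never consults the routing table, whereas a gif(4) tunnel is an ordinary routable interface whose encapsulated packets can then be protected with transport-mode ESP) as an added configuration example. This is not from the thread, the bshell howto or the handbook; the endpoints 203.0.113.1/203.0.113.2, the inner networks 192.168.1.0/24 and 192.168.2.0/24, the gif addresses 10.0.0.1/10.0.0.2 and the interface names are placeholders, and the SAs themselves (racoon or manual setkey `add` lines) are omitted.

```sh
# --- Variant A: pure tunnel-mode IPsec (how the PIX side speaks) ---
# The SPD selectors decide which packets get encapsulated; no route to
# 192.168.2.0/24 is needed or honoured, which is the "shunts the routing
# table" behaviour. Load with: setkey -f /etc/ipsec.conf
#
#   spdflush;
#   spdadd 192.168.1.0/24 192.168.2.0/24 any -P out ipsec
#       esp/tunnel/203.0.113.1-203.0.113.2/require;
#   spdadd 192.168.2.0/24 192.168.1.0/24 any -P in  ipsec
#       esp/tunnel/203.0.113.2-203.0.113.1/require;

# --- Variant B: gif(4) tunnel + transport-mode ESP (routable) ---
# gif0 carries IP-in-IP (protocol "ipencap", 4) between the two public
# endpoints; the routing table sends 192.168.2.0/24 into gif0, and the
# SPD only has to match the outer ipencap packets.
ifconfig gif0 create
ifconfig gif0 tunnel 203.0.113.1 203.0.113.2
ifconfig gif0 inet 10.0.0.1 10.0.0.2 netmask 255.255.255.252
route add -net 192.168.2.0/24 10.0.0.2

# setkey policy for variant B (placeholder file name):
#   spdflush;
#   spdadd 203.0.113.1/32 203.0.113.2/32 ipencap -P out ipsec
#       esp/transport//require;
#   spdadd 203.0.113.2/32 203.0.113.1/32 ipencap -P in  ipsec
#       esp/transport//require;
setkey -f /etc/ipsec-gif.conf

# Checks on the FreeBSD side:
setkey -DP                 # confirm the SPD entries loaded as written
netstat -rn | grep gif0    # variant B: the 192.168.2.0/24 route must point at gif0
tcpdump -ni enc0           # with enc(4) present: cleartext of ESP traffic via the BPF hook
```

Note that a PIX configured for tunnel mode will not interoperate with variant B as written, since its peer expects the inner 192.168.x.0/24 selectors rather than ipencap between the public addresses; variant B is the FreeBSD-to-FreeBSD shape the howto and handbook are conflating with tunnel mode. With variant A, filtering by inner address is only possible on enc0 (or via the pfil hook the enc code provides), because the packets never cross a real interface as cleartext.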
