IPSEC clarifications

Volker volker at vwsoft.com
Wed Jan 24 14:35:39 UTC 2007


Hi folks,

I'm wondering if someone could please clarify some IPSec-specific
questions for me?

IPSEC_FILTERGIF:

What are the consequences when enabling this if one does use IPSEC
(or FAST_IPSEC) w/o any GIF tunnels? Are there any or does
IPSEC_FILTERGIF only influence packet flow with gif devices?

NOTES says:
# Set IPSEC_FILTERGIF to force packets coming through a gif tunnel
# to be processed by any configured packet filtering (ipfw, ipf).
# The default is that packets coming from a tunnel are _not_ processed;
# they are assumed trusted.

But I've found signs in the archives that, even while not using gif
tunnels, IPSec packets are getting filtered with the FILTERGIF
option. I might be wrong about this.


device enc:

I hadn't been aware of the fact that we already have such a device.
There's a man page (man 4 enc), but it's not in NOTES or GENERIC. Is
the enc(4) man page correct and up to date?

Shouldn't there at least be a note in NOTES somewhere around the
options FAST_IPSEC line with a hint for enc(4)?

Is just compiling device enc into the kernel, using options
FAST_IPSEC and passing (or blocking) traffic on interface enc0 using
pf rules all one has to do?


IPSEC / FAST_IPSEC:

What is the (say) 'official' recommended option to use? What are
the differences, and what are the consequences of using one or the
other? Will both do the same w/o any consequences for the admin?


I'm currently in the process of checking for migration to racoon2
and need to re-check every IPSec related setup.

Thanks,

Volker
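For readers following the enc(4) question above, here is a sketch of what the "device enc + FAST_IPSEC + pf rules on enc0" setup looks like in practice. This is an added editorial example, not part of Volker's mail and not a reply from the list; it assumes a FreeBSD 6-era kernel config and pf.conf layout, and the 10.0.1.0/24 and 10.0.2.0/24 networks, the file paths and the port number are constructed placeholders. It does not answer whether the enc(4) man page was current at the time.

```conf
# Kernel config excerpt (constructed; the file path and name are placeholders)
device      enc              # enc(4): pseudo-interface that exposes IPsec traffic to packet filters
device      crypto           # in-kernel crypto framework that FAST_IPSEC uses
options     FAST_IPSEC       # the non-KAME IPsec stack asked about in the mail
options     IPSEC_FILTERGIF  # run gif(4) tunnel traffic through the packet filter as well

# /etc/pf.conf excerpt (constructed)
# Default-deny on enc0 so that only explicitly allowed traffic that was
# decrypted by IPsec reaches the host or is forwarded; log the rest so
# unexpected tunnel traffic shows up in pflog.
block in  log on enc0
block out log on enc0

# Traffic seen on enc0 is the inner (decrypted) packet, so filter on the
# inner addresses, not on the ESP endpoints.
pass in  on enc0 proto tcp from 10.0.1.0/24 to 10.0.2.0/24 port 22 keep state
pass out on enc0 from 10.0.2.0/24 to 10.0.1.0/24 keep state
```

After rebuilding the kernel, `ifconfig enc0` should show the interface, and `tcpdump -i enc0` lets an administrator confirm that the packets matched by the enc0 rules are the decrypted inner packets rather than the outer ESP frames.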


More information about the freebsd-stable mailing list