Single IP host and IPsec tunnel mode experience
Terry Lambert
tlambert2 at mindspring.com
Tue Apr 15 23:53:14 PDT 2003
"Crist J. Clark" wrote:
> On Thu, Apr 10, 2003 at 11:15:11AM -0500, Jacques A. Vidrine wrote:
> > So, KAME/IPsec experts ... have I gone astray with my configuration?
> > Or is this simply not doable within the KAME framework?
> > Or is this a bug (assuming my theory that packets are matched against
> > the SPD again after de-encapsulation is correct)?
>
> 'uname -a'? I can't reproduce this on a 4.8 to 4.7 tunnel. On
> 192.168.64.70,
>
> spdadd 192.168.64.70/32 10.0.0.0/24 any -P out
> ipsec esp/tunnel/192.168.64.70-192.168.64.20/require;
> spdadd 10.0.0.0/24 192.168.64.70/32 any -P in
> ipsec esp/tunnel/192.168.64.20-192.168.64.70/require;
FWIW, we ran into this same problem.
Deleting the default route fixed it, for some reason. I never
did track it down because we stopped shipping with IPSEC enabled,
because of the huge overhead it had for all IPv4 connections
(each connection eats a large chunk of RAM, which doesn't happen
in the IPv6 case). I keep meaning to fix this, but I'm always
hoping that the KAME people get to it first (on the other hand,
maybe they don't *want* it fixed, to encourage people to use
IPv6 instead ;^)).
-- Terry