showing esp tunnels in routing table

Andre Oppermann andre at freebsd.org
Wed Sep 6 09:17:59 PDT 2006


Sam Leffler wrote:
> Eric W. Bates wrote:
>> Phil Regnauld wrote:
>>> Eric W. Bates (ericx_lists) writes:
>>>> When you establish an esp tunnel, the subnets on the remote end of the
>>>> tunnel do not seem to appear in either "netstat -nr" or 'route get
>>>> xxx.xxx.xxx.xxx'
>>>>
>>>> Is there a way to display those routes other than using setkey to dump
>>>> the SPDs?
>>> 	No, because there are no routes.  The IPSec layer "hijacks" the packets
>>> 	and they are encapsulated before the routing table gets a chance
>>> 	to see them.
>>>
>>> 	You would have to set up transport ESP + gif/gre tunnels to see routing
>>> 	entries.
>> Apparently, openbsd's implementation of netstat allows one to view ESP
>> 'flows' (I believe that is how they refer to them) by examining the
>> family 'encap'
>>
>> netstat -rnf encap
>>
>> We have no such equivalent?
> 
> openbsd integrated the SAD w/ the routing table; something I've wanted
> to do forever.

Having it in a separate radix tree (aka routing table) is just fine.
Integrating it with the IPv4/6 routing table is evil and would cause
me some heartburn.

-- 
Andre
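As an added example (not code from this thread, nor from FreeBSD or OpenBSD), here is the only answer the thread leaves open to Eric's question: parse a `setkey -DP` SPD dump and present the outbound tunnel policies as a route-like table of remote prefix and peer, since the kernel routing table itself never holds them. The sample dump is constructed, and its exact layout is an assumption about the KAME/FreeBSD setkey output format.

```python
import re
from dataclasses import dataclass

# Constructed sample shaped like a `setkey -DP` dump (layout assumed, not captured output).
SAMPLE_SPD = """\
10.0.1.0/24[any] 10.0.2.0/24[any] any
	out ipsec
	esp/tunnel/192.0.2.1-198.51.100.1/require
	spid=1 seq=1 pid=1001
	refcnt=1
10.0.2.0/24[any] 10.0.1.0/24[any] any
	in ipsec
	esp/tunnel/198.51.100.1-192.0.2.1/require
	spid=2 seq=0 pid=1001
	refcnt=1
"""

ENTRY_RE = re.compile(r"^(\S+)\[\S+\]\s+(\S+)\[\S+\]\s+\S+$")  # src[port] dst[port] ulp
TUNNEL_RE = re.compile(r"^(esp|ah)/tunnel/([^-]+)-([^/]+)/\w+$")  # proto/tunnel/a-b/level

@dataclass
class TunnelPolicy:
    src: str        # inner (selector) source prefix
    dst: str        # inner (selector) destination prefix
    direction: str  # "in" or "out"
    proto: str      # "esp" or "ah"
    local: str      # outer tunnel source endpoint
    peer: str       # outer tunnel destination endpoint

def parse_spd(text: str) -> list:
    """Collect every tunnel-mode policy from an SPD dump."""
    policies, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        head = ENTRY_RE.match(line)
        if head:                                # selector line opens a new policy
            cur = {"src": head.group(1), "dst": head.group(2)}
        elif cur and line.endswith(" ipsec"):   # "out ipsec" / "in ipsec"
            cur["direction"] = line.split()[0]
        elif cur and "direction" in cur:
            req = TUNNEL_RE.match(line)
            if req:
                policies.append(TunnelPolicy(cur["src"], cur["dst"], cur["direction"],
                                             req.group(1), req.group(2), req.group(3)))
    return policies

def tunnel_routes(text: str) -> list:
    """Route-like view, (remote prefix, peer), built from the outbound policies:
    these decide where local traffic goes, yet never appear in the routing table."""
    return [(p.dst, p.peer) for p in parse_spd(text) if p.direction == "out"]
```

On a real host, feed it `setkey -DP` output instead of the constructed sample; inbound policies are parsed too but deliberately left out of the route view.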
