showing esp tunnels in routing table

Sam Leffler sam at errno.com
Wed Sep 6 09:53:13 PDT 2006


Andre Oppermann wrote:
> Sam Leffler wrote:
>> Eric W. Bates wrote:
>>> Phil Regnauld wrote:
>>>> Eric W. Bates (ericx_lists) writes:
>>>>> When you establish an esp tunnel, the subnets on the remote end of the
>>>>> tunnel do not seem to appear in either "netstat -nr" or 'route get
>>>>> xxx.xxx.xxx.xxx'
>>>>>
>>>>> Is there a way to display those routes other than using setkey to dump
>>>>> the SPD's?
>>>>     No, because there are no routes.  The IPSec layer "hijacks" the packets
>>>>     and they are encapsulated before the routing table gets a chance
>>>>     to see them.
>>>>
>>>>     You would have to set up transport ESP + gif/gre tunnels to see routing
>>>>     entries.
>>> Apparently, openbsd's implementation of netstat allows one to view ESP
>>> 'flows' (I believe that is how they refer to them) by examining the
>>> family 'encap'
>>>
>>> netstat -rnf encap
>>>
>>> We have no such equivalent?
>>
>> openbsd integrated the SAD w/ the routing table; something I've wanted
>> to do forever.
> 
> Having it in a separate radix tree (aka routing table) is just fine.
> Integrating it with the IPv4/6 routing table is evil and would cause
> me some heartburn.
> 

The main point is to integrate routing decisions.  I've also felt the
locking overhead in IPsec could be significantly reduced by flattening
the data structures.  I don't care how things are implemented.

	Sam
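As the thread notes, the only place the "routes" of a tunnel-mode ESP policy live is the SPD, which `setkey -DP` dumps. The script below is an added example, not code from the thread or from FreeBSD: it parses a hand-constructed dump that only approximates the real `setkey -DP` layout (selector line, then indented direction/action, ipsec rule and spid lines) and prints the outbound tunnel policies in a netstat-style table, so an operator auditing a host can see which destination subnets will be encapsulated and to which tunnel endpoint. Entry names such as `SpdEntry`, `tunnel_routes` and the sample addresses are assumptions made for the example.

```python
"""Render a FreeBSD-style `setkey -DP` SPD dump as a route-like table.

Added example (not from the original thread). The sample below is constructed
by hand and only approximates the real setkey output format.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample resembling `setkey -DP` output (not captured from a real host).
# Entry 1: outbound tunnel policy for 10.2.0.0/16 via 198.51.100.1
# Entry 2: the matching inbound policy
# Entry 3: an "out none" bypass policy for local traffic
SAMPLE_SPD = """\
10.1.0.0/16[any] 10.2.0.0/16[any] any
    out ipsec
    esp/tunnel/192.0.2.1-198.51.100.1/require
    spid=1 seq=1 pid=1234
    refcnt=1
10.2.0.0/16[any] 10.1.0.0/16[any] any
    in ipsec
    esp/tunnel/198.51.100.1-192.0.2.1/require
    spid=2 seq=0 pid=1234
    refcnt=1
10.1.0.0/16[any] 10.1.0.0/16[any] any
    out none
    spid=3 seq=2 pid=1234
    refcnt=1
"""


@dataclass
class SpdEntry:
    """One SPD policy: the selector plus the ipsec rule attached to it (assumed layout)."""
    src: str                  # inner source selector, e.g. 10.1.0.0/16
    dst: str                  # inner destination selector
    proto: str                # upper-layer protocol selector ("any", "tcp", ...)
    direction: str = ""       # in / out / fwd
    action: str = ""          # ipsec / discard / none
    ipsec_proto: Optional[str] = None   # esp / ah / ipcomp
    mode: Optional[str] = None          # tunnel / transport
    ep_src: Optional[str] = None        # outer (tunnel) source endpoint
    ep_dst: Optional[str] = None        # outer (tunnel) destination endpoint
    level: Optional[str] = None         # require / use / default / unique
    spid: Optional[int] = None


SELECTOR_RE = re.compile(r"^(\S+?)\[(\S+?)\]\s+(\S+?)\[(\S+?)\]\s+(\S+)$")
POLICY_RE = re.compile(r"^(in|out|fwd)\s+(ipsec|discard|none)$")
RULE_RE = re.compile(r"^(esp|ah|ipcomp)/(tunnel|transport)/(\S+)-(\S+)/(\S+)$")
SPID_RE = re.compile(r"spid=(\d+)")


def parse_spd(text: str) -> List[SpdEntry]:
    """Parse the dump: an unindented line starts a new policy, indented lines refine it."""
    entries: List[SpdEntry] = []
    cur: Optional[SpdEntry] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw[0].isspace():
            m = SELECTOR_RE.match(line)
            if not m:
                raise ValueError(f"unrecognised selector line: {line!r}")
            cur = SpdEntry(src=m.group(1), dst=m.group(3), proto=m.group(5))
            entries.append(cur)
            continue
        if cur is None:
            raise ValueError("policy detail before any selector line")
        m = POLICY_RE.match(line)
        if m:
            cur.direction, cur.action = m.groups()
            continue
        m = RULE_RE.match(line)
        if m:
            cur.ipsec_proto, cur.mode, cur.ep_src, cur.ep_dst, cur.level = m.groups()
            continue
        m = SPID_RE.search(line)
        if m:
            cur.spid = int(m.group(1))
        # other lines (refcnt, seq, ...) carry nothing route-like and are ignored
    return entries


def tunnel_routes(entries: List[SpdEntry]) -> List[Tuple[str, str, str, Optional[int]]]:
    """Outbound tunnel-mode policies are the closest thing to a route:
    packets for `dst` are encapsulated and sent to the outer endpoint `ep_dst`."""
    return [
        (e.dst, e.ep_dst or "?", f"{e.ipsec_proto}/{e.level}", e.spid)
        for e in entries
        if e.direction == "out" and e.action == "ipsec" and e.mode == "tunnel"
    ]


def format_table(routes) -> str:
    """Lay the tunnel routes out like a `netstat -rn` listing."""
    lines = [f"{'Destination':<18} {'Tunnel endpoint':<18} {'Policy':<12} {'SPID':>4}"]
    for dst, gw, policy, spid in routes:
        lines.append(f"{dst:<18} {gw:<18} {policy:<12} {str(spid):>4}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_table(tunnel_routes(parse_spd(SAMPLE_SPD))))
```

On a real host the dump would come from `setkey -DP` piped into the script instead of the constructed sample; inbound and bypass policies are deliberately left out of the table because they do not steer outgoing traffic, which is the part of the SPD that behaves like a route.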


More information about the freebsd-net mailing list