Filtering IPSec traffic ?

VANHULLEBUS Yvan vanhu_bsd at zeninc.net
Tue Oct 25 05:43:08 PDT 2005


On Tue, Oct 25, 2005 at 02:23:49PM +0200, Eric Masson wrote:
> VANHULLEBUS Yvan <vanhu_bsd at zeninc.net> writes:
> 
> Hi Yvan,

Hi Eric :-)


> > That's the problem: enc0 doesn't seem to exist, at least on my
> > FreeBSD6 gate (perhaps I missed something in the configuration, or
> > perhaps this is not a "real" interface?) !!!
> 
> The enc(4) interface doesn't exist in FreeBSD.

Yep, unfortunately...


> Atm, I use gif tunnels and transport mode between gateways, so I'm able
> to filter on gifs. The other main advantage in my case is that routing
> is explicit (no SPD inspection to check how packets are treated by the
> stack).

And the main problem of using gif interfaces seems to be a gif + IPSec
+ filtering + forwarding problem for (at least) big TCP sessions (see
the thread on freebsd-net).

I'll try to do some tests with gif interfaces to see the advantages
and drawbacks, but this "bug" described in the gif(4) man page seems
to be a big drawback for me (I almost always use tunnel mode for
net-2-net IPsec tunnels):

"The gif device may not interoperate with peers which are based on
different specifications, and are picky about outer header fields.
For example, you cannot usually use gif to talk with IPsec devices
that use IPsec tunnel mode."



Yvan.
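As an added example (not part of this thread, and not either poster's configuration), here is the "gif tunnel + transport-mode IPsec between the gateways" layout Eric describes, written out as the three FreeBSD config fragments it takes: rc.conf entries for the gif tunnel and an explicit route, an ipsec.conf for setkey(8) that forces ESP transport mode on the IP-in-IP (protocol 4) packets gif0 emits and receives, and pf.conf rules that let only ESP/IKE cross the external interface while the cleartext inner traffic is filtered on gif0. Every address, interface name, network and port here is an assumption chosen for illustration (192.0.2.1 and 198.51.100.1 as the two gateways' outer addresses, 10.1.0.0/16 and 10.2.0.0/16 as the networks behind them, em0 as the external interface, UDP 500 assuming IKE keying with racoon; with manually keyed SAs the IKE rules are not needed).

```conf
# --- /etc/rc.conf (this gateway: outer 192.0.2.1, inner net 10.1.0.0/16) ---
# Assumed peer: outer 198.51.100.1, inner net 10.2.0.0/16.
gif_interfaces="gif0"
gifconfig_gif0="192.0.2.1 198.51.100.1"                      # outer tunnel endpoints
ifconfig_gif0="inet 10.0.0.1 10.0.0.2 netmask 255.255.255.255"  # inner point-to-point addresses
static_routes="branch"
route_branch="-net 10.2.0.0/16 10.0.0.2"                      # explicit routing via gif0, no SPD lookup needed
ipsec_enable="YES"
ipsec_file="/etc/ipsec.conf"
pf_enable="YES"

# --- /etc/ipsec.conf (loaded by setkey -f at boot) ---
# Transport-mode ESP on the IP-in-IP (ip4, protocol 4) packets gif0 produces.
# Only the gateway-to-gateway IPIP traffic is covered; nothing else is touched.
flush;
spdflush;
spdadd 192.0.2.1/32 198.51.100.1/32 ip4 -P out ipsec esp/transport//require;
spdadd 198.51.100.1/32 192.0.2.1/32 ip4 -P in  ipsec esp/transport//require;

# --- /etc/pf.conf ---
ext_if     = "em0"
tun_if     = "gif0"
me         = "192.0.2.1"
peer       = "198.51.100.1"
local_net  = "10.1.0.0/16"
remote_net = "10.2.0.0/16"

set skip on lo0
block log all

# Outer packets on the external interface: only IKE and ESP with the peer.
pass in  quick on $ext_if proto udp from $peer to $me   port 500
pass out quick on $ext_if proto udp from $me   to $peer port 500
pass in  quick on $ext_if proto esp from $peer to $me
pass out quick on $ext_if proto esp from $me   to $peer
# The SPD already rejects unprotected IP-in-IP from the peer; this rule just
# makes any such attempt show up in the pf log.
block in log quick on $ext_if proto ipencap from $peer

# Inner (decapsulated) traffic appears on gif0 in the clear and is filtered there.
pass in  on $tun_if proto tcp  from $remote_net to $local_net port { 22, 443 } flags S/SA keep state
pass in  on $tun_if proto icmp from $remote_net to $local_net keep state
pass out on $tun_if from $local_net to $remote_net keep state
```

The point of the split is that on $ext_if pf only ever sees ESP (and IKE), so the real policy, who behind the remote gateway may reach what behind the local one, is expressed on $tun_if where the packets are readable. Two caveats worth checking before relying on this: the SPD entries use the upper-layer protocol `ip4`, so they match only the gif encapsulation and leave any other traffic between the two gateway addresses unprotected, which is intended here but must be remembered when adding services; and, exactly as the gif(4) text quoted above warns, the remote end must also be a gif (IP-in-IP) endpoint protected by transport-mode ESP. A peer configured for plain IPsec tunnel mode will not accept these packets, so this layout does not replace tunnel mode when the other side is a third-party gateway.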


More information about the freebsd-pf mailing list