[RFC/RFT] projects/ipsec

Andrey V. Elsukov ae at FreeBSD.org
Sun Dec 11 11:34:20 UTC 2016


On 11.12.2016 12:13, Eugene Grosbein wrote:
> 11.12.2016 6:07, Andrey V. Elsukov wrote:
> 
>> * use of transport mode IPsec for forwarded IPv4 packets is now unsupported.
>> This matches the IPv6 behavior, and since we can handle the replies, I
>> think it is useless.
> 
> Does it include the case of packets going from a LAN and forwarded into
> a gif(4) tunnel connected to a remote IPsec gateway and encrypted with
> transport mode?
> 
> That is, will this configuration break?

No. A packet encapsulated by gif(4) is considered our own packet. The
described change relates to transport mode policies that match
forwarded packets, i.e. when the source and destination addresses are not
our own. In this case we can't handle the returned packets.

-- 
WBR, Andrey V. Elsukov
