IPsec: is it possible to encrypt transit traffic in transport mode?
Eugene Grosbein
eugen at grosbein.net
Fri Nov 30 10:27:57 UTC 2018
30.11.2018 16:22, Andrey V. Elsukov wrote:
> There is one problem. IPsec won't handle inbound packets that are not
> destined to your IP address. Inbound packets are handled based on the
> destination address, protocol and SPI value, so if ip_input() doesn't
> decide that the ESP packet is for your host, it will not invoke
> IPSEC_INPUT() and the encrypted packet will be routed as is.
That's why I use gif tunnels for such packets :-)
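
The gif approach from the reply, sketched as an added example that is not part of the thread and not either poster's configuration: gif wraps the transit packet in IP-in-IP, so the ESP transport-mode packet on the wire is addressed to the peer router itself and passes the ip_input() check quoted above. The interface name gif0, all addresses (constructed documentation and RFC 1918 values), the function names, and the use of an IKE daemon to install the SAs are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Renders the FreeBSD commands for one
# end of a gif tunnel whose outer packets are protected by ESP transport mode.
# All addresses below are constructed sample values.

# Print the ifconfig commands that build the gif (IP-in-IP) tunnel.
# $1 local outer IP, $2 remote outer IP, $3 local inner IP, $4 remote inner IP
gif_commands() {
    printf 'ifconfig gif0 create\n'
    printf 'ifconfig gif0 tunnel %s %s\n' "$1" "$2"
    printf 'ifconfig gif0 inet %s %s netmask 255.255.255.255\n' "$3" "$4"
}

# Print setkey(8) policies: ESP transport mode, but only for the IP-in-IP
# (ipencap, protocol 4) packets exchanged between the two tunnel endpoints.
# Those packets are destined to the router's own address, so inbound IPsec
# processing is invoked; gif then decapsulates and forwards the transit packet.
# $1 local outer IP, $2 remote outer IP
spd_policies() {
    printf 'spdadd %s/32 %s/32 ipencap -P out ipsec esp/transport//require;\n' "$1" "$2"
    printf 'spdadd %s/32 %s/32 ipencap -P in ipsec esp/transport//require;\n' "$2" "$1"
}

# Apply on the router as root. Assumption: the SAs themselves are negotiated
# by an IKE daemon, so no static keys appear here.
# $1..$4 as in gif_commands, $5 remote network to route through the tunnel
apply_config() {
    gif_commands "$1" "$2" "$3" "$4" | sh -e
    spd_policies "$1" "$2" | setkey -c
    route add -net "$5" "$4"
}

# Dry run for router A (constructed values); nothing is changed on the host.
gif_commands 192.0.2.1 198.51.100.1 10.255.0.1 10.255.0.2
spd_policies 192.0.2.1 198.51.100.1
```

The peer router uses the same functions with the local and remote arguments swapped; `apply_config` additionally takes the remote network (for example a constructed `10.2.0.0/16`) as its fifth argument.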