Filtering IPSec traffic?
Eric Masson
e-masson at kisoft-services.com
Tue Oct 25 06:32:57 PDT 2005
VANHULLEBUS Yvan <vanhu_bsd at zeninc.net> writes:
> And the main problem of using gif interfaces seems to be a gif + IPSec
> + filtering + forwarding problem for (at least) big TCP sessions (see
> the thread on freebsd-net).
Just checked; maybe it's a regression, because this kind of setup works on a
prototype I've set up for a customer (early 5.x release) and in
production (ipsec transport/gif/ipf on 4.8 and 4.10 boxes).
> I'll try to do some tests with gif interfaces to see the advantages
> and drawbacks, but this "bug" described in the gif(4) man page seems
> to be a big drawback for me (I almost always use Tunnel mode for
> net-2-net IPSec tunnels):
>
> "The gif device may not interoperate with peers which are based on
> different specifications, and are picky about outer header fields.
> For example, you cannot usually use gif to talk with IPsec devices
> that use IPsec tunnel mode."
Not really a bug per se: different encap specs, nothing more.
It should interoperate with a similar setup, such as *BSD gif on IPsec
transport mode or Linux ipip on IPsec transport mode.
I've tried with gre instead of gif tunnels in the early 5.x release days
and it failed; maybe I should give it a try one of these days (too much
daily job atm...)
Éric
--
The attitude of reminding a contributor that his post goes against the
newsgroup's charter seems to me pedantic, anal and probably also
"off-topic". Which annoys me more than a post about TeX...
-+- Dr NV in GNU: The a(nal)dventures of Doctor Juste Tex. -+-
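Worked example, added here and not part of Eric's or Yvan's messages: a FreeBSD site-to-site configuration of the kind Eric describes as working for him, a gif(4) tunnel whose IP-in-IP packets are protected by IPsec transport mode, with pf filtering the cleartext on the gif interface. Everything concrete is a constructed placeholder: the interface name em0, the public endpoints 203.0.113.1 and 203.0.113.2, the point-to-point addresses 10.0.0.1/10.0.0.2 and the LANs 192.168.1.0/24 and 192.168.2.0/24. Security associations are assumed to be negotiated by racoon from ports (its configuration is not shown), and, as the gif(4) man page quoted above warns, the peer must run the same gif-or-ipip-over-transport-mode arrangement, not IPsec tunnel mode. The peer uses the mirror image of this with the addresses swapped.

```conf
# --- /etc/rc.conf (fragment) ---------------------------------------------
# gif0 carries IP-in-IP (ipencap) between the two public endpoints. The gif
# tunnel itself is not encrypted; the transport-mode policy below protects
# the ipencap packets between the two endpoint addresses.
gateway_enable="YES"
gif_interfaces="gif0"
gifconfig_gif0="203.0.113.1 203.0.113.2"          # outer endpoints (placeholders)
ifconfig_gif0="inet 10.0.0.1 10.0.0.2 netmask 255.255.255.252"
static_routes="site2"
route_site2="-net 192.168.2.0/24 10.0.0.2"        # remote LAN reached via the tunnel
ipsec_enable="YES"
ipsec_file="/etc/ipsec.conf"
pf_enable="YES"
pf_rules="/etc/pf.conf"
pflog_enable="YES"

# --- /etc/ipsec.conf (setkey(8) policy, loaded at boot by ipsec_enable) --
# Only the IP-in-IP packets (upper-layer protocol "ipencap", protocol 4)
# between the two endpoints are covered. "require" on the inbound policy
# makes the kernel discard any plaintext ipencap packet that claims to come
# from the peer, so a spoofed packet cannot be injected into gif0 around
# the encryption.
flush;
spdflush;
spdadd 203.0.113.1 203.0.113.2 ipencap -P out ipsec esp/transport//require;
spdadd 203.0.113.2 203.0.113.1 ipencap -P in  ipsec esp/transport//require;
# SAs: negotiated by racoon (IKE); racoon configuration is not shown here.

# --- /etc/pf.conf ----------------------------------------------------------
ext_if     = "em0"            # physical interface (placeholder name)
gif_if     = "gif0"
peer       = "203.0.113.2"
local_net  = "192.168.1.0/24"
remote_net = "192.168.2.0/24"

set skip on lo0
block log all

# Outer side: only IKE (UDP/500) and ESP exchanged with the peer may reach
# the host on the physical interface.
pass in  quick on $ext_if proto udp from $peer to ($ext_if) port 500 keep state
pass out quick on $ext_if proto udp from ($ext_if) to $peer port 500 keep state
pass in  quick on $ext_if proto esp from $peer to ($ext_if)
pass out quick on $ext_if proto esp from ($ext_if) to $peer

# After ESP is stripped, the decrypted ipencap packet is handed back to the
# IP input path and is seen by pf again on $ext_if before gif(4)
# decapsulates it, so it needs a rule of its own. If tunnel traffic shows
# up in pflog as blocked on $ext_if with proto 4, this is usually the gap.
pass in  quick on $ext_if proto ipencap from $peer to ($ext_if)
pass out quick on $ext_if proto ipencap from ($ext_if) to $peer

# Inner side: the cleartext packets appear on gif0, which is where the real
# site-to-site policy is enforced (here: SSH and HTTPS plus ICMP inbound,
# anything outbound from the local LAN).
pass in  on $gif_if inet proto tcp from $remote_net to $local_net \
    port { 22, 443 } flags S/SA keep state
pass in  on $gif_if inet proto icmp from $remote_net to $local_net keep state
pass out on $gif_if inet from $local_net to $remote_net keep state
```

The split matters for filtering: rules on em0 can only say "ESP from the peer, yes or no", while rules on gif0 see source, destination and port of the decapsulated packets, so that is where a per-service policy belongs. The inbound "require" policy is what keeps the gif0 rules meaningful, since without it a plaintext ipencap packet with a forged source of 203.0.113.2 would be accepted by gif0 as if it had come through the tunnel.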