Remko Lodder wrote:
> Hi friends,
> I was looking around for using IPsec services instead of
> OpenVPN services, but I found out that with our current
> implementation of IPsec, we cannot actually route packets
> through the various IPsec hops [1]. OpenBSD adds IPsec
> flows in their routing table, making it possible to route
> traffic between IPsec tunnels.
> Can someone either confirm my above statement that FreeBSD
> is indeed not capable of doing this?
It's not an implementation issue, but a design problem with
IPsec tunnel mode. See RFC3884:
<http://www.ietf.org/rfc/rfc3884.txt>
The proposed solution is to use IP-IP tunnel (gif iface in
FreeBSD, which you can route) then apply IPsec transport mode
on the outer header. Refer to the rfc for more detail.
The policy will be different, but we've verified long ago
with FreeBSD that it works. The packets on the wire are
compatible with regular tunnel mode IPsec.
yushun
> In the case that does not exist yet, are there others that
> also like this feature? And is there someone who can do
> the coding in that case? (I am not skilled enough to do
> this).
> I hope to get some good feedback :-)
> Please keep me CC'ed since I am not subscribed to the
> list.
> Thanks a lot!
> Cheers,
> Remko
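The gif-plus-transport-mode layout that yushun's reply describes, worked through for the case Remko actually asks about (a FreeBSD hub routing between two IPsec-protected tunnels). This is an added example and is not code from the thread or from FreeBSD; the addresses (203.0.113.1 for the hub, 198.51.100.1/.2 for two spokes, 10.0.x.y tunnel addresses, 192.168.1.0/24 and 192.168.2.0/24 spoke LANs) are assumed documentation-range values, and the function names are mine. The functions only print ifconfig(8)/route(8) commands and setkey(8) policy lines so the script can be inspected offline; SAs are left to IKE (racoon) or a manual setkey `add`.

```shell
#!/bin/sh
# Added example (not from the thread): RFC 3884-style IPsec on FreeBSD.
# Instead of IPsec tunnel mode, each tunnel is a gif(4) IP-in-IP interface,
# which is an ordinary routable interface, and the *outer* IP-in-IP packets
# between the two endpoints are protected with ESP in transport mode.
# On the wire the result is ESP carrying an IP-in-IP packet, the same layering
# tunnel mode produces, which is why the reply says it is wire-compatible.
#
# Assumed addresses (documentation ranges, not a real deployment):
#   hub    outer 203.0.113.1
#   spoke1 outer 198.51.100.1, LAN 192.168.1.0/24, tunnel 10.0.0.1 <-> 10.0.0.2
#   spoke2 outer 198.51.100.2, LAN 192.168.2.0/24, tunnel 10.0.1.1 <-> 10.0.1.2
#
# Nothing here touches the system: every function prints commands, and the
# caller pipes them into sh or setkey -c.

# One gif tunnel plus the route that sends the remote LAN into it.
# Args: IFACE LOCAL_OUTER REMOTE_OUTER LOCAL_INNER REMOTE_INNER REMOTE_LAN
gen_gif_tunnel() {
    iface=$1; lo=$2; ro=$3; li=$4; ri=$5; lan=$6
    printf 'ifconfig %s create\n' "$iface"
    printf 'ifconfig %s tunnel %s %s\n' "$iface" "$lo" "$ro"
    printf 'ifconfig %s inet %s %s netmask 255.255.255.255\n' "$iface" "$li" "$ri"
    # Routing happens on the inner (gif) addresses, so the hub can forward
    # between tunnels with plain routes; no IPsec flow table is needed.
    printf 'route add -net %s %s\n' "$lan" "$ri"
}

# SPD entries for one tunnel: ESP transport mode, selecting only the
# IP-in-IP (upperspec ip4) traffic between the two outer addresses.
# The inbound "require" entry is what drops unprotected IP-in-IP packets
# aimed at the gif endpoint instead of handing them to gif(4).
# Args: LOCAL_OUTER REMOTE_OUTER
gen_spd_policy() {
    lo=$1; ro=$2
    printf 'spdadd %s %s ip4 -P out ipsec esp/transport//require;\n' "$lo" "$ro"
    printf 'spdadd %s %s ip4 -P in  ipsec esp/transport//require;\n' "$ro" "$lo"
}

# Hub side: forwarding on, one gif per spoke.  Traffic from 192.168.1.0/24 to
# 192.168.2.0/24 arrives on gif0, is routed to gif1, and leaves protected
# by the second transport-mode SA.
gen_hub_config() {
    printf 'sysctl net.inet.ip.forwarding=1\n'
    gen_gif_tunnel gif0 203.0.113.1 198.51.100.1 10.0.0.1 10.0.0.2 192.168.1.0/24
    gen_gif_tunnel gif1 203.0.113.1 198.51.100.2 10.0.1.1 10.0.1.2 192.168.2.0/24
}

# Hub SPD for both spokes, fed to: gen_hub_policy | setkey -c
gen_hub_policy() {
    printf 'spdflush;\n'
    gen_spd_policy 203.0.113.1 198.51.100.1
    gen_spd_policy 203.0.113.1 198.51.100.2
}

# Spoke 1, for symmetry: its default route for the other spoke's LAN goes
# via the hub's inner address, and its SPD mirrors the hub's first entry.
gen_spoke1_config() {
    gen_gif_tunnel gif0 198.51.100.1 203.0.113.1 10.0.0.2 10.0.0.1 192.168.2.0/24
}
gen_spoke1_policy() {
    printf 'spdflush;\n'
    gen_spd_policy 198.51.100.1 203.0.113.1
}

# Run with "show" to print everything for review.
if [ "${1:-}" = "show" ]; then
    gen_hub_config; gen_hub_policy
    gen_spoke1_config; gen_spoke1_policy
fi
```

Usage on the hub, as root, after reviewing the output: `sh gif-ipsec.sh show`, then `gen_hub_config | sh` and `gen_hub_policy | setkey -c` (or write the policy lines to a file for `setkey -f`). Two caveats worth keeping in mind: the SPD selector is the outer address pair plus protocol 4, so it protects anything IP-in-IP between those endpoints, not just what this gif emits; and because the hub forwards on the inner addresses, the usual spoke-to-spoke filtering (ipfw/pf on gif0 and gif1) still has to be written, since the IPsec policy alone says nothing about which LAN may talk to which.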
_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "[EMAIL PROTECTED]"