Andre Oppermann wrote:
> Sam Leffler wrote:
>> Eric W. Bates wrote:
>>> Phil Regnauld wrote:
>>>> Eric W. Bates (ericx_lists) writes:
>>>>> When you establish an esp tunnel, the subnets on the remote end of the
>>>>> tunnel do not seem to appear in either "netstat -nr" or 'route get
>>>>> xxx.xxx.xxx.xxx'
>>>>>
>>>>> Is there a way to display those routes other than using setkey to dump
>>>>> the SPD's?
>>>> No, because there are no routes. The IPSec layer "hijacks" the packets
>>>> and they are encapsulated before the routing table gets a chance
>>>> to see them.
>>>>
>>>> You would have to set up transport ESP + gif/gre tunnels to see routing
>>>> entries.
>>> Apparently, openbsd's implementation of netstat allows one to view ESP
>>> 'flows' (I believe that is how they refer to them) by examining the
>>> family 'encap'
>>>
>>> netstat -rnf encap
>>>
>>> We have no such equivalent?
>>
>> openbsd integrated the SAD w/ the routing table; something I've wanted
>> to do forever.
>
> Having it in a separate radix tree (aka routing table) is just fine.
> Integrating it with the IPv4/6 routing table is evil and would cause
> me some heartburn.
>
The main point is to integrate routing decisions. I've also felt the locking overhead in IPsec could be significantly reduced by flattening the data structures. I don't care how things are implemented.

Sam
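Since tunnel-mode ESP policies never show up in `netstat -nr`, the closest thing to a route listing on FreeBSD has to be derived from the SPD dump the thread mentions. The following is an added example, not code from the thread or from FreeBSD: a small shell filter that turns `setkey -DP` output into one "subnet via tunnel endpoint" line per outbound tunnel policy. The SPD text it parses is a constructed sample in the KAME dump layout, not captured from a real host.

```shell
#!/bin/sh
# Constructed sample of `setkey -DP` (SPD dump) output; not from a real host.
# Layout: policy selector line, then indented "dir ipsec" and
# "esp/tunnel/<local>-<remote>/<level>" lines.
SAMPLE_SPD='10.0.1.0/24[any] 10.0.2.0/24[any] any
        out ipsec
        esp/tunnel/192.0.2.1-198.51.100.1/require
        spid=1 seq=1 pid=100
        refcnt=1
10.0.2.0/24[any] 10.0.1.0/24[any] any
        in ipsec
        esp/tunnel/198.51.100.1-192.0.2.1/require
        spid=2 seq=0 pid=100
        refcnt=1'

# spd_routes: read an SPD dump on stdin, print one line per *outbound*
# tunnel-mode ESP policy: "<remote subnet> via <remote tunnel endpoint>".
# Inbound policies are skipped because they describe the reverse path.
spd_routes() {
    awk '
        # Selector line starts in column 0: "<src>[port] <dst>[port] <proto>"
        /^[^ \t]/ {
            src = $1; dst = $2
            sub(/\[.*$/, "", src); sub(/\[.*$/, "", dst)
            dir = ""
        }
        # Direction line: "in ipsec", "out ipsec" or "fwd ipsec"
        /^[ \t]+(in|out|fwd) ipsec/ { dir = $1 }
        # Tunnel line: esp/tunnel/<local>-<remote>/<level>
        /^[ \t]+esp\/tunnel\// {
            if (dir != "out") next
            split($1, f, "/")          # f[3] is "<local>-<remote>"
            split(f[3], ep, "-")
            printf "%s via %s\n", dst, ep[2]
        }
    '
}

# spd_route_count: number of outbound tunnel policies in the sample.
spd_route_count() {
    printf '%s\n' "$SAMPLE_SPD" | spd_routes | wc -l | tr -d ' '
}

# Demo on the constructed sample; on a live host use: setkey -DP | spd_routes
printf '%s\n' "$SAMPLE_SPD" | spd_routes
```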