On Sun, Dec 11, 2016 at 03:09:28PM +0300, Andrey V. Elsukov wrote:
> On 11.12.2016 14:58, Slawa Olhovchenkov wrote:
> >> No. A packet encapsulated by gif(4) is considered as our own packet. The
> >> described change is related to transport mode policies that match
> >> forwarded packets, i.e. when source and destination addresses are not
> >> our own. In this case we can't handle the returned packets.
> >
> > What difference with source packets?
> > Why can you handle sourced and can't handle returned packets?
>
> IPsec is a set of protocol handlers - ESP/AH/IPcomp. Inbound packets are
> handled by the security association with the given destination address and SPI.
> If returned packets aren't destined to your address, protocol handlers
> will not handle them.

SA can't contain not my address? Surprising to me. Or I misunderstood you.

> Outbound packets are handled by matching security policy. The needed
> security association is looked up using the address selector from the
> security policy. If a security association that matches a packet is
> found, the packet will be handled by the protocol handler.
>
> --
> WBR, Andrey V. Elsukov
>

_______________________________________________
freebsd-net@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"
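The asymmetry Andrey describes (outbound traffic matched by SPD selector, inbound ESP/AH handed to the protocol handler only when the packet is addressed to one of our own addresses and then looked up by destination address plus SPI) can be modelled in a few lines. The following is an added toy model, not FreeBSD kernel code; the `SA`/`SP` classes, the `outbound`/`inbound` functions, the router address 10.0.0.1, the hosts 192.0.2.10 and 198.51.100.20, the peer 203.0.113.1 and the SPI values are all constructed for the illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass(frozen=True)
class SA:
    """Security association; the inbound lookup key is (dst, spi)."""
    src: str
    dst: str
    spi: int
    mode: str          # "transport" or "tunnel"


@dataclass(frozen=True)
class SP:
    """Security policy: an address selector plus the SA endpoints it requires."""
    src: str           # selector
    dst: str
    direction: str     # "out" or "in"
    mode: str
    sa_src: str        # SA endpoints; equal to the selector in transport mode,
    sa_dst: str        # the tunnel outer addresses in tunnel mode


def outbound(pkt_src: str, pkt_dst: str, spd: List[SP], sad: List[SA]) -> Optional[SA]:
    """Outbound path: match the SPD by selector, then find the SA the policy names."""
    for sp in spd:
        if sp.direction == "out" and sp.src == pkt_src and sp.dst == pkt_dst:
            for sa in sad:
                if (sa.src, sa.dst, sa.mode) == (sp.sa_src, sp.sa_dst, sp.mode):
                    return sa
            return None    # policy matched but no SA yet (would need an acquire)
    return None            # no policy: plain forwarding


def inbound(outer_dst: str, spi: int, sad: List[SA], local_addrs: Set[str]) -> Optional[SA]:
    """Inbound path: ESP/AH handler runs only for packets addressed to us."""
    if outer_dst not in local_addrs:
        return None        # ip_input just forwards it; never decapsulated here
    for sa in sad:
        if sa.dst == outer_dst and sa.spi == spi:
            return sa
    return None


def demo() -> dict:
    """Constructed scenario: a router at 10.0.0.1 protecting traffic between
    two hosts that are not its own addresses."""
    router, peer = "10.0.0.1", "203.0.113.1"
    host_a, host_b = "192.0.2.10", "198.51.100.20"
    local = {router}

    # Transport-mode policy for forwarded traffic: SA endpoints are the hosts.
    spd_t = [SP(host_a, host_b, "out", "transport", host_a, host_b)]
    sad_t = [SA(host_a, host_b, 0x1001, "transport"),
             SA(host_b, host_a, 0x1002, "transport")]   # the "returned" direction

    # Tunnel-mode policy for the same selector: SA endpoints are router and peer.
    spd_u = [SP(host_a, host_b, "out", "tunnel", router, peer)]
    sad_u = [SA(router, peer, 0x2001, "tunnel"),
             SA(peer, router, 0x2002, "tunnel")]

    def spi_of(sa: Optional[SA]) -> Optional[int]:
        return sa.spi if sa else None

    return {
        # A->B forwarded packet: policy selector matches, SA found, ESP applied.
        "transport_out": spi_of(outbound(host_a, host_b, spd_t, sad_t)),
        # ESP reply B->A arrives with dst = host_a, not ours: handler never runs.
        "transport_reply_in": spi_of(inbound(host_a, 0x1002, sad_t, local)),
        # Tunnel mode: outer dst of the reply is the router, so it is handled.
        "tunnel_out": spi_of(outbound(host_a, host_b, spd_u, sad_u)),
        "tunnel_reply_in": spi_of(inbound(router, 0x2002, sad_u, local)),
    }


if __name__ == "__main__":
    for name, spi in demo().items():
        print(f"{name:20s} -> {'SPI 0x%x' % spi if spi else 'not handled'}")
```

The point the model makes is the one in the thread: with a transport-mode policy whose selector covers forwarded addresses, the outbound side works because the SPD lookup is by selector, but the returned ESP packet carries the far host's address as its destination, so on this router it is just another packet to forward and never reaches the ESP handler; only a tunnel-mode SA, whose outer destination is one of the router's own addresses, gets the inbound (dst, SPI) lookup at all.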