Sorry for the noise: the webmail ate my message. Here is the full version:

Hi all,

I set up IPsec between several FreeBSD 11-RELEASE hosts. IKEv2 is managed by security/openiked. I use pf to filter the traffic, and the rulesets include several references to the enc0 pseudo-interface, which allow inbound traffic filtering *after* IPsec decryption. So far, the whole configuration works fine.

I noticed that the enc0 pseudo-interface was not shown in the output of the `ifconfig` command, whereas it is on OpenBSD. AFAIK, the GENERIC kernel does not include the enc pseudo-device, since I could not find a "device enc" line in the kernel config file. The lack of such a device would explain why it is not manageable as a network interface, and why `ifconfig enc0 create` fails.

Yet, it appears that pf is able to handle references to enc(4) in its ruleset even if the kernel does not support it. Is it expected behaviour? Is it safe to use such a configuration on a production machine?

Thanks,

Marin.

On 20 March 2017 at 14:20, "Marin Bernard" wrote:
> Hi all,
>
> I've just set up IPsec between two FreeBSD 11-RELEASE hosts with
> security/openiked.
>
>
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscr...@freebsd.org"