Re: ipsec with ipfw

2017-03-13 Thread Hooman Fazaeli
On 2017-03-13 11:01, Andrey V. Elsukov wrote: On 12.03.2017 00:23, Hooman Fazaeli wrote: Hi, As you know the ipsec/setkey provide limited syntax to define security policies: only a single subnet/host, protocol number and optional port may be used to specify traffic's source and destination. I

Re: ipsec with ipfw

2017-03-13 Thread Andrey V. Elsukov
On 12.03.2017 00:23, Hooman Fazaeli wrote: > Hi, > > As you know the ipsec/setkey provide limited syntax to define security > policies: only a single subnet/host, protocol number and optional port > may be used to specify traffic's source and destination. > > I was thinking about the idea of usin

Re: ipsec with ipfw

2017-03-12 Thread Slawa Olhovchenkov
On Sat, Mar 11, 2017 at 09:53:39PM -0800, Ermal Luçi wrote: > On Sat, Mar 11, 2017 at 2:16 PM, Slawa Olhovchenkov wrote: > > > On Sun, Mar 12, 2017 at 12:53:44AM +0330, Hooman Fazaeli wrote: > > > > > Hi, > > > > > > As you know the ipsec/setkey provide limited syntax to define security > > > po

Re: ipsec with ipfw

2017-03-11 Thread Ermal Luçi
On Sat, Mar 11, 2017 at 2:16 PM, Slawa Olhovchenkov wrote: > On Sun, Mar 12, 2017 at 12:53:44AM +0330, Hooman Fazaeli wrote: > > > Hi, > > > > As you know the ipsec/setkey provide limited syntax to define security > > policies: only a single subnet/host, protocol number and optional port > > may

Re: ipsec with ipfw

2017-03-11 Thread Slawa Olhovchenkov
On Sun, Mar 12, 2017 at 12:53:44AM +0330, Hooman Fazaeli wrote: > Hi, > > As you know the ipsec/setkey provide limited syntax to define security > policies: only a single subnet/host, protocol number and optional port > may be used to specify traffic's source and destination. > > I was thinking
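The limitation quoted throughout the thread above (a setkey spdadd policy carries exactly one source prefix, one destination prefix, an upper-layer protocol and an optional port) means that protecting M local subnets to N remote subnets takes M*N policies per direction. The script below is an added example, not code from any participant in the thread, that generates such a policy set with setkey(8) syntax; the gateway addresses and subnets are assumptions chosen from the RFC 5737/1918 ranges.

```shell
#!/bin/sh
# Added example: expand a (src-list, dst-list) pair into setkey(8) SPD entries.
# spdadd accepts one source prefix and one destination prefix per policy, so
# every combination needs its own line, for each direction.
# Tunnel endpoints below are assumptions (RFC 5737 documentation range).
GW_LOCAL=203.0.113.1
GW_REMOTE=203.0.113.2

# gen_spd SRC_LIST DST_LIST [PROTO]
#   SRC_LIST / DST_LIST: space-separated CIDR prefixes
#   PROTO: upper-layer selector ("any", "tcp", "udp" or a protocol number)
# Emits an 'out' policy and the matching 'in' policy for each (src, dst) pair.
gen_spd() {
    srcs=$1; dsts=$2; proto=${3:-any}
    for s in $srcs; do
        for d in $dsts; do
            # outbound: local subnet -> remote subnet, tunnel local gw -> remote gw
            printf 'spdadd %s %s %s -P out ipsec esp/tunnel/%s-%s/require;\n' \
                "$s" "$d" "$proto" "$GW_LOCAL" "$GW_REMOTE"
            # inbound: remote subnet -> local subnet, tunnel remote gw -> local gw
            printf 'spdadd %s %s %s -P in ipsec esp/tunnel/%s-%s/require;\n' \
                "$d" "$s" "$proto" "$GW_REMOTE" "$GW_LOCAL"
        done
    done
}

# spd_count SRC_LIST DST_LIST: how many policies gen_spd emits (2 * M * N)
spd_count() {
    gen_spd "$1" "$2" any | wc -l | tr -d ' '
}

# Three local subnets to two remote subnets: 12 policies where a single
# firewall-style rule with address lists would express the same selection.
gen_spd "10.0.1.0/24 10.0.2.0/24 10.0.3.0/24" "192.168.10.0/24 192.168.20.0/24" any
```

Feed the output to `setkey -c` (or save it as the `spd` section of setkey.conf); if a port selector is needed it goes in brackets after the prefix, e.g. `10.0.1.0/24[any] 192.168.10.0/24[443] tcp`, and again one value per policy, since spdadd takes no port ranges or lists.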

Re: ipsec with ipfw divert (not NAT) encodes a packet twice breaking PMTUD

2006-09-11 Thread Eugene Grosbein
Kelly Yancey wrote: > Just FYI, when we implemented the enc interface for FreeBSD 4.10 for > one of our products at work, we encountered a similar issue. The > problem is that you need to add a flag to the sockaddr_in passed to the > divert(4) consumer; when that consumer re-injects the packets

Re: ipsec with ipfw divert (not NAT) encodes a packet twice breaking PMTUD

2006-09-11 Thread Julian Elischer
Eugene Grosbein wrote: Submitter-Id: current-users Originator: Eugene Grosbein Organization: Svyaz Service JSC Confidential: no Synopsis: ipsec with ipfw divert (not NAT) encodes a packet twice breaking PMTUD Severity: serious Priority: high Category: kern Clas

Re: ipsec with ipfw divert (not NAT) encodes a packet twice breaking PMTUD

2006-09-11 Thread Kelly Yancey
On Mon, 11 Sep 2006, Eugene Grosbein wrote: > > >Submitter-Id: current-users > >Originator: Eugene Grosbein > >Organization: Svyaz Service JSC > >Confidential: no > >Synopsis: ipsec with ipfw divert (not NAT) encodes a packet twice > >breaking PMTUD > >Severity: seriou