Re: 2.6 native IPsec implementation question
From: Andreas Unterkircher
Date: Tue Nov 16 2004 - 12:50:45 EST
FYI: openswan is working on a rebirth of klips (ipsecX interfaces)
for 2.6 kernels
http://www.openswan.org/
Andi
Am Montag, den 15.11.2004, 14:44 +0100 schrieb Blizbor:
> Greetings,
>
> I hope, this is right place to ask my questions.
>
> 1. Why IPsec in 2.6 doesn't uses separate interface ?
> It makes impossible to implement firewall logic like this (or I'm
> missing something):
>
> incoming from eth0 allow AH
> incoming from eth0 allow ESP
> incoming from eth0 allow udp 500
> incoming from eth0 allow udp 53
> incoming from eth0 allow ICMP related
> incoming from eth0 deny all
>
> then set of filters restricting traffic incoming via IPsec for examle:
> incoming from ipsec0 allow tcp 389
> incoming from ipsec0 allow ICMP related
> incoming from ipsec0 deny all
>
> (please consider roadwarrior client with not known IP address)
>
> 2. Why IPsec in 2.6 doesn't creates entries in the route tables ?
> It's a bit confusing when 'ip route list' doesnt makes you aware that
> some traffic is going somwhere else than defined in route tables.
>
> (you must know that there is IPsec in use on the host, then you are using
> setkey to list rules, and then you must analyse rules to catch routes -
> ugly solution.)
>
>
> Reards,
> Blizbor
> -
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at http://www.tux.org/lkml/
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/