Re: linux-ipsec: Re: tncfg+ifconfig adds a route under 2.2.x

Matthew G. Marsh (mgm@paktronix.com)
Tue, 24 Aug 1999 12:04:51 -0500 (CDT)


On Tue, 24 Aug 1999, Henry Spencer wrote:

> On Tue, 24 Aug 1999, Matthew G. Marsh wrote:
> > > ...The more I beat my head on this stuff, the more it has
> > > to go in favour of the ipchains/netfilter model... <shaking head>
> >
> > That would be preferred. One of the main problems I have with the
> > FreeS/Wan model is the insistence on controlling the route table which is
> > an incorrect way of approaching the problem.
>
> We agree, but the re-engineering of FreeS/WAN to use ipfilter is going to
> take time, and we'd hoped to do an interim release which would work with
> the old mechanism. Doing that on the 2.2 kernels is proving unexpectedly
> difficult.

Not a problem - For the interim just do a:

ifconfig ipsec0 xxx.xxx.xxx.xxx netmask 255.255.255.255 .....

The netmask statement will prevent the kernel from autoadding the route
entry. Then add routes as you see fit.

But PLEASE make this an ugly interim hack anyway.

You should really look at the ip utility references for information on the
new state of policy routing in the 2.(>1) kernels. There is much that will
greatly assist FreeS/Wan to become what its charter wants for it to
become. Using IPIP tunnelling (new_tunnel.c) behind the scenes is very bad
practice. If you can create the ipsec device and use it à la dummy or
ethertap then you can have the entire thing. Backwards compatible simply
creates an ipip tunnel and binds it to the remote, and forwards compatible
includes the ability to define complex routing within the kernel structure
using the already in place structure. You will really want to get Alexey
interested if you want details/guts.

> (It's also not clear that switching to ipchains/ipfilter would solve all
> of Richard's problems. He'd still have the problem of having to fragment
> a packet because it has unexpectedly become too big. [Just cranking down
> the MTU so that such packets do not get sent is not a viable answer, for
> several reasons beyond our control.] However, the circumstances should be
> less constraining.)

Correct. But using an external tunnel system will work somewhat better. Of
course you then need to actually use the ipsec device as ethertap is - a
virtual device for routing purposes. If done carefully you can even use
"real" ip addressing on such a device and thus have AH mode functional.

> Henry Spencer
> henry@spsystems.net
> (henry@zoo.toronto.edu)

Hope this can help...

--------------------------------------------------
Matthew G. Marsh, President
Paktronix Systems LLC
1506 North 59th Street
Omaha NE 68104
Phone: (402) 932-7250
Email: mgm@paktronix.com
WWW: http://www.paktronix.com
--------------------------------------------------
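The interim hack described in the message above, written out as a small shell script. This is an added example, not code from the original post or from FreeS/WAN; the device name (ipsec0), the addresses and the remote subnet are placeholders. The implied_route helper shows why the host netmask works: the interface route the kernel installs is (address AND netmask), and with 255.255.255.255 that collapses to the interface's own address, so nothing is auto-routed through the tunnel device and the routes are added explicitly afterwards.

```sh
#!/bin/sh
# Added example (not from the original post or from FreeS/WAN).
# Interface name, addresses and remote network are placeholders.

# Print the prefix the kernel would auto-add for ADDR/MASK, i.e.
# (addr AND mask). With a 255.255.255.255 mask this is just the
# address itself, so no route to any remote host gets installed.
implied_route() {
    _addr="$1"
    _mask="$2"
    IFS=. read -r a1 a2 a3 a4 <<EOF
$_addr
EOF
    IFS=. read -r m1 m2 m3 m4 <<EOF
$_mask
EOF
    echo "$((a1 & m1)).$((a2 & m2)).$((a3 & m3)).$((a4 & m4))"
}

# Run a command, or only print it when DRY_RUN is set. The real
# commands need root plus a 2.2-era ifconfig and iproute2.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# 1. Configure the tunnel device with a host (/32) netmask so the
#    kernel does not auto-add a network route through it.
# 2. Add the route(s) to the remote side explicitly.
interim_up() {
    _dev="$1"          # e.g. ipsec0 (placeholder)
    _local="$2"        # local tunnel endpoint address (placeholder)
    _remote_net="$3"   # remote subnet reached via the tunnel (placeholder)
    run ifconfig "$_dev" "$_local" netmask 255.255.255.255 up
    run ip route add "$_remote_net" dev "$_dev"
}

# `sh interim.sh demo` prints what would happen without touching the
# routing table.
if [ "${1:-}" = "demo" ]; then
    DRY_RUN=1
    echo "with /24 the kernel auto-adds: $(implied_route 10.1.2.3 255.255.255.0)/24"
    echo "with /32 it auto-adds only:    $(implied_route 10.1.2.3 255.255.255.255)/32"
    interim_up ipsec0 10.1.2.3 192.168.5.0/24
fi
```

Run with the `demo` argument first to see the commands; without DRY_RUN set, interim_up executes them and needs root. The constructed addresses are for illustration only.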

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/