On Monday 15 December 2003 11:55 pm, Sven-Haegar Koch wrote:

> On Mon, 15 Dec 2003, Antony Stone wrote:
> >
> > I have used IPtables + FreeS/WAN a fair amount, and I created a diagram
> > some time ago which showed the (surprisingly complex) route packets take
> > through the system when you have such a combination.
>
> FreeS/WAN is different than the in-kernel IPsec of 2.6.
>
> The in-kernel ipsec does not have an ipsec0 virtual interface, that is
> where the problem comes from - I don't see a way yet to distinguish
> decapsulated ipsec traffic from eth0 to eth1 from raw traffic between the
> two interfaces.

Ah. I have yet to play with the features of 2.6 kernels, therefore I didn't realise that this version of IPsec has such a drawback compared to FreeS/WAN.

It may be that the higher efficiency of the in-kernel version means there is less userspace information available about where packets came from or are going to...

Please let us know if you find a solution to this - I'm sure many of us will encounter this sort of thing in the future once 2.6 becomes standard.

Antony.

-- 
Success is a lousy teacher. It seduces smart people into thinking they can't lose.

 - William H Gates III

Please reply to the list; please don't CC me.
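The thread above leaves the question open. As an added example (not part of the original message or of either poster's setup), the script below shows the mechanism that later iptables/netfilter releases provide for exactly this case: the `policy` match (xt_policy), which tests whether a packet was decapsulated by an IPsec security association (`--pol ipsec`) or arrived in the clear (`--pol none`), so no ipsec0 interface is needed to tell the two apart. The interface names, subnets and the `IPT` wrapper variable are assumptions chosen for illustration; by default the script only prints the rules it would load.

```shell
#!/bin/sh
# Added example, not from the thread. Uses the iptables "policy" match
# to separate IPsec-decapsulated forwards from clear-text forwards on a
# 2.6-style in-kernel IPsec gateway without an ipsec0 interface.
#
# Hypothetical topology (assumption, not from the thread):
#   eth0 = outside interface where ESP arrives, eth1 = protected LAN,
#   10.0.0.0/24 = subnet behind the remote peer, 192.168.1.0/24 = local LAN.
IPT="${IPT:-echo iptables}"   # set IPT=iptables to really load the rules (root)

WAN=eth0
LAN=eth1
REMOTE_NET=10.0.0.0/24
LOCAL_NET=192.168.1.0/24

ipsec_forward_rules() {
    # Packets the kernel just decapsulated from an ESP tunnel-mode SA:
    # these are the "decapsulated ipsec traffic from eth0 to eth1".
    $IPT -A FORWARD -i "$WAN" -o "$LAN" -s "$REMOTE_NET" -d "$LOCAL_NET" \
        -m policy --dir in --pol ipsec --proto esp --mode tunnel -j ACCEPT

    # Same source/destination, same interfaces, but no SA was involved:
    # this is the "raw traffic between the two interfaces" (e.g. spoofed
    # clear-text packets claiming the remote subnet). Log, then drop.
    $IPT -A FORWARD -i "$WAN" -o "$LAN" -s "$REMOTE_NET" -d "$LOCAL_NET" \
        -m policy --dir in --pol none -j LOG --log-prefix "clear-not-ipsec: "
    $IPT -A FORWARD -i "$WAN" -o "$LAN" -s "$REMOTE_NET" -d "$LOCAL_NET" \
        -m policy --dir in --pol none -j DROP

    # Replies from the LAN are only forwarded if an outbound SA will
    # encrypt them on the way out; otherwise they would leave in the clear.
    $IPT -A FORWARD -i "$LAN" -o "$WAN" -s "$LOCAL_NET" -d "$REMOTE_NET" \
        -m policy --dir out --pol ipsec --proto esp --mode tunnel -j ACCEPT
    $IPT -A FORWARD -i "$LAN" -o "$WAN" -s "$LOCAL_NET" -d "$REMOTE_NET" \
        -m policy --dir out --pol none -j DROP
}

ipsec_forward_rules
```

The point of the `--pol none` rules is the one the thread is worried about: without them, a clear-text packet on eth0 that merely claims an address from the tunnel subnet would match the same `-i/-o/-s/-d` rule as genuine tunnel traffic. `--pol ipsec` only matches packets for which the kernel actually found a matching security association, so it is the check that replaces the old "came in on ipsec0" test.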