2.6 native IPsec implementation question

From: Blizbor
Date: Mon Nov 15 2004 - 08:45:59 EST


I hope, this is right place to ask my questions.

1. Why IPsec in 2.6 doesn't uses separate interface ?
It makes impossible to implement firewall logic like this (or I'm missing something):

incoming from eth0 allow AH
incoming from eth0 allow ESP
incoming from eth0 allow udp 500
incoming from eth0 allow udp 53
incoming from eth0 allow ICMP related
incoming from eth0 deny all

then set of filters restricting traffic incoming via IPsec for examle:
incoming from ipsec0 allow tcp 389
incoming from ipsec0 allow ICMP related
incoming from ipsec0 deny all

(please consider roadwarrior client with not known IP address)

2. Why IPsec in 2.6 doesn't creates entries in the route tables ?
It's a bit confusing when 'ip route list' doesnt makes you aware that
some traffic is going somwhere else than defined in route tables.

(you must know that there is IPsec in use on the host, then you are using
setkey to list rules, and then you must analyse rules to catch routes - ugly solution.)

To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/