Re: 2.6 native IPsec implementation question

From: Blizbor
Date: Mon Nov 15 2004 - 09:53:30 EST


;) My question wasn't "how does ipsec rules looks" but "why its implemented such a way".
These almost exactly are rules I want to implement.
But, when you run tcpdump -nni eth0 you can see ESP traffic _and_ one direction of something going through IPsec.
Imagine, that on eth0 five IPsec tunnels are "ended" and only one I wish to allow tcp/389.
It seems not possible to just allow tcp/389 from only one VPN because IP addresses are changing daily
in all 5 remote locations.
Moreover "-i eth0 -j DROP" blocks IPsec traffic ... (or -o eth0 i don't remember direction)


Jan Engelhardt wrote:

2. Why IPsec in 2.6 doesn't creates entries in the route tables ?



Because it doesnot create a device ipsecN?


And thats the issue - WHY it is implemented such a way ?
Which developement considerations caused that choice ?

Regards,
Blizbor

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/