Message-ID: <4198C1A4.8080707@globalintech.pl>
Date: Mon, 15 Nov 2004 15:48:04 +0100
From: Blizbor <kernel@globalintech.pl>
User-Agent: Mozilla Thunderbird 0.6 (Windows/20040502)
MIME-Version: 1.0
To: Jan Engelhardt <jengelh@linux01.gwdg.de>
CC: linux-kernel@vger.kernel.org
Subject: Re: 2.6 native IPsec implementation question
References: <4198B2B6.9050803@globalintech.pl> <Pine.LNX.4.53.0411151455020.17543@yvahk01.tjqt.qr>
In-Reply-To: <Pine.LNX.4.53.0411151455020.17543@yvahk01.tjqt.qr>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Sender: linux-kernel-owner@vger.kernel.org
Content-Length: 1102
Lines: 34

;) My question wasn't "how does ipsec rules looks" but "why its 
implemented such a way".
These almost exactly are rules I want to implement.
But, when you run tcpdump -nni eth0 you can see ESP traffic _and_ one 
direction of something going through IPsec.
Imagine, that on eth0 five IPsec tunnels are "ended" and only one I wish 
to allow tcp/389.
It seems not possible to just allow tcp/389 from only one VPN because IP 
addresses are changing daily
in all 5 remote locations.
Moreover "-i eth0 -j DROP" blocks IPsec traffic ... (or -o eth0 i don't 
remember direction)


Jan Engelhardt wrote:

>>2. Why IPsec in 2.6 doesn't creates entries in the route tables ?
>>    
>>
>
>Because it doesnot create a device ipsecN?
>  
>
And thats the issue - WHY it is implemented such a way ?
Which developement considerations caused that choice ?

Regards,
Blizbor

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/