
Re: Debian VPN IPSEC interface



On Tue, Feb 17, 2009 at 02:04:43PM +0100, Martin Hilpert wrote:
> I need the ipsecX device for doing the routing stuff with quagga and for
> firewall rules

I am not sure about quagga, but I used to use ipsecX for firewall rules as
well; if you check out iptables there are new (old by now?) functions
for picking out ipsec'ed packets.

The simplest is to mark the packet whilst it is encapsulated and restore
the mark once it is unencapsulated.

You can match on policy; there are ways around it.

Note it has been a while since I played with ipsec; the time I was using
it was around the time of freeswan/openswan and the two ipsec stacks.  I
believe the in-kernel stack won, but with the swan userland tools it is much
easier to use.

I had become used to using the ipsecX interfaces, but with a bit of
reading and re-looking at the problem I found that I could do all the stuff
I wanted to with the new tools.

My understanding of the packet path is:

For inbound terminating on this box you see the packet twice, once as an
encrypted packet (presuming you are using that feature) and then once as
an unencrypted packet.

But on the way out you only see the unencrypted packet.


Routing should still be the same though; the encrypted endpoint is
available via the normal NIC interface instead of an ipsecX.  One problem
we faced was with multiple paths (redundant links).

Alex

> 
> -- 
> Martin Hilpert

-- 
"I believe we are called to do the hard work to make our communities and quality of life a better place."

	- George W. Bush
01/05/2005
Collinsville, IL
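The policy-match approach Alex describes above, worked through as an added example (this is not code from the original message or from any Debian package): a small script that emits the iptables rules for one site-to-site tunnel on the in-kernel IPsec stack, using `-m policy` instead of an ipsecX interface. The subnets, the interface name `eth0` and the IKE/NAT-T ports are assumed values for illustration; the function name `ipsec_fw_rules` is mine.

```shell
#!/bin/sh
# Added example (not from the original message): build the iptables rules
# that pick out IPsec-protected traffic with the "policy" match, so a
# firewall written against an ipsecX interface can be ported to the
# in-kernel stack. Subnets, interface name and ports are assumed values.

# Emit the rules for one site-to-site tunnel.
#   $1 = local subnet behind this box        (assumed, e.g. 10.0.0.0/24)
#   $2 = remote subnet behind the far end    (assumed, e.g. 10.0.1.0/24)
#   $3 = interface carrying the ESP packets  (assumed default: eth0)
ipsec_fw_rules() {
    local_net=$1
    remote_net=$2
    wan_if=${3:-eth0}

    # Let the outer protocol in: IKE (500), NAT-T (4500) and ESP itself.
    echo "iptables -A INPUT -i $wan_if -p udp --dport 500 -j ACCEPT"
    echo "iptables -A INPUT -i $wan_if -p udp --dport 4500 -j ACCEPT"
    echo "iptables -A INPUT -i $wan_if -p esp -j ACCEPT"

    # Inbound: the kernel shows the packet twice, first as ESP, then again
    # after decapsulation. '--dir in --pol ipsec' matches only the decrypted
    # pass, which is the one carrying the inner source and destination.
    echo "iptables -A FORWARD -i $wan_if -s $remote_net -d $local_net" \
         "-m policy --dir in --pol ipsec --proto esp -j ACCEPT"
    # The same addresses arriving in the clear did not come through the
    # tunnel (spoofed or misrouted), so refuse them.
    echo "iptables -A FORWARD -i $wan_if -s $remote_net" \
         "-m policy --dir in --pol none -j DROP"

    # Outbound: only the clear-text packet is seen; '--dir out --pol ipsec'
    # matches packets that an SPD entry says will be encrypted on the way out.
    echo "iptables -A FORWARD -o $wan_if -s $local_net -d $remote_net" \
         "-m policy --dir out --pol ipsec --proto esp -j ACCEPT"
    # Never let traffic for the remote subnet leave unencrypted, e.g. while
    # the tunnel is down and the route still points at the outer interface.
    echo "iptables -A FORWARD -o $wan_if -d $remote_net" \
         "-m policy --dir out --pol none -j DROP"
}

# Print the rules by default; pass --apply as the first argument to feed
# them to the shell (needs root). Remaining arguments: local remote iface.
apply=""
if [ "${1:-}" = "--apply" ]; then
    apply=1
    shift
fi
rules=$(ipsec_fw_rules "${1:-10.0.0.0/24}" "${2:-10.0.1.0/24}" "${3:-eth0}")
if [ -n "$apply" ]; then
    echo "$rules" | sh
else
    echo "$rules"
fi
```

The two `--pol none -j DROP` rules are the part an ipsecX-based ruleset usually had for free: with a dedicated interface, clear-text packets could not appear on it, whereas with the in-kernel stack they share the physical NIC and have to be excluded explicitly. `--dir in` is only accepted in PREROUTING, INPUT and FORWARD, and `--dir out` only in POSTROUTING, OUTPUT and FORWARD, so the matches above are placed accordingly.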
