> 
> Should I be able to "tcpdump -i gif0"?  tcpdump indicates it's listening
> on gif0 but I never capture anything.
> 
> My gif's look like this:
> gif0: flags=8091<UP,POINTOPOINT,NOARP,MULTICAST> mtu 1440
>         inet 10.3.1.1 --> 10.3.2.1 netmask 0xffffffff
>         physical address inet 207.76.205.83 --> 207.76.205.115
> 
> My route to 10.3.2/24 is via gif0 (from netstat -nr):
> 10.3.2/24          10.3.2.1           UGSc        0        0     gif0
> 10.3.2.1           10.3.1.1           UH          3      132     gif0
> 
> Using the gifs for a LAN-LAN VPN.  Thanks.

Traffic going over an ESP tunnel never actually transits the tunnel
interface.  In fact, if you arrange to have the right routes installed,
you don't even need the gif interface at all.  From some recent experiments
I've done, the gif interface seems to be used only for:

        - side effect of installed host routes which are needed when
        matching the IPSEC policy specification

        - carrying traffic that isn't matching the IPSEC policy specification
        (if there is any at all)

I found this very counter-intuitive; however, if you do a tcpdump on the
physical interface carrying the tunnel traffic, you'll see that the IPSEC
traffic isn't in an ipip encapsulation at all.

Yes, I found this very counter-intuitive.  From what I can tell, there's
no easy way to do a tcpdump and see the unencrypted traffic as it exits
the IPSEC tunnel.  What I may try next is to specify a transport-mode
IPSEC policy that covers the gif interface tunnel endpoints, but I don't
know if that will work or not.

louie
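
As an added illustration (not from the thread) of why a capture on the physical interface shows ESP rather than ipip: a small Python parser run over two constructed frames that carry the same inner 10.3.1.1 -> 10.3.2.1 packet, one wrapped the way a plain gif tunnel emits it (IP-in-IP, protocol 4) and one the way a tunnel-mode ESP policy emits it (protocol 50). The outer and inner addresses are taken from the quoted ifconfig output; the SPI, sequence number and ciphertext payload are made up.

```python
import socket
import struct

IPPROTO_ICMP = 1
IPPROTO_IPIP = 4    # IP-in-IP: what a plain gif(4) tunnel puts on the wire
IPPROTO_ESP = 50    # IPsec ESP: what a tunnel-mode IPsec policy puts on the wire instead

def ipv4_header(src, dst, proto, payload_len):
    """Build a minimal 20-byte IPv4 header (checksum left 0; constructed test data)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))

def parse_ipv4(pkt):
    """Return (src, dst, proto, payload) for one IPv4 packet."""
    ihl = (pkt[0] & 0x0F) * 4
    return (socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20]), pkt[9], pkt[ihl:])

def describe_outer(frame):
    """Summarise a frame the way a capture on the physical interface would show it."""
    src, dst, proto, body = parse_ipv4(frame)
    if proto == IPPROTO_IPIP:
        # gif encapsulation: the inner packet is in the clear and fully parseable
        isrc, idst, iproto, _ = parse_ipv4(body)
        return {"encap": "ipip", "outer": (src, dst), "inner": (isrc, idst, iproto)}
    if proto == IPPROTO_ESP:
        # ESP: only the SPI and sequence number are visible; the inner packet is ciphertext
        spi, seq = struct.unpack("!II", body[:8])
        return {"encap": "esp", "outer": (src, dst), "spi": spi, "seq": seq}
    return {"encap": "none", "outer": (src, dst), "proto": proto}

# Constructed sample: an ICMP echo request from the gif0 address to its peer.
INNER = ipv4_header("10.3.1.1", "10.3.2.1", IPPROTO_ICMP, 8) + struct.pack("!BBHHH", 8, 0, 0, 1, 1)
OUTER_SRC, OUTER_DST = "207.76.205.83", "207.76.205.115"   # physical addresses from the post

# Frame 1: the packet as gif would emit it, ipip (proto 4) around cleartext IP.
GIF_FRAME = ipv4_header(OUTER_SRC, OUTER_DST, IPPROTO_IPIP, len(INNER)) + INNER
# Frame 2: what tunnel-mode ESP emits instead: ESP header (made-up SPI) plus opaque payload.
ESP_BODY = struct.pack("!II", 0x1000, 1) + bytes(len(INNER))   # zero bytes stand in for ciphertext
ESP_FRAME = ipv4_header(OUTER_SRC, OUTER_DST, IPPROTO_ESP, len(ESP_BODY)) + ESP_BODY

if __name__ == "__main__":
    print(describe_outer(GIF_FRAME))   # inner addresses and protocol recoverable
    print(describe_outer(ESP_FRAME))   # only outer addresses, SPI and sequence number
```

The second frame is what a filter such as `tcpdump -i <physical> esp` on the outer interface matches, and nothing of it is attributed to gif0, which is why the gif capture stays empty when the tunnel-mode policy catches the traffic.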

To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-net" in the body of the message
