On Mon, Jan 29, 2007 at 10:16:47AM -0800, Russell Mitchell wrote:
> I might have expected the traffic to remain encrypted, an effect of the
> policy being 'latched'.
>
> Is this the desired behavior?
Let me quote ipsec(7P)'s /dev/ip ndd parameters:

     icmp_accept_clear_messages

         If equal to 1 (the default), allow certain cleartext icmp
         messages to bypass policy. For ICMP echo requests ("ping"
         messages), protect the response like the request. If zero,
         treat icmp messages like other IP traffic.

We allow cleartext ICMP messages for two big reasons:

1.) Diagnosability with ping(1m). You're seeing this.

2.) ICMP Path MTU messages - VERY useful in VPN settings.

Dan