From owner-freebsd-stable Tue Nov 19 3: 3:43 2002
Delivered-To: freebsd-stable@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 2891B37B404 for ; Tue, 19 Nov 2002 03:03:42 -0800 (PST)
Received: from gvr.gvr.org (gvr.gvr.org [212.61.40.17]) by mx1.FreeBSD.org (Postfix) with ESMTP id 8245A43E6E for ; Tue, 19 Nov 2002 03:03:40 -0800 (PST) (envelope-from guido@gvr.org)
Received: by gvr.gvr.org (Postfix, from userid 657) id AC4D529B; Tue, 19 Nov 2002 12:03:36 +0100 (CET)
Date: Tue, 19 Nov 2002 12:03:36 +0100
From: Guido van Rooij
To: Scott Ullrich
Cc: 'Archie Cobbs' , "'greg.panula@dolaninformation.com'" , David Kelly , FreeBSD-stable@FreeBSD.ORG
Subject: Re: IPsec/gif VPN tunnel packets on wrong NIC in ipfw?
Message-ID: <20021119110336.GA12956@gvr.gvr.org>
References: <2F6DCE1EFAB3BC418B5C324F13934C9601D23C35@exchange.corp.cre8.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <2F6DCE1EFAB3BC418B5C324F13934C9601D23C35@exchange.corp.cre8.com>
Sender: owner-freebsd-stable@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

On Sun, Nov 17, 2002 at 05:44:38PM -0500, Scott Ullrich wrote:
> I have reverted back to revision 1.130.2.39 of ip_input.c and that solved my
> issues!
>
> Guido, I am running IPFW2. If there is anything you need from me to help
> fix this issue, please let me know.
>

I am not convinced that anything needs to be fixed. From reading the thread in -stable, I can not see what you are trying to do.

If you are using gif tunnels for ipsec, where the packets are sent into a gif tunnel and then, using the encapsulated packets, are encrypted, then indeed there is a change. The change is that packets going into, and coming out of, the gif tunnel are from now on filtered as well. And this is exactly what is to be expected.
So you'll need a rule on the physical interface allowing ESP/AH packets and ISAKMP traffic, and on the gif interface you'll need rules for the unencrypted content of the packets.

If you have another setup, please explain how it is set up and I can try to understand if anything is wrong.

-Guido
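
The rule split described in the message above, as an added example that is not part of the original thread or of anyone's actual ruleset: the script prints ipfw commands for review rather than loading them. Interface names, addresses, networks and the `tunnel_rules` helper are all constructed assumptions, and ISAKMP is assumed to use UDP port 500 on both ends.

```sh
#!/bin/sh
# Added example: prints ipfw rules for a gif tunnel protected by IPsec.
# Every name and address below is constructed for illustration.

PHYS_IF="fxp0"            # assumed physical (outside) interface
GIF_IF="gif0"             # assumed tunnel interface
LOCAL_GW="192.0.2.1"      # constructed: this gateway's public address
REMOTE_GW="198.51.100.1"  # constructed: peer gateway's public address
LOCAL_NET="10.1.0.0/24"   # constructed: network behind this gateway
REMOTE_NET="10.2.0.0/24"  # constructed: network behind the peer

# Print one "ipfw add" line and advance the rule number by 10.
emit() {
    echo "ipfw add $n $*"
    n=$((n + 10))
}

# Print the whole rule set; $1 is the first rule number (default 1000).
tunnel_rules() {
    n=${1:-1000}

    # Physical interface: only the encrypted carrier (ESP/AH) between
    # the two gateways, plus ISAKMP key exchange.
    for proto in esp ah; do
        emit "allow $proto from $LOCAL_GW to $REMOTE_GW out via $PHYS_IF"
        emit "allow $proto from $REMOTE_GW to $LOCAL_GW in via $PHYS_IF"
    done
    emit "allow udp from $LOCAL_GW 500 to $REMOTE_GW 500 out via $PHYS_IF"
    emit "allow udp from $REMOTE_GW 500 to $LOCAL_GW 500 in via $PHYS_IF"

    # gif interface: the unencrypted inner packets are filtered here,
    # so the site-to-site policy belongs on this interface.
    emit "allow ip from $LOCAL_NET to $REMOTE_NET out via $GIF_IF"
    emit "allow ip from $REMOTE_NET to $LOCAL_NET in via $GIF_IF"
}

tunnel_rules 1000
```

No rule passes inner-network traffic on the physical interface; plaintext between the two networks is matched only on the gif interface.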