From: "Mitch (bitblock)" <mitch@bitblock.com>
To: peter@sandilands.vu, freebsd-net@freebsd.org
Date: Fri, 30 Jul 2004 10:34:58 -0700
Subject: RE: ipsec packet filtering

> But by adding the following option to the kernel conf file you can get
> the processing path I think you are asking for??
>
> options IPSEC_FILTERGIF (documented in LINT)
>
> This then causes the decrypted packet to be passed thru IPFW again.
>
> Be aware this has significant consequences for where you do NAT in the
> ruleset and requires very careful crafting of the IPFW rules
>
> Pete

OK. Will this allow me to do the following:

    Client 1 <--\
                 FREEBSD ROUTER <----> Internet
    Client 2 <--/

Client 1, although on the same subnet as Client 2, cannot directly connect to Client 2. This is an underlying restriction of the ATM transport of the telco we deal with. No option.

I want to connect Client 1 and Client 2. I can create a VPN from Client 1 to the central router, and from Client 2 to the central router. In the past, I could not route this traffic. Are you saying this should be possible now?

Thanks.

m/
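An added illustration, not from this thread or its authors, of what Pete's warning about NAT placement means for the hub router Mitch describes: an ipfw rule file for a kernel built with `options IPSEC_FILTERGIF`, assuming the decrypted inner packet re-enters ipfw with the gif tunnel interface as its receive interface. The addresses (10.0.1.0/24 for Client 1, 10.0.2.0/24 for Client 2), the interface names (gif0, gif1 tunnels; fxp0 external) and the rule numbers are constructed assumptions.

```conf
# Constructed example for a hub router built with:
#   options IPSEC_FILTERGIF
# Load with: ipfw /etc/ipfw.rules   (interfaces and addresses are assumptions)

# 1. Outer traffic: IKE and ESP between the hub's public address and the spokes.
add 100 allow udp from any 500 to me 500 in recv fxp0
add 110 allow udp from me 500 to any 500 out xmit fxp0
add 120 allow esp from any to me in recv fxp0
add 130 allow esp from me to any out xmit fxp0

# 2. NAT only for packets that really cross the external interface.
#    WRONG: an unrestricted divert also catches the decrypted tunnel packets,
#    which now pass ipfw a second time, and natd rewrites the spokes' traffic:
#      add 200 divert natd ip from any to any
#    RIGHT: bind the divert to the external interface.
add 200 divert natd ip from any to any via fxp0

# 3. Inner traffic, visible only because of IPSEC_FILTERGIF. This is where the
#    hub-and-spoke policy lives: Client 1 and Client 2 cannot reach each other
#    directly, so the hub decides what may be forwarded between the tunnels.
add 300 allow ip from 10.0.1.0/24 to 10.0.2.0/24 in recv gif0
add 310 allow ip from 10.0.2.0/24 to 10.0.1.0/24 in recv gif1
add 320 allow ip from 10.0.1.0/24 to 10.0.2.0/24 out xmit gif1
add 330 allow ip from 10.0.2.0/24 to 10.0.1.0/24 out xmit gif0

# Anything else that surfaces on a tunnel interface is logged and dropped, so an
# unexpected inner address (a misconfigured or compromised spoke) is visible.
add 400 deny log ip from any to any in recv gif0
add 410 deny log ip from any to any in recv gif1

add 65000 deny log ip from any to any
```

Without IPSEC_FILTERGIF only rules 100 through 200 ever see the tunnel traffic, so rules 300 onward never match and the inner packets are forwarded unfiltered; the hub still needs net.inet.ip.forwarding=1 and routes for each client subnet via its gif interface for the forwarding in rules 320 and 330 to occur.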