Date: Tue, 26 Nov 2002 08:37:02 +0200
From: Ari Suutari <ari.suutari@syncrontech.com>
To: Eric Masson <e-masson@kisoft-services.com>
Cc: greg.panula@dolaninformation.com, David Kelly <dkelly@HiWAAY.net>, FreeBSD-stable@FreeBSD.ORG
Subject: Re: IPsec/gif VPN tunnel packets on wrong NIC in ipfw?
Message-ID: <200211260837.02019.ari.suutari@syncrontech.com>
In-Reply-To: <86n0nxsiko.fsf@notbsdems.nantes.kisoft-services.com>
References: <200211142157.57459.dkelly@HiWAAY.net> <200211180854.29349.ari.suutari@syncrontech.com> <86n0nxsiko.fsf@notbsdems.nantes.kisoft-services.com>
Hi,

On Monday 25 November 2002 18:46, Eric Masson wrote:
> In my case, the LAN joined by the VPN uses RFC 1918 addresses, and if I
> want the VPN traffic to flow correctly, I must disable incoming
> RFC 1918 address checking on the external firewall interface. I don't
> think it increases security ;)

True :-(

I used to have a network like this, but we were able to obtain a bunch of public IP addresses, so I didn't think about this.

My problem with the previous solution was that I wasn't able to completely filter traffic flowing from the IPsec tunnel, because detunneled packets arriving at the local node were never passed to ipfw.

Maybe the solution would be to start using gif devices and IPsec transport mode, which would make it possible to filter encrypted and unencrypted packets separately. I haven't tried this, but there seems to be a lot of discussion on it currently.

Ari S.
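The gif-plus-transport-mode layout Ari suggests, written out as an added example (not configuration from the thread's authors). It assumes a FreeBSD gateway whose external interface is fxp0, documentation addresses for both gateways and LANs, racoon handling the keying, and a kernel that actually hands gif0 packets to ipfw, which is the open question of this thread; with DRY_RUN=1 (the default) it only prints what it would apply.

```shell
#!/bin/sh
# Added example: gif tunnel protected by IPsec transport mode, so ipfw sees
# the outer ESP packets on fxp0 and the detunneled packets on gif0 separately.
# All addresses, interface names and the racoon-managed keying are assumed.
EXT_IF=fxp0; LOCAL_GW=203.0.113.1; REMOTE_GW=198.51.100.1
LOCAL_LAN=192.168.1.0/24; REMOTE_LAN=192.168.2.0/24
TUN_LOCAL=192.168.1.1; TUN_REMOTE=192.168.2.1
DRY_RUN=${DRY_RUN:-1}   # 1 = print commands instead of executing them

run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# IP-in-IP tunnel between the gateways; the inner packets appear on gif0.
setup_gif() {
  run ifconfig gif0 create
  run ifconfig gif0 tunnel "$LOCAL_GW" "$REMOTE_GW"
  run ifconfig gif0 inet "$TUN_LOCAL" "$TUN_REMOTE" netmask 255.255.255.255
  run route add -net "$REMOTE_LAN" "$TUN_REMOTE"
}

# SPD: only the gif encapsulation (protocol 4, "ipencap" in /etc/protocols)
# between the gateways is ESP-protected, in transport mode, not tunnel mode.
spd_policy() {
  cat <<EOF
spdadd $LOCAL_GW $REMOTE_GW ipencap -P out ipsec esp/transport//require;
spdadd $REMOTE_GW $LOCAL_GW ipencap -P in ipsec esp/transport//require;
EOF
}

# ipfw: the external interface accepts only IKE and ESP from the peer and
# keeps its RFC 1918 anti-spoof rules; private traffic is allowed on gif0
# only. Unencrypted protocol-4 packets from the outside fall through to the
# default deny (add the site's other outer-interface rules before 190).
ipfw_rules() {
  cat <<EOF
add 100 allow udp from $REMOTE_GW 500 to $LOCAL_GW 500 via $EXT_IF
add 110 allow esp from $REMOTE_GW to $LOCAL_GW via $EXT_IF
add 130 deny ip from 10.0.0.0/8 to any in via $EXT_IF
add 131 deny ip from 172.16.0.0/12 to any in via $EXT_IF
add 132 deny ip from 192.168.0.0/16 to any in via $EXT_IF
add 200 allow ip from $REMOTE_LAN to $LOCAL_LAN in via gif0
add 210 allow ip from $LOCAL_LAN to $REMOTE_LAN out via gif0
add 220 deny log ip from any to any via gif0
EOF
}

apply_all() {
  setup_gif
  spd_policy | run setkey -c           # dry run prints only the command
  ipfw_rules | run ipfw -q /dev/stdin
}
apply_all
```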
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200211260837.02019.ari.suutari>
