Date: Tue, 26 Nov 2002 08:37:02 +0200 From: Ari Suutari <ari.suutari@syncrontech.com> To: Eric Masson <e-masson@kisoft-services.com> Cc: greg.panula@dolaninformation.com, David Kelly <dkelly@HiWAAY.net>, FreeBSD-stable@FreeBSD.ORG Subject: Re: IPsec/gif VPN tunnel packets on wrong NIC in ipfw? Message-ID: <200211260837.02019.ari.suutari@syncrontech.com> In-Reply-To: <86n0nxsiko.fsf@notbsdems.nantes.kisoft-services.com> References: <200211142157.57459.dkelly@HiWAAY.net> <200211180854.29349.ari.suutari@syncrontech.com> <86n0nxsiko.fsf@notbsdems.nantes.kisoft-services.com>
next in thread | previous in thread | raw e-mail | index | archive | help
Hi, On Monday 25 November 2002 18:46, Eric Masson wrote: > In my case, the lan joined by the vpn use rfc1918 adresses, and if I > want the vpn traffic to flow correctly, I must invalidate incoming > rfc1918 address checking on the external firewall interface. I don't > think it increases security ;) =09True :-( I used to have network like this but we were able to =09obtain a bunch of public ip addresses so I didn't think about =09this. My problem with the previous solution was that I wasn't =09able to completely filter traffic flowing from ipsec tunnel because =09detunneled packets arriving to local node were never passed to ipfw. =09Maybe the solution would be to start using gif devides and ipsec =09transport mode, which would make it possible to filter =09encrypted and unencrypted packets separately. I haven't tried =09this but there seems to be a lot of discussion on it currently. =09=09Ari S. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-stable" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200211260837.02019.ari.suutari>