From owner-freebsd-net Fri Sep 21 3:17:21 2001
Delivered-To: freebsd-net@freebsd.org
Received: from day.anthologeek.net (day.anthologeek.net [212.43.217.20]) by hub.freebsd.org (Postfix) with ESMTP id E0E3737B418 for ; Fri, 21 Sep 2001 03:17:18 -0700 (PDT)
Received: by day.anthologeek.net (Postfix, from userid 1000) id 035AD171D4; Fri, 21 Sep 2001 12:16:45 +0200 (CEST)
Date: Fri, 21 Sep 2001 12:16:45 +0200
From: Sameh Ghane
To: freebsd-net@FreeBSD.ORG
Subject: Re: ipfilter and IPSec processing order
Message-ID: <20010921121645.K77863@anthologeek.net>
References: <200109210857.f8L8v0R34477@hak.lan.Awfulhak.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <200109210857.f8L8v0R34477@hak.lan.Awfulhak.org>; from brian@freebsd-services.com on Fri, Sep 21, 2001 at 09:56:58AM +0100
X-PGP-Keys: 0x1289F00D:
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

Le (On) Fri, Sep 21, 2001 at 09:56:58AM +0100, Brian Somers ecrivit (wrote):
> Hi,
>
> I can't answer your question specifically as I've never used
> ipfilter, but it's certainly possible to use natd at the same time as
> IPSEC... the vital thing is to ensure that no traffic is altered by
> both engines.

Hum, do you use ipfw with filtering rules? If so, what is the
processing order between ipfw and ipsec?

> Using a gif tunnel (which you are already) and encrypting only ipencap
> traffic in your spdadd/transport policy should mean that the nat
> engine either sees regular traffic (that should be NATd) or ipencap
> traffic (which shouldn't be NATd, and won't as the src address is the
> gateway address).
>
> So the bit you may be missing is the ``ip4'' bit in the setkey spdadd
> line....

Okay, I patched /usr/src/usr.sbin/setkey and /usr/include/net/pfkeyv2.h,
and now only encapsulated traffic is encrypted/decrypted.

Unfortunately, I still have ipf catching the IPsec packets twice (once
encapsulated, once decapsulated). Grrr. Still trying to get rid of this.

Cheers,
--
Sameh

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message
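The spdadd/transport-policy setup Brian describes above, written out as an added example for this archive (it is not from the thread, from Sameh's patched setup, or from FreeBSD's own documentation): a file to load with `setkey -f`. The gateway addresses 192.0.2.1 (local) and 198.51.100.1 (peer), the SPIs and the keys are constructed placeholders, and the gif tunnel between those two outer addresses is assumed to be configured already, as it is in the original question. The point of the `ip4` upper-layer spec is that only IPv4-in-IPv4 (ipencap) packets between the gateways match the policy, so the NAT engine sees either plain traffic or ipencap traffic, never both for the same packet.

```conf
# Added example: /etc/ipsec.conf for "setkey -f /etc/ipsec.conf".
# Assumptions: 192.0.2.1 is this gateway's outer address, 198.51.100.1 the
# peer gateway's; gif0 already tunnels between them. SPIs and keys are
# constructed placeholders (3des-cbc needs a 24-byte key, hmac-sha1 a 20-byte
# key); replace them with per-installation random keys before use.
flush;
spdflush;

# Manual ESP SAs, one per direction, with integrity protection.
add 192.0.2.1 198.51.100.1 esp 0x10001 -E 3des-cbc "EXAMPLEKEY-24-BYTES-LONG" -A hmac-sha1 "EXAMPLE-AUTH-KEY-20B";
add 198.51.100.1 192.0.2.1 esp 0x10002 -E 3des-cbc "ANOTHER-EXAMPLE-KEY-24BY" -A hmac-sha1 "PEER-AUTH-KEY-20-BYT";

# Transport-mode policy restricted to the ipencap ("ip4") traffic that the
# gif tunnel generates between the two gateway addresses. Ordinary traffic
# leaving the gateway does not match and is left for natd/the filter to handle.
spdadd 192.0.2.1 198.51.100.1 ip4 -P out ipsec esp/transport//require;
spdadd 198.51.100.1 192.0.2.1 ip4 -P in  ipsec esp/transport//require;
```

Load it with `setkey -f /etc/ipsec.conf` on both gateways (with the address pairs swapped on the peer) and check the result with `setkey -D` and `setkey -DP`. One caveat that this thread itself documents: restricting the policy to `ip4` keeps NAT and IPsec from touching the same packet, but it does not change what the packet filter sees. As Sameh reports, ipf still inspects the traffic twice, once as the outer ESP packet between the gateway addresses and once as the decapsulated packet on the tunnel, so the filter rules have to account for both forms.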