From: Eric Masson
To: Ari Suutari
Cc: greg.panula@dolaninformation.com, David Kelly, FreeBSD-stable@FreeBSD.ORG
Subject: Re: IPsec/gif VPN tunnel packets on wrong NIC in ipfw?
Date: Tue, 26 Nov 2002 11:04:00 +0100
Message-ID: <86n0nwr6jz.fsf@notbsdems.nantes.kisoft-services.com>
In-Reply-To: <200211260837.02019.ari.suutari@syncrontech.com> (Ari Suutari's message of "Tue, 26 Nov 2002 08:37:02 +0200")
References: <200211142157.57459.dkelly@HiWAAY.net> <200211180854.29349.ari.suutari@syncrontech.com> <86n0nxsiko.fsf@notbsdems.nantes.kisoft-services.com> <200211260837.02019.ari.suutari@syncrontech.com>
X-Operating-System: FreeBSD 4.7-STABLE i386

>>>>> "Ari" == Ari Suutari writes:

Ari> My problem with the previous solution was that I wasn't able to
Ari> completely filter traffic flowing from the ipsec tunnel because
Ari> detunneled packets arriving at the local node were never passed to
Ari> ipfw.

Ok, this is a real flaw, but I was living with it :)

Ari> Maybe the solution would be to start using gif devices and ipsec
Ari> transport mode, which would make it possible to filter encrypted
Ari> and unencrypted packets separately.

Yes, gifs + ipsec transport would be one solution (with the side effect
of explicit routing tables), but what about an esp interface (or
whatever name) on which detunneled packets would pass?

Eric Masson

-- 
Being new, some terms still escape me. Mail Bombing! What is that? How
do you plant the bomb? And how do you set the timer? What is the range
of the missile?
-+- TIB in : Bien configurer son kernel -+-
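The gif + IPsec transport mode arrangement Ari proposes, written out as an added example (not code from Eric, Ari or the FreeBSD project): the SPD protects only the IP-in-IP packets the gif tunnel emits, so decapsulation still happens in gif and the cleartext packets become filterable "via gif0", which pure tunnel mode did not allow. All addresses, interface names and rule numbers are constructed placeholders; the ifconfig tunnel syntax is that of later releases (4.x used gifconfig(8)).

```shell
#!/bin/sh
# Added example, not from the thread: gif tunnel + IPsec transport mode, so
# decapsulated packets cross gif0 and ipfw sees them. All values constructed.
set -eu

OUTER_IF="fxp0"            # assumed Internet-facing interface
LOCAL_GW="192.0.2.1"       # constructed: this gateway's public address
REMOTE_GW="198.51.100.1"   # constructed: peer gateway's public address
LOCAL_LAN="10.0.1.0/24"    # constructed: network behind this gateway
REMOTE_LAN="10.0.2.0/24"   # constructed: network behind the peer
GIF_LOCAL="10.0.1.1"       # constructed: inner tunnel endpoint addresses
GIF_REMOTE="10.0.2.1"

# Tunnel plus the explicit route the thread mentions as a side effect
# (ifconfig syntax of later releases; FreeBSD 4.x used gifconfig(8)).
gif_setup() {
    cat <<EOF
ifconfig gif0 create
ifconfig gif0 tunnel $LOCAL_GW $REMOTE_GW
ifconfig gif0 inet $GIF_LOCAL $GIF_REMOTE netmask 255.255.255.255
route add -net $REMOTE_LAN $GIF_REMOTE
EOF
}

# setkey(8) SPD: protect only the IP-in-IP (ipencap) packets gif emits, in
# transport mode, so gif still decapsulates and the inner packet hits gif0.
setkey_policy() {
    cat <<EOF
spdadd $LOCAL_GW $REMOTE_GW ipencap -P out ipsec esp/transport//require;
spdadd $REMOTE_GW $LOCAL_GW ipencap -P in ipsec esp/transport//require;
EOF
}

# ipfw(8): the outer interface admits only IKE, ESP and ipencap between the
# two gateways; cleartext leaving the tunnel is filtered "via gif0".
ipfw_rules() {
    cat <<EOF
add 100 allow udp from $REMOTE_GW 500 to $LOCAL_GW 500 via $OUTER_IF
add 101 allow udp from $LOCAL_GW 500 to $REMOTE_GW 500 via $OUTER_IF
add 110 allow esp from $REMOTE_GW to $LOCAL_GW via $OUTER_IF
add 111 allow esp from $LOCAL_GW to $REMOTE_GW via $OUTER_IF
add 120 allow ipencap from $REMOTE_GW to $LOCAL_GW via $OUTER_IF
add 121 allow ipencap from $LOCAL_GW to $REMOTE_GW via $OUTER_IF
add 200 allow tcp from $REMOTE_LAN to $LOCAL_LAN 22,80 in via gif0
add 210 allow ip from $LOCAL_LAN to $REMOTE_LAN out via gif0
add 299 deny log ip from any to any via gif0
EOF
}
# Print everything; on a gateway pipe the three sections into sh, setkey -c, ipfw.
gif_setup; setkey_policy; ipfw_rules
```

Rule 120/121 also covers the decrypted ipencap packet in case the kernel re-evaluates it on the outer interface after ESP processing; everything that matters for the inner traffic lives in the gif0 rules.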