From: Les Biffle
Message-Id: <200208131813.g7DIDiH14643@ns3.safety.net>
Subject: Re: IP routing question
In-Reply-To: <3D59300C.8090906@isi.edu>
To: Lars Eggert
Date: Tue, 13 Aug 2002 11:13:44 -0700 (MST)
Cc: hackers@freebsd.org

(snip)

> You could use the draft-touch-ipsec-vpn-04.txt together with ipfw rules,
> but then you say you don't want to look at IP addresses...

I'm happy to look at outside addresses, just not the ones on the inside.
I would also consider matching up endpoint (VPN gateway or "outside")
address and SPI to know which SA a packet is arriving on, for the
inbound-through-tunnel direction, and then use the vlan interface name
to help select the departing tunnel, if possible.

> So no, I don't see how it can be done under your constraints.

Well, not perhaps without some nethacks in the kernel. I've certainly
done that before, but would prefer something more vanilla.

Thanks,

-Les

--
Les Biffle (480) 585-4099 les@safety.net http://www.les.safety.net/
Network Safety Corp., 5831 E. Dynamite Blvd., Cave Creek, AZ 85331