From: Guido van Rooij <guido@gvr.org>
To: freebsd-net@freebsd.org
Date: Tue, 1 Oct 2002 14:21:30 +0200
Subject: non-transparent IPsec via a tun interface?
Message-ID: <20021001122130.GA14155@gvr.gvr.org>

I have a firewall system that has a dedicated interface on which only IPsec traffic is going out and coming in. The firewall encrypts and decrypts these packets.

I am using IPFilter on that system and I would like to filter on the unencrypted content, both incoming and outgoing. The problem is that on the "IPsec interface" I only see the encrypted traffic.

Is there a way to make IPsec non-transparent? E.g.: have a /dev/tun interface that is the non-encrypted variant of the dedicated IPsec interface? (I route packets into the tun interface and they are encrypted and put out of the real dedicated interface, and vice versa: if IPsec traffic comes into the real interface, it is decrypted and sent through the tunnel.)

-Guido