From owner-freebsd-net Tue Oct 1 6:40:21 2002
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 060EB37B401 for ; Tue, 1 Oct 2002 06:40:20 -0700 (PDT)
Received: from sccrmhc01.attbi.com (sccrmhc01.attbi.com [204.127.202.61]) by mx1.FreeBSD.org (Postfix) with ESMTP id 5B9A843E75 for ; Tue, 1 Oct 2002 06:40:19 -0700 (PDT) (envelope-from julian@elischer.org)
Received: from InterJet.elischer.org ([12.232.206.8]) by sccrmhc01.attbi.com (InterMail vM.4.01.03.27 201-229-121-127-20010626) with ESMTP id <20021001134018.RVNI6431.sccrmhc01.attbi.com@InterJet.elischer.org>; Tue, 1 Oct 2002 13:40:18 +0000
Received: from localhost (localhost.elischer.org [127.0.0.1]) by InterJet.elischer.org (8.9.1a/8.9.1) with ESMTP id GAA86850; Tue, 1 Oct 2002 06:34:30 -0700 (PDT)
Date: Tue, 1 Oct 2002 06:34:29 -0700 (PDT)
From: Julian Elischer
To: Guido van Rooij
Cc: freebsd-net@freebsd.org
Subject: Re: non-transparent IPsec via a tun interface?
In-Reply-To: <20021001122130.GA14155@gvr.gvr.org>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

I have done something similar to this using the GIF interface. Each tunnel between sites had a gif interface, and I firewalled for only ESP packets to and from the correct machines on the external interface, and for correct packets for permitted protocols and ports on the unencrypted data on the gif interfaces.

Since then I have stopped using the gif interfaces and have started tunnelling using mpd across a UDP connection, which in turn is IPsec encrypted. Instead of firewalling on the gif interfaces I now do it on the ng interface. The reason for using mpd is to use multilink PPP for the tunnels.
I have multiple tunnels on different ISPs between sites so that if one ISP gets ill (which happens a bit), the connection suffers a bandwidth degradation but is still usable.

On Tue, 1 Oct 2002, Guido van Rooij wrote:

> I have a firewall system that has a dedicated interface on which only
> IPsec traffic is going out and coming in. The firewall
> encrypts and decrypts these packets.
>
> I am using Ipfilter on that system and I would like to filter on
> the unencrypted content, both incoming and outgoing.
>
> The problem is that on the "IPsec interface" I only see the encrypted
> traffic.
>
> Is there a way to make IPsec be non-transparent?
>
> E.g.: have a /dev/tun interface that is the non-encrypted variant of the
> dedicated IPsec interface? (I route packets into the tun interface
> and they are encrypted and put out of the real dedicated interface,
> and vice versa: if IPsec traffic comes into the real interface, it is
> decrypted and sent through the tunnel.)
>
> -Guido
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-net" in the body of the message
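The layout Julian describes (only ESP between the two gateway addresses on the outside interface, protocol and port rules on the gif interface that carries the decrypted packets), written as an IPFilter ruleset since that is what Guido runs. This is an added example, not code from either poster; the interface names, addresses and ports are constructed placeholders, and the final function is a small audit that counts pass rules on the outside interface that are neither ESP nor IKE.

```shell
#!/bin/sh
# Constructed example: generate an ipf.conf for a gif-over-IPsec gateway.
# Outside interface passes only IKE and ESP between the two gateways;
# the gif interface sees cleartext, so real protocol/port filtering goes there.
# All names and addresses below are placeholders, not from the thread.
EXT_IF="fxp0"            # outside interface: carries only ESP
TUN_IF="gif0"            # gif tunnel: carries the decrypted packets
LOCAL_GW="192.0.2.1"     # our gateway's public address
PEER_GW="198.51.100.1"   # remote gateway's public address
LOCAL_NET="10.1.0.0/16"  # cleartext network behind us
REMOTE_NET="10.2.0.0/16" # cleartext network behind the peer

# Print the ruleset. On the firewall:
#   ipsec_ipf_rules > /etc/ipf.conf && ipf -Fa -f /etc/ipf.conf
ipsec_ipf_rules() {
  cat <<EOF
# --- $EXT_IF: nothing but IKE and ESP between the two gateways ---
pass in quick on $EXT_IF proto udp from $PEER_GW port = 500 to $LOCAL_GW port = 500
pass out quick on $EXT_IF proto udp from $LOCAL_GW port = 500 to $PEER_GW port = 500
pass in quick on $EXT_IF proto esp from $PEER_GW to $LOCAL_GW
pass out quick on $EXT_IF proto esp from $LOCAL_GW to $PEER_GW
block in log quick on $EXT_IF all
block out log quick on $EXT_IF all
# --- $TUN_IF: decrypted traffic, so filter by protocol and port ---
pass in quick on $TUN_IF proto tcp from $REMOTE_NET to $LOCAL_NET port = 22 flags S keep state
pass in quick on $TUN_IF proto tcp from $REMOTE_NET to $LOCAL_NET port = 443 flags S keep state
pass out quick on $TUN_IF proto tcp from $LOCAL_NET to $REMOTE_NET port = 25 flags S keep state
pass in quick on $TUN_IF proto icmp from $REMOTE_NET to $LOCAL_NET icmp-type 8 keep state
block in log quick on $TUN_IF all
block out log quick on $TUN_IF all
EOF
}

# Audit: count pass rules on the outside interface that are neither ESP nor
# IKE. Anything but 0 means cleartext could bypass the gif-side filtering.
ext_cleartext_passes() {
  ipsec_ipf_rules | grep "on $EXT_IF" | grep '^pass' \
    | grep -v 'proto esp' | grep -v 'port = 500' | grep -c . || true
}
```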