Date:      Tue, 1 Oct 2002 06:34:29 -0700 (PDT)
From:      Julian Elischer <julian@elischer.org>
To:        Guido van Rooij <guido@gvr.org>
Cc:        freebsd-net@freebsd.org
Subject:   Re: non-transparent IPsec via a tun interface?
Message-ID:  <Pine.BSF.4.21.0210010627350.84654-100000@InterJet.elischer.org>
In-Reply-To: <20021001122130.GA14155@gvr.gvr.org>

I have done something similar to this using the gif interface.

Each tunnel between sites had a gif interface and I firewalled
for only ESP packets to and from the correct machines on the external
interface, and for correct packets for permitted protocols
and ports on the unencrypted data on the gif interfaces.

Since then I have stopped using the gif interfaces and have started
tunnelling using mpd across a UDP connection, which in turn is IPsec
encrypted. Instead of firewalling on the gif interfaces I now do it on
the ng interface. The reason for using mpd is to use multilink PPP for
the tunnels. I have multiple tunnels on different ISPs between sites
so that if one ISP gets ill (which happens a bit), the connection
suffers a bandwidth degradation but is still usable.



On Tue, 1 Oct 2002, Guido van Rooij wrote:

> I have a firewall system that has a dedicated interface on which only
> IPsec traffic is going out and coming in. The firewall
> encrypts and decrypts these packets.
> 
> I am using IPFilter on that system and I would like to filter on
> the unencrypted content, both incoming and outgoing.
> 
> The problem is that on the "IPsec interface" I only see the encrypted
> traffic.
> 
> Is there a way to make IPsec be non-transparent?
> 
> E.g.: have a /dev/tun interface that is the non-encrypted variant of the
> dedicated IPsec interface? (I route packets into the tun interface
> and they are encrypted and put out of the real dedicated interface,
> and vice versa: if IPsec traffic comes into the real interface, it
> is decrypted and sent through the tunnel)
> 
> -Guido
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-net" in the body of the message
> 
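A ruleset of the shape Julian describes (ESP only between the two gateways on the outside, protocol/port filtering on the gif interface that carries the cleartext), written here as an added example in IPFilter syntax, the filter Guido is using; it is not from either poster. Interface names, addresses, the permitted services and the use of IKE on UDP 500 are assumptions.

```conf
# ipf.conf for a site-to-site gif tunnel protected by IPsec (constructed example)
# Assumed layout: fxp0 = external interface, local gateway 198.51.100.1,
# remote gateway 203.0.113.2; gif0 = tunnel, local LAN 192.168.1.0/24,
# remote LAN 192.168.2.0/24.

# Default deny, logged; "quick" rules below stop evaluation on match.
block in log all
block out log all

# External interface: the only thing allowed is ESP between the two gateways
# (and IKE on UDP 500, only if keys are negotiated rather than set manually).
# The filter matches on addresses only; the peer's identity is proven by IPsec.
pass in  quick on fxp0 proto esp from 203.0.113.2 to 198.51.100.1
pass out quick on fxp0 proto esp from 198.51.100.1 to 203.0.113.2
pass in  quick on fxp0 proto udp from 203.0.113.2 port = 500 to 198.51.100.1 port = 500
pass out quick on fxp0 proto udp from 198.51.100.1 port = 500 to 203.0.113.2 port = 500
block in  log quick on fxp0 all
block out log quick on fxp0 all

# gif0 sees the decrypted packets, so this is where protocol/port policy lives.
# Only SSH and ping are permitted between the two LANs in this example.
pass in  quick on gif0 proto tcp from 192.168.2.0/24 to 192.168.1.0/24 port = 22 flags S keep state
pass out quick on gif0 proto tcp from 192.168.1.0/24 to 192.168.2.0/24 port = 22 flags S keep state
pass in  quick on gif0 proto icmp from 192.168.2.0/24 to 192.168.1.0/24 icmp-type echo keep state
pass out quick on gif0 proto icmp from 192.168.1.0/24 to 192.168.2.0/24 icmp-type echo keep state
# Anything else arriving inside the tunnel is dropped and logged, which is also
# where a misconfigured or compromised remote site shows up first.
block in  log quick on gif0 all
block out log quick on gif0 all
```

Load with `ipf -Fa -f /etc/ipf.conf` and confirm with `ipfstat -io` that the gif0 rules, not the fxp0 ESP rules, are the ones counting the inner traffic.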