From owner-freebsd-net@FreeBSD.ORG Mon Mar 13 13:18:14 2006
X-Original-To: freebsd-net@freebsd.org
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A7D1F16A420 for ; Mon, 13 Mar 2006 13:18:14 +0000 (UTC) (envelope-from vanhu@zeninc.net)
Received: from leia.fdn.fr (ns0.fdn.org [80.67.169.12]) by mx1.FreeBSD.org (Postfix) with ESMTP id 206F443D55 for ; Mon, 13 Mar 2006 13:18:12 +0000 (GMT) (envelope-from vanhu@zeninc.net)
Received: from smtp.zeninc.net (reverse-25.fdn.fr [80.67.176.25]) by leia.fdn.fr (8.13.3/8.13.3/FDN) with ESMTP id k2DDIABj007325 for ; Mon, 13 Mar 2006 14:18:11 +0100
Received: by smtp.zeninc.net (smtpd, from userid 1000) id 0BB4F3F17; Mon, 13 Mar 2006 14:18:05 +0100 (CET)
Date: Mon, 13 Mar 2006 14:18:05 +0100
From: VANHULLEBUS Yvan
To: freebsd-net@freebsd.org
Message-ID: <20060313131804.GA23258@zen.inc>
References: <44156D6C.7050605@servicefactory.se>
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <44156D6C.7050605@servicefactory.se>
User-Agent: All mail clients suck. This one just sucks less.
Subject: Re: IPSec and packet filtering in FreeBSD 6.0
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD
X-List-Received-Date: Mon, 13 Mar 2006 13:18:14 -0000

On Mon, Mar 13, 2006 at 02:02:36PM +0100, Jonas Bülow wrote:
> Hi,

Hi.

[....]

> Running tcpdump on the physical interface towards A, I see the
> encapsulated traffic. Using ipfilter's log option I can see the
> encapsulated traffic and the decapsulated *incoming* traffic. Outgoing
> traffic, to be encapsulated by IPSec/tunnel, is not seen. As a
> consequence it is only possible to filter decapsulated incoming
> traffic.

I have a patch to add some kind of OpenBSD's enc0 interface to filter
incoming IPSec traffic, and to be able to do some tcpdumps for both
incoming/outgoing IPSec traffic.

I still have to do some minor cleanups on it before sending the PR; it
should be done during this week.

[....]

> I've read somewhere on this list IPSec should be on the pfil
> interface. Is someone working in that direction? Is there any other
> plan on changing the integration of IPSec in FreeBSD?

Where did you read this?

Yvan.

-- 
NETASQ - Secure Internet Connectivity
http://www.netasq.com