Date: Tue, 19 Nov 2002 12:03:36 +0100
From: Guido van Rooij <guido@gvr.org>
To: Scott Ullrich <sullrich@CRE8.COM>
Cc: 'Archie Cobbs' <archie@dellroad.org>, "'greg.panula@dolaninformation.com'" <greg.panula@dolaninformation.com>, David Kelly <dkelly@hiwaay.net>, FreeBSD-stable@FreeBSD.ORG
Subject: Re: IPsec/gif VPN tunnel packets on wrong NIC in ipfw?
Message-ID: <20021119110336.GA12956@gvr.gvr.org>
In-Reply-To: <2F6DCE1EFAB3BC418B5C324F13934C9601D23C35@exchange.corp.cre8.com>
References: <2F6DCE1EFAB3BC418B5C324F13934C9601D23C35@exchange.corp.cre8.com>

On Sun, Nov 17, 2002 at 05:44:38PM -0500, Scott Ullrich wrote:
> I have reverted back to revision 1.130.2.39 of ip_input.c and that solved my
> issues!
>
> Guido, I am running IPFW2. If there is anything you need from me to help
> fix this issue, please let me know.
>

I am not convinced that anything needs to be fixed. From reading the thread in -stable, I cannot see what you are trying to do.

If you are using gif tunnels for ipsec, where the packets are sent into a gif tunnel and then, using the encapsulated packets, are encrypted, then indeed there is a change. The change is that packets going into, and coming out of, the gif tunnel are from now on filtered as well. And this is exactly what is to be expected.

So you'll need a rule on the physical interface allowing ESP/AH packets and ISAKMP traffic, and on the gif interface you'll need rules for the unencrypted content of the packets.

If you have another setup, please explain how it is set up and I can try to understand if anything is wrong.

-Guido
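
The rule split described in the message above, sketched as an added example (not part of the original e-mail and not from the FreeBSD project). The interface names, gateway addresses, networks, the `vpn_rules` helper and the final deny rule are assumptions chosen for illustration:

```shell
#!/bin/sh
# Added example: ipfw rules for a gif tunnel protected by IPsec.
# Every interface name and address here is a constructed placeholder.

# Dry run by default: the commands are printed, not executed.
# Set fwcmd=/sbin/ipfw in the environment to apply them.
fwcmd="${fwcmd:-echo ipfw}"

# vpn_rules PHYS_IF GIF_IF LOCAL_GW PEER_GW LOCAL_NET REMOTE_NET
vpn_rules() {
    phys_if=$1 gif_if=$2 local_gw=$3 peer_gw=$4 local_net=$5 remote_net=$6

    # Physical interface: only the encrypted envelope (ESP/AH),
    # and only between the two tunnel endpoints.
    for proto in esp ah; do
        ${fwcmd} add allow ${proto} from ${peer_gw} to ${local_gw} in via ${phys_if}
        ${fwcmd} add allow ${proto} from ${local_gw} to ${peer_gw} out via ${phys_if}
    done

    # Physical interface: ISAKMP key exchange, UDP port 500 on both ends.
    ${fwcmd} add allow udp from ${peer_gw} 500 to ${local_gw} 500 in via ${phys_if}
    ${fwcmd} add allow udp from ${local_gw} 500 to ${peer_gw} 500 out via ${phys_if}

    # gif interface: the unencrypted inner packets, limited to the
    # networks that are supposed to talk through the tunnel.
    ${fwcmd} add allow ip from ${remote_net} to ${local_net} in via ${gif_if}
    ${fwcmd} add allow ip from ${local_net} to ${remote_net} out via ${gif_if}

    # Assumed restrictive policy: anything else on the tunnel is
    # dropped and logged, so unexpected inner traffic is visible.
    ${fwcmd} add deny log ip from any to any via ${gif_if}
}

# Constructed sample values (documentation and private address ranges).
vpn_rules fxp0 gif0 192.0.2.1 198.51.100.1 10.1.0.0/16 10.2.0.0/16
```

Without rule numbers, ipfw appends each rule after the existing ones, so where these land relative to earlier allow or deny rules decides whether they take effect.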