Date:      Tue, 19 Nov 2002 12:03:36 +0100
From:      Guido van Rooij <guido@gvr.org>
To:        Scott Ullrich <sullrich@CRE8.COM>
Cc:        'Archie Cobbs' <archie@dellroad.org>, "'greg.panula@dolaninformation.com'" <greg.panula@dolaninformation.com>, David Kelly <dkelly@hiwaay.net>, FreeBSD-stable@FreeBSD.ORG
Subject:   Re: IPsec/gif VPN tunnel packets on wrong NIC in ipfw?
Message-ID:  <20021119110336.GA12956@gvr.gvr.org>
In-Reply-To: <2F6DCE1EFAB3BC418B5C324F13934C9601D23C35@exchange.corp.cre8.com>
References:  <2F6DCE1EFAB3BC418B5C324F13934C9601D23C35@exchange.corp.cre8.com>

On Sun, Nov 17, 2002 at 05:44:38PM -0500, Scott Ullrich wrote:
> I have reverted back to revision 1.130.2.39 of ip_input.c and that solved my
> issues!
> 
> Guido, I am running IPFW2.  If there is anything you need from me to help
> fix this issue, please let me know.
> 

I am not convinced that anything needs to be fixed.
From reading the thread in -stable, I can not see what you are trying to do.

If you are using gif tunnels for ipsec, where the packets are sent into
a gif tunnel and then, using the encapsulated packets, are encrypted,
then indeed there is a change.
The change is that packets going into, and coming out of, the gif tunnel
are from now on filtered as well. And this is exactly what is to be expected.
So you'll need a rule on the physical interface allowing ESP/AH packets
and ISAKMP traffic, and on the gif interface you'll need rules for the
unencrypted content of the packets.

If you have another setup, please explain how it is set up and I can
try to understand if anything is wrong.

-Guido
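
The rule split described in the message above, written out as a small ipfw rule generator. This is an added example, not part of the original message: the interface names, endpoint addresses, inner networks and rule numbers are constructed placeholders, and it only prints the commands unless IPFW is pointed at the real binary.

```shell
#!/bin/sh
# Added example. Every value below is a constructed placeholder.
PHYS_IF=${PHYS_IF:-fxp0}                # physical (outside) interface
GIF_IF=${GIF_IF:-gif0}                  # tunnel interface
LOCAL_GW=${LOCAL_GW:-192.0.2.1}         # our tunnel endpoint
REMOTE_GW=${REMOTE_GW:-198.51.100.1}    # peer tunnel endpoint
LOCAL_NET=${LOCAL_NET:-10.1.0.0/24}     # network behind us
REMOTE_NET=${REMOTE_NET:-10.2.0.0/24}   # network behind the peer
# Dry run by default: print the commands. Set IPFW=/sbin/ipfw to apply them.
IPFW=${IPFW:-echo ipfw}

# Emit one rule at the current number, then step the counter.
rule() {
    $IPFW add "$n" "$@"
    n=$((n + 10))
}

vpn_rules() {
    n=${1:-1000}    # first rule number (assumed free in the existing ruleset)

    # Physical interface: only the encrypted outer packets between the
    # two tunnel endpoints.
    for proto in esp ah; do
        rule allow "$proto" from "$LOCAL_GW" to "$REMOTE_GW" out via "$PHYS_IF"
        rule allow "$proto" from "$REMOTE_GW" to "$LOCAL_GW" in via "$PHYS_IF"
    done

    # Physical interface: ISAKMP key exchange, UDP port 500 on both ends.
    rule allow udp from "$LOCAL_GW" 500 to "$REMOTE_GW" 500 out via "$PHYS_IF"
    rule allow udp from "$REMOTE_GW" 500 to "$LOCAL_GW" 500 in via "$PHYS_IF"

    # gif interface: the unencrypted inner packets, restricted to the two
    # networks the tunnel is meant to join.
    rule allow ip from "$LOCAL_NET" to "$REMOTE_NET" out via "$GIF_IF"
    rule allow ip from "$REMOTE_NET" to "$LOCAL_NET" in via "$GIF_IF"

    # Anything else entering or leaving the tunnel interface is dropped.
    rule deny ip from any to any via "$GIF_IF"
}

vpn_rules "$@"
```

The final deny only covers the gif interface; what else is allowed on the physical interface is left to the surrounding ruleset.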
