From owner-freebsd-stable  Tue Nov 19 12:23:18 2002
Delivered-To: freebsd-stable@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id A3BF637B401
	for <FreeBSD-stable@FreeBSD.ORG>; Tue, 19 Nov 2002 12:23:16 -0800 (PST)
Received: from gvr.gvr.org (gvr.gvr.org [212.61.40.17])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 9A67743E42
	for <FreeBSD-stable@FreeBSD.ORG>; Tue, 19 Nov 2002 12:23:15 -0800 (PST)
	(envelope-from guido@gvr.org)
Received: by gvr.gvr.org (Postfix, from userid 657)
	id 89EBD29C; Tue, 19 Nov 2002 21:23:13 +0100 (CET)
Date: Tue, 19 Nov 2002 21:23:13 +0100
From: Guido van Rooij <guido@gvr.org>
To: Scott Ullrich <sullrich@CRE8.COM>
Cc: David Kelly <dkelly@hiwaay.net>,
	'Archie Cobbs' <archie@dellroad.org>,
	"'greg.panula@dolaninformation.com'" <greg.panula@dolaninformation.com>,
	FreeBSD-stable@FreeBSD.ORG
Subject: Re: IPsec packets seen on wrong interface by ipfw (was Re: IPsec/ gif VPN tunnel packets on wrong NIC in ipfw?)
Message-ID: <20021119202313.GA44347@gvr.gvr.org>
References: <2F6DCE1EFAB3BC418B5C324F13934C9601D23C62@exchange.corp.cre8.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <2F6DCE1EFAB3BC418B5C324F13934C9601D23C62@exchange.corp.cre8.com>
Sender: owner-freebsd-stable@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-stable.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-stable>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-stable>
X-Loop: FreeBSD.ORG

On Tue, Nov 19, 2002 at 03:15:53PM -0500, Scott Ullrich wrote:
> Thanks for everyone's help with this.  My problem was that I was using
> tunnel instead of transport mode.
> 
> Thanks again to Archie and Guido for their help with this!

You're welcome. I still have to think what is best to do in tunnel mode.

I think having either esp0 as a catch all device, or having a pseudo-interface
per physical interface (e.g. fxp_esp<n> for fxp<n>) is the solution, where
I'd vote for the second one. Reason for that vote: i you only can
filter on esp0 you cant retrieve the original interface and you
might end up having to allow spoofed packets in.

-Guido

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message