From: David Kelly
To: Archie Cobbs, Guido van Rooij
Cc: Archie Cobbs, Scott Ullrich, "'greg.panula@dolaninformation.com'", FreeBSD-stable@FreeBSD.ORG
Subject: Re: IPsec/gif VPN tunnel packets on wrong NIC in ipfw? SOLUTION AND QUESTIONS
Date: Tue, 19 Nov 2002 22:46:31 -0600
Message-Id: <200211192246.31014.dkelly@HiWAAY.net>
In-Reply-To: <200211200348.gAK3mhtT058983@arch20m.dellroad.org>

On Tuesday 19 November 2002 09:48 pm, Archie Cobbs wrote:
[...]
>
> Secondly, is the question of what to do about IPSec tunnel mode.
>
> I vote for creating a new pseudo-interface 'ipsec0'. This interface
> will automatically get created and attached the first time a tunnel
> mode IPSec packet is de-encapsulated and put back on ipintrq.

Think the above is how I'm configured.
Previously a de-encapsulated packet was invisible to ipfw unless it headed out an interface (as will happen when routing between private nets). Those which stopped at the tunnel host were only seen by ipfw in ESP form.

Currently (with -stable) (groan, I smell a pun) the de-encapsulated packets are appearing to ipfw as if they came from the interface they entered when in ESP form. That's fxp1 for me; others reported fxp0.

Mentioned earlier, I think a single esp0 or ipsec0 interface would do nicely for my application, but suspect if one had multiple routes to the same hosts/nets or did any form of load balancing over VPN tunnels that one interface might not be enough.

--
David Kelly N4HHE, dkelly@hiwaay.net
=====================================================================
The human mind ordinarily operates at only ten percent of its capacity
-- the rest is overhead for the operating system.