Date: Tue, 19 Nov 2002 22:46:31 -0600
From: David Kelly <dkelly@HiWAAY.net>
To: Archie Cobbs <archie@dellroad.org>, Guido van Rooij <guido@gvr.org>
Cc: Archie Cobbs <archie@dellroad.org>, Scott Ullrich <sullrich@CRE8.COM>, "'greg.panula@dolaninformation.com'" <greg.panula@dolaninformation.com>, FreeBSD-stable@FreeBSD.ORG
Subject: Re: IPsec/gif VPN tunnel packets on wrong NIC in ipfw? SOLUTION AND QUESTIONS
Message-ID: <200211192246.31014.dkelly@HiWAAY.net>
In-Reply-To: <200211200348.gAK3mhtT058983@arch20m.dellroad.org>
References: <200211200348.gAK3mhtT058983@arch20m.dellroad.org>
On Tuesday 19 November 2002 09:48 pm, Archie Cobbs wrote:
[...]
> > Secondly, is the question of what to do about IPSec tunnel mode.
>
> I vote for creating a new pseudo-interface 'ipsec0'. This interface
> will automatically get created and attached the first time a tunnel
> mode IPSec packet is de-encapsulated and put back on ipintrq.

Think the above is how I'm configured. Previously a de-encapsulated packet was invisible to ipfw unless it headed out an interface (as will happen when routing between private nets). Those which stopped at the tunnel host were only seen by ipfw in ESP form.

Currently (with -stable) (groan, I smell a pun) the de-encapsulated packets are appearing to ipfw as if they came from the interface they entered when in ESP form. That's fxp1 for me; others reported fxp0.

Mentioned earlier I think a single esp0 or ipsec0 interface would do nicely for my application, but suspect if one had multiple routes to the same hosts/nets or did any form of load balancing over VPN tunnels that one interface might not be enough.

--
David Kelly N4HHE, dkelly@hiwaay.net
=====================================================================
The human mind ordinarily operates at only ten percent of its capacity
-- the rest is overhead for the operating system.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message