From owner-freebsd-stable Fri Oct 26 04:24:08 2001
Date: Fri, 26 Oct 2001 13:24:13 +0200
From: Barry Irwin
To: Mike Harding
Cc: vita@fio.cz, stable@freebsd.org
Subject: Re: IPFW/IPSEC/NAT interaction issues with 4.4, Bug ???
Message-ID: <20011026132413.C36954@itouchlabs.com>
References: <20011026021302.5EE59134D2@netcom1.netcom.com>
In-Reply-To: <20011026021302.5EE59134D2@netcom1.netcom.com>; from mvh@ix.netcom.com on Thu, Oct 25, 2001 at 07:13:02PM -0700
User-Agent: Mutt/1.2.5i
Sender: owner-freebsd-stable@FreeBSD.ORG

On Thu 2001-10-25 (19:13), Mike Harding wrote:
> This is a feature - if you don't do this, you can't tell decapsulated
> traffic from raw traffic. That was the old config. If you have a
> router, you can filter on the inside interface. I suggested inserting
> the traffic on a fake interface so you could do more interesting
> things like NAT, better filtering, etc, but some KAME folk seemed to
> get very upset about this, although I couldn't follow the reasoning...

This is rather nasty :< It sort of shoots a hole in my reasoning for using BSD as a VPN gateway, as this causes the tunneling to fail for all our required links. The issue is that it DID work on 4.2! Anyone got a patch to work around this?

Barry

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message