From: Guido van Rooij
To: David Kelly
Cc: "Patrick M. Hausen", Helge Oldach, archie@dellroad.org, sullrich@CRE8.COM, greg.panula@dolaninformation.com, FreeBSD-stable@FreeBSD.ORG
Date: Thu, 21 Nov 2002 17:52:37 +0100
Subject: Re: IPsec/gif VPN tunnel packets on wrong NIC in ipfw? SOLUTION AND QUESTIONS
Message-ID: <20021121165237.GB98848@gvr.gvr.org>
In-Reply-To: <20021121153918.GA58136@grumpy.dyndns.org>
References: <20021121145332.GA57883@grumpy.dyndns.org> <200211211504.gALF4Sej086710@hugo10.ka.punkt.de> <20021121153918.GA58136@grumpy.dyndns.org>

On Thu, Nov 21, 2002 at 09:39:18AM -0600, David Kelly wrote:
> > An esp0 or ipsec0 device would provide the handle ipfw needs.
>
> That is exactly what I wanted to say earlier.

But beware: this is only true in tunnel mode. In transport mode, the KAME stack calls the subprotocol handler directly and, unless you set up your ipsec such that the decrypted packets actually are tunneled packets using a gif interface, you will never be able to catch the packets with a packet filter!

-Guido
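The layout Guido describes, as an added example that is not part of the thread and not anything the posters ran: ESP in tunnel mode protects only the ipencap (IP-in-IP) traffic between two gateways, so after ESP is stripped the remaining ipencap packet is decapsulated by gif0 and the cleartext inner packet crosses ipfw on gif0, where "via gif0" rules can match it. Everything concrete in the script is an assumption: the gateway and subnet addresses are constructed placeholders, the outer NIC is assumed to be fxp0, the `ifconfig gif0 tunnel` syntax is the later FreeBSD form (4.x-era systems used gifconfig(8)), rule numbers are arbitrary, and the UDP/500 rules only matter if IKE (racoon) is used rather than manual keying with setkey. The script prints the configuration by default and only applies it when explicitly run with `apply` as root on a FreeBSD box with IPsec and ipfw in the kernel.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: a FreeBSD IPsec-over-gif
# layout in which the decrypted VPN traffic is handed to gif0 and can
# therefore be matched by ipfw rules "via gif0". All addresses, the outer
# interface name and the rule numbers are constructed placeholders.
LOCAL_GW=192.0.2.1        # our public gateway address (constructed)
REMOTE_GW=198.51.100.1    # peer gateway address (constructed)
LOCAL_NET=10.0.1.0/24     # subnet behind us (constructed)
REMOTE_NET=10.0.2.0/24    # subnet behind the peer (constructed)
GIF_LOCAL=10.255.0.1      # gif0 point-to-point addresses (constructed)
GIF_REMOTE=10.255.0.2
EXT_IF=fxp0               # outer NIC carrying the ESP packets (assumed)

# gif(4): inner packets are IP-in-IP encapsulated (ipencap, protocol 4)
# between the two gateways; the route to the far subnet points into gif0.
gif_cmds() {
    printf 'ifconfig gif0 create\n'
    printf 'ifconfig gif0 tunnel %s %s\n' "$LOCAL_GW" "$REMOTE_GW"
    printf 'ifconfig gif0 inet %s %s netmask 255.255.255.252\n' "$GIF_LOCAL" "$GIF_REMOTE"
    printf 'route add -net %s %s\n' "$REMOTE_NET" "$GIF_REMOTE"
}

# setkey(8) SPD entries: protect only the ipencap traffic between the
# gateways with ESP in tunnel mode. After the stack strips ESP, what is
# left is an ipencap packet, which gif0 decapsulates, so the inner
# 10.0.x.0 packet traverses ipfw on gif0. A plain transport-mode policy
# for TCP/UDP (no gif) would hand the decrypted payload straight to the
# transport protocol, and no "via gif0" rule could ever match it.
spd_policy() {
    printf 'spdadd %s/32 %s/32 ipencap -P out ipsec esp/tunnel/%s-%s/require;\n' \
        "$LOCAL_GW" "$REMOTE_GW" "$LOCAL_GW" "$REMOTE_GW"
    printf 'spdadd %s/32 %s/32 ipencap -P in ipsec esp/tunnel/%s-%s/require;\n' \
        "$REMOTE_GW" "$LOCAL_GW" "$REMOTE_GW" "$LOCAL_GW"
}

# ipfw(8): on the outer NIC only ESP (and IKE, if racoon is used) between
# the gateways is permitted; the cleartext site-to-site traffic is policed
# on gif0, where it is actually visible to the filter.
ipfw_rules() {
    printf 'ipfw add 1000 allow esp from %s to %s via %s\n' "$LOCAL_GW" "$REMOTE_GW" "$EXT_IF"
    printf 'ipfw add 1010 allow esp from %s to %s via %s\n' "$REMOTE_GW" "$LOCAL_GW" "$EXT_IF"
    printf 'ipfw add 1020 allow udp from %s 500 to %s 500 via %s\n' "$LOCAL_GW" "$REMOTE_GW" "$EXT_IF"
    printf 'ipfw add 1030 allow udp from %s 500 to %s 500 via %s\n' "$REMOTE_GW" "$LOCAL_GW" "$EXT_IF"
    printf 'ipfw add 2000 allow ip from %s to %s via gif0\n' "$LOCAL_NET" "$REMOTE_NET"
    printf 'ipfw add 2010 allow ip from %s to %s via gif0\n' "$REMOTE_NET" "$LOCAL_NET"
    printf 'ipfw add 2020 deny log ip from any to any via gif0\n'
}

# Number of rules that only work because the traffic is visible on gif0.
gif_rule_count() {
    ipfw_rules | grep -c 'via gif0'
}

case "${1:-show}" in
    show)  gif_cmds; echo; spd_policy; echo; ipfw_rules ;;
    apply) gif_cmds | sh -e; spd_policy | setkey -c; ipfw_rules | sh -e ;;
    *)     echo "usage: $0 [show|apply]" >&2; exit 2 ;;
esac
```

Run it without arguments to review the generated gif, setkey and ipfw commands; the last rule is the check worth keeping in production, since a logged deny on gif0 is exactly what a transport-mode setup without gif can never give you.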