Date: Wed, 02 Apr 2003 08:35:38 -0800
From: Michael DeMan <michael@staff.openaccess.org>
To: <freebsd-net@freebsd.org>
Subject: IPSEC/IPFILTER, was options FAST_IPSEC & tunnels
Message-ID: <BAB0515A.30A39%michael@staff.openaccess.org>
In-Reply-To: <BAB050EF.30A37%michael@staff.openaccess.org>
Hi, I'm going to jump in here too.

We have an issue where we use IPSec tunneling to wireless clients. Currently we associate two IPs on the external interface, the public one and then the tunneled one. We are, however, forced to use NATD instead of IPFILTER for NAT, because IPFILTER does its NAT work before IPSEC does its work, which breaks the VPN.

I looked in some of the code and saw where IPFILTER is processed before NAT. I am wondering if it would be possible to swap the locations of the chunks of code and get the effect we want: IPSEC before IPFILTER. Is this as easy as it seems, or will there be other troubles? I'm hoping somebody is familiar with this so I can avoid hours of trial and error.

In the ideal world, I would like to be able to specify 'IPSEC before IPFILTER' either in my kernel config or, even better, in rc.conf.

- mike
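The ordering problem Michael describes, as an added illustration (not code from the post or from the FreeBSD kernel): a toy model of the outbound path in which a NAT stage and an IPsec SPD lookup run in either order. Tunnel-mode policy is matched on the packet header as it exists when IPsec sees it, so if NAT has already rewritten the private LAN source to the public address the policy no longer matches and the packet leaves in the clear. All addresses, the network names and the `Packet`/`SPD` structures below are constructed for the example.

```python
"""Toy model of output-path ordering: does IPFILTER-style NAT run before or
after the IPsec SPD lookup?  Every address and data structure here is a
constructed assumption for the example, not FreeBSD's real ip_output code."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# Constructed topology (assumptions, not taken from the post):
LAN_NET     = "192.168.1.0/24"   # wired hosts behind the gateway
CLIENT_NET  = "10.10.0.0/24"     # wireless VPN clients reached through the tunnel
PUBLIC_IP   = "203.0.113.10"     # public address on the external interface
TUNNEL_IP   = "10.10.0.1"        # second ("tunneled") address on that interface
CLIENT_PEER = "198.51.100.7"     # a wireless client's real, routable address


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    inner: Optional["Packet"] = None  # set once tunnel-mode ESP wraps the packet

    @property
    def encrypted(self) -> bool:
        return self.inner is not None


# Security policy database: tunnel LAN<->client traffic between the gateway's
# tunnel address and the client's real address.
SPD = [
    {"src": LAN_NET, "dst": CLIENT_NET, "local": TUNNEL_IP, "remote": CLIENT_PEER},
]


def ipsec_output(pkt: Packet) -> Packet:
    """Tunnel-mode encapsulation if an SPD entry matches the header as it is NOW."""
    if pkt.encrypted:
        return pkt
    for pol in SPD:
        if (ip_address(pkt.src) in ip_network(pol["src"])
                and ip_address(pkt.dst) in ip_network(pol["dst"])):
            # Outer header carries the tunnel endpoints; original packet is payload.
            return Packet(src=pol["local"], dst=pol["remote"], inner=pkt)
    return pkt  # no matching policy: the packet leaves unencrypted


def nat_output(pkt: Packet) -> Packet:
    """IPFILTER-style outbound NAT: rewrite private LAN sources to the public IP."""
    if ip_address(pkt.src) in ip_network(LAN_NET):
        return Packet(src=PUBLIC_IP, dst=pkt.dst, inner=pkt.inner)
    return pkt


STAGES = {"ipsec": ipsec_output, "nat": nat_output}


def send(pkt: Packet, order: Tuple[str, ...]) -> Packet:
    """Run the output stages in the given order and return what hits the wire."""
    for name in order:
        pkt = STAGES[name](pkt)
    return pkt


def describe(order: Tuple[str, ...]) -> Tuple[str, str, bool]:
    """(on-wire src, on-wire dst, encrypted?) for one LAN -> wireless-client packet."""
    out = send(Packet("192.168.1.20", "10.10.0.50"), order)
    return out.src, out.dst, out.encrypted


if __name__ == "__main__":
    for order in (("nat", "ipsec"), ("ipsec", "nat")):
        print(" -> ".join(order), describe(order))
```

With NAT first the SPD lookup sees source 203.0.113.10, matches nothing, and the packet goes out unencrypted to a private destination; with IPsec first the policy matches the original header, the outer tunnel header carries the tunnel endpoints, and NAT then has nothing in the LAN range to rewrite. That is the behaviour difference behind the request to run IPSEC before IPFILTER.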
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?BAB0515A.30A39%michael>