From owner-freebsd-net@FreeBSD.ORG  Wed Apr  2 08:35:39 2003
Return-Path: <owner-freebsd-net@FreeBSD.ORG>
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 4AA7737B401
	for <freebsd-net@freebsd.org>; Wed,  2 Apr 2003 08:35:39 -0800 (PST)
Received: from yama.openaccess.org (ns1.openaccess.org [216.57.214.17])
	by mx1.FreeBSD.org (Postfix) with ESMTP id BD81E43FBF
	for <freebsd-net@freebsd.org>; Wed,  2 Apr 2003 08:35:38 -0800 (PST)
	(envelope-from michael@staff.openaccess.org)
Received: from [192.168.1.2] (mfdAP.bcs.openaccess.org [216.57.214.35])
	by yama.openaccess.org (8.12.3/8.11.6) with ESMTP id h32GG68a086911
	for <freebsd-net@freebsd.org>; Wed, 2 Apr 2003 08:16:07 -0800 (PST)
	(envelope-from michael@staff.openaccess.org)
User-Agent: Microsoft-Entourage/10.0.0.1309
Date: Wed, 02 Apr 2003 08:35:38 -0800
From: Michael DeMan <michael@staff.openaccess.org>
To: <freebsd-net@freebsd.org>
Message-ID: <BAB0515A.30A39%michael@staff.openaccess.org>
In-Reply-To: <BAB050EF.30A37%michael@staff.openaccess.org>
Mime-version: 1.0
Content-type: text/plain; charset="US-ASCII"
Content-transfer-encoding: 7bit
Subject: IPSEC/IPFILTER, was options FAST_IPSEC & tunnels
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
	<mailto:freebsd-net-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-net>
List-Post: <mailto:freebsd-net@freebsd.org>
List-Help: <mailto:freebsd-net-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
	<mailto:freebsd-net-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Apr 2003 16:35:39 -0000

Hi,

I'm going to jump in here too.

We have an issue where we use IPSec tunneling to wireless clients.
Currently we associate two IP on the external interface, the public one and
then tunneled one.

We are however forced to use NATD instead of IPFILTER for NAT because
IPFILTER does its NAT work before IPSEC does its work which breaks the VPN.

I looked in the some of the code and saw where IPFILTER is processed before
NAT.  I am wondering if it would be possible to swap the locations of the
chunks of code and get the effect we want - IPSEC before IPFILTER.

Is this as easy as it seems or will there be other troubles?  I'm hoping
somebody is familiar with this so I can avoid hours of trial and error.

In the ideal world, I would like to be able to specify 'IPSEC before
IPFILTER' either in my kernel config or, even better, in rc.conf

- mike