Date:      Tue, 26 Nov 2002 11:04:00 +0100
From:      Eric Masson <e-masson@kisoft-services.com>
To:        Ari Suutari <ari.suutari@syncrontech.com>
Cc:        greg.panula@dolaninformation.com, David Kelly <dkelly@HiWAAY.net>, FreeBSD-stable@FreeBSD.ORG
Subject:   Re: IPsec/gif VPN tunnel packets on wrong NIC in ipfw?
Message-ID:  <86n0nwr6jz.fsf@notbsdems.nantes.kisoft-services.com>
In-Reply-To: <200211260837.02019.ari.suutari@syncrontech.com> (Ari Suutari's message of "Tue, 26 Nov 2002 08:37:02 +0200")
References:  <200211142157.57459.dkelly@HiWAAY.net> <200211180854.29349.ari.suutari@syncrontech.com> <86n0nxsiko.fsf@notbsdems.nantes.kisoft-services.com> <200211260837.02019.ari.suutari@syncrontech.com>

>>>>> "Ari" == Ari Suutari <ari.suutari@syncrontech.com> writes:

 Ari> My problem with the previous solution was that I wasn't able to
 Ari> completely filter traffic flowing from ipsec tunnel because
 Ari> detunneled packets arriving to local node were never passed to
 Ari> ipfw.

Ok, this is a real flaw, but I was living with it :)

 Ari> Maybe the solution would be to start using gif devices and ipsec
 Ari> transport mode, which would make it possible to filter encrypted
 Ari> and unencrypted packets separately.

Yes, gifs + ipsec transport would be one solution (with the side effect
of explicit routing tables), but what about an esp interface (or
whatever name) on which detunneled packets would pass?

Eric Masson

-- 
 Being new, some terms still escape me. Mail Bombing!
 What's that? How do you plant the bomb? And how do you set the timer?
 What is the missile's range?
 -+-TIB in <http://www.le-gnu.net> : Configuring your kernel properly -+-
