Date: Fri, 21 Sep 2001 12:16:45 +0200
From: Sameh Ghane <sw@anthologeek.net>
To: freebsd-net@FreeBSD.ORG
Subject: Re: ipfilter and IPSec processing order
Message-ID: <20010921121645.K77863@anthologeek.net>
In-Reply-To: <200109210857.f8L8v0R34477@hak.lan.Awfulhak.org>; from brian@freebsd-services.com on Fri, Sep 21, 2001 at 09:56:58AM +0100
References: <sw@anthologeek.net> <200109210857.f8L8v0R34477@hak.lan.Awfulhak.org>
On Fri, Sep 21, 2001 at 09:56:58AM +0100, Brian Somers wrote:
> Hi,
>
> I can't answer your question specifically as I've never used
> ipfilter, but it's certainly possible to use natd at the same time as
> IPSEC... the vital thing is to ensure that no traffic is altered by
> both engines.

Hmm, do you use ipfw with filtering rules? If so, what is the processing order between ipfw and ipsec?

> Using a gif tunnel (which you are already) and encrypting only ipencap
> traffic in your spdadd/transport policy should mean that the nat
> engine either sees regular traffic (that should be NATd) or ipencap
> traffic (which shouldn't be NATd, and won't as the src address is the
> gateway address).
>
> So the bit you may be missing is the ``ip4'' bit in the setkey spdadd
> line....

Okay, I patched /usr/src/usr.sbin/setkey and /usr/include/net/pfkeyv2.h, and now only encapsulated traffic is encrypted/decrypted.

Unfortunately, I still have ipf catching the IPsec packets twice (once encapsulated, once decapsulated). Grrr. Still trying to get rid of this.

Cheers,

--
Sameh

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010921121645.K77863>
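Editor's note: the configuration below is an added example and is not part of the thread or of any poster's setup. It shows the layout Brian describes (a gif tunnel whose IP-in-IP traffic is protected by a transport-mode ESP policy keyed on the `ip4` upperspec, i.e. protocol 4 / ipencap) together with an ipf ruleset that accepts the tunnel traffic in both forms Sameh reports seeing, ESP on the wire and ipencap after decryption. Everything concrete here is assumed for illustration: 192.0.2.1 and 198.51.100.1 as the two gateway addresses, 10.0.0.0/24 and 10.1.0.0/24 as the networks behind them, fxp0 as the outside interface, gif0 as the already-configured tunnel interface, and the SA keys, which are throwaway placeholder bytes and must never be used as real keys.

```conf
# /etc/ipsec.conf  (assumed path; load with: setkey -f /etc/ipsec.conf)
# Added example, not from the thread.  Addresses, SPIs and keys are assumptions.
flush;
spdflush;

# Manually keyed transport-mode SAs between the two gateway addresses.
# 3des-cbc wants a 24-byte key, hmac-sha1 a 20-byte key.  The values below are
# placeholders for this example only; generate real random keys or run racoon.
add 192.0.2.1 198.51.100.1 esp 0x10001 -m transport \
    -E 3des-cbc  0x000102030405060708090a0b0c0d0e0f1011121314151617 \
    -A hmac-sha1 0x0001020304050607080900010203040506070809;
add 198.51.100.1 192.0.2.1 esp 0x10002 -m transport \
    -E 3des-cbc  0x1716151413121110e0f0d0c0b0a090807060504030201000 \
    -A hmac-sha1 0x0908070605040302010009080706050403020100;

# Policy: only protocol 4 (ip4 / ipencap, the gif tunnel's outer packets)
# between the gateways is protected.  Everything else on fxp0 is untouched,
# so natd and ipf see it as ordinary traffic, which is Brian's point.
# "require" on the inbound entry is what makes the kernel reject an ipencap
# packet from the peer that did NOT arrive under ESP; ipf cannot tell the two
# apart once the packet has been decrypted.
spdadd 192.0.2.1 198.51.100.1 ip4 -P out ipsec esp/transport//require;
spdadd 198.51.100.1 192.0.2.1 ip4 -P in  ipsec esp/transport//require;


# /etc/ipf.rules  (assumed path; load with: ipf -Fa -f /etc/ipf.rules)
# Added example, not from the thread.  Interface names are assumptions.
#
# 1. On the wire the tunnel is ESP between the two gateways.
pass in  quick on fxp0 proto esp from 198.51.100.1 to 192.0.2.1
pass out quick on fxp0 proto esp from 192.0.2.1 to 198.51.100.1

# 2. The same packets are also presented to ipf as protocol 4 (ipencap),
#    which is the "second time" Sameh reports.  Both forms are passed in
#    both directions, so the ruleset does not depend on where the filter
#    hook sits relative to IPsec in ip_input/ip_output.  This rule does not
#    authenticate anything by itself; the "require" SPD entry above does.
pass in  quick on fxp0 proto ipencap from 198.51.100.1 to 192.0.2.1
pass out quick on fxp0 proto ipencap from 192.0.2.1 to 198.51.100.1

# 3. The inner (private) traffic is filtered on the tunnel interface.
pass in  quick on gif0 from 10.1.0.0/24 to 10.0.0.0/24 keep state
pass out quick on gif0 from 10.0.0.0/24 to 10.1.0.0/24 keep state

# 4. Nothing else is allowed through the tunnel interface.
block in  log quick on gif0 all
block out log quick on gif0 all

# The remaining rules for ordinary (non-tunnel) traffic on fxp0 go here.
```

Two checks worth doing after loading this: `setkey -DP` should show only the two `ip4` policy entries, so that `tcpdump -i fxp0` shows plain traffic for everything except protocol 4, which appears as ESP; and `ipfstat -io` should show the ESP and ipencap rules both accumulating hits for the same tunnel flow, confirming the double pass is expected behaviour rather than a misconfiguration.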