Date:      Tue, 1 Apr 2003 14:32:38 -0800
From:      "Sam Leffler" <sam@errno.com>
To:        "Lars Eggert" <larse@ISI.EDU>
Cc:        Mailing List FreeBSD Network <freebsd-net@freebsd.org>
Subject:   Re: options FAST_IPSEC & tunnels
Message-ID:  <075f01c2f89e$99dffdf0$52557f42@errno.com>
References:  <86pto6mbxj.fsf@notbsdems.interne.kisoft-services.com><05b901c2f881$67e907f0$52557f42@errno.com> <3E8A1122.5040304@isi.edu>

> On 4/1/2003 11:03 AM, Sam Leffler wrote:
> >
> > Long term, I intend to associate packets with an enc device so
> > there's a way to identify these packets when writing firewall rules.
>
> Alternatively (and already working), you can replace IPsec tunnel mode
> with IPIP (gif) tunnels and transport mode, and then use the gif device
> in your firewall rules.
>
> It doesn't give you the full expressiveness of IPsec selectors, but it's
> good enough for many VPN schemes (and routing works!)

Yes, but for folks that want to use fast ipsec as a plug-compatible
replacement for KAME, having an equivalent facility is important.

I'm actually more interested in the ability to monitor traffic post-IPSEC
processing (e.g. with tcpdump).  But as I said privately to another person,
I haven't decided exactly how to deal with this issue yet.  I watched all
the discussion on this and other mailing lists and when I have time I'll
deal with it.  Someone with time now is free to work on it...

    Sam


