From owner-freebsd-net@FreeBSD.ORG Tue Apr 1 14:32:40 2003
From: "Sam Leffler" <sam@errno.com>
To: "Lars Eggert"
Cc: freebsd-net@freebsd.org (FreeBSD Network Mailing List)
Date: Tue, 1 Apr 2003 14:32:38 -0800
Subject: Re: options FAST_IPSEC & tunnels
Organization: Errno Consulting
Message-ID: <075f01c2f89e$99dffdf0$52557f42@errno.com>
References: <86pto6mbxj.fsf@notbsdems.interne.kisoft-services.com>
 <05b901c2f881$67e907f0$52557f42@errno.com>
 <3E8A1122.5040304@isi.edu>

> On 4/1/2003 11:03 AM, Sam Leffler wrote:
> >
> > Long term, I intend to associate packets with an enc device so
> > there's a way to identify these packets when writing firewall rules.
>
> Alternatively (and already working), you can replace IPsec tunnel mode
> with IPIP (gif) tunnels and transport mode, and then use the gif device
> in your firewall rules.
>
> It doesn't give you the full expressiveness of IPsec selectors, but it's
> good enough for many VPN schemes (and routing works!)

Yes, but for folks that want to use fast ipsec as a plug-compatible
replacement for KAME, having an equivalent facility is important.

I'm actually more interested in the ability to monitor traffic post-IPSEC
processing (e.g. with tcpdump). But as I said privately to another person,
I haven't decided exactly how to deal with this issue yet. I watched all
the discussion on this and other mailing lists and when I have time I'll
deal with it. Someone with time now is free to work on it...

Sam
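The gif-plus-transport-mode arrangement Lars describes, written out as an added FreeBSD example that is not part of the original thread. It assumes ipfw as the firewall, that ESP SAs are supplied by IKE or a manual `setkey add`, and all addresses, the gif0 name and the rule numbers are constructed placeholders.

```shell
#!/bin/sh
# Added example: gif (IPIP) tunnel + IPsec transport mode, with the firewall matching on gif0.
# All addresses, the interface name and rule numbers are constructed placeholders.
LOCAL_GW=192.0.2.1         # this gateway's public address (assumed)
REMOTE_GW=198.51.100.1     # peer gateway's public address (assumed)
LOCAL_NET=10.0.1.0/24      # private network behind this gateway (assumed)
REMOTE_NET=10.0.2.0/24     # private network behind the peer (assumed)
TUN_IF=gif0                # the device the firewall rules will name
# Execute a command, or only print it when DRY_RUN is set, so the plan can be reviewed first.
run() { if [ -n "$DRY_RUN" ]; then echo "$*"; else "$@"; fi; }

# 1. Inner (cleartext) packets ride a gif tunnel between the gateways; gif does the
#    encapsulation that IPsec tunnel mode would otherwise do.
configure_gif_tunnel() {
    run ifconfig "$TUN_IF" create
    run ifconfig "$TUN_IF" tunnel "$LOCAL_GW" "$REMOTE_GW"
    run ifconfig "$TUN_IF" inet 10.0.1.1 10.0.2.1     # inner point-to-point addresses
    run route add -net "$REMOTE_NET" 10.0.2.1         # peer's network is reached via the tunnel
}

# 2. Security policy: only the IPIP carrier packets (ip4) between the gateways need ESP,
#    and because gif already tunnels them, transport mode is enough.
transport_mode_spd() {
    cat <<EOF
spdadd $LOCAL_GW $REMOTE_GW ip4 -P out ipsec esp/transport//require;
spdadd $REMOTE_GW $LOCAL_GW ip4 -P in ipsec esp/transport//require;
EOF
}

# 3. Firewall: decapsulated traffic appears on $TUN_IF, so rules can name the device directly
#    (what tunnel-mode IPsec cannot offer without an enc device). ESP and the IPIP carrier are
#    allowed only between the two gateways; the last rule drops spoofed "remote" traffic that
#    did not arrive through the tunnel.
firewall_rules() {
    cat <<EOF
add 1000 allow ip from $LOCAL_NET to $REMOTE_NET out xmit $TUN_IF
add 1010 allow ip from $REMOTE_NET to $LOCAL_NET in recv $TUN_IF
add 1020 allow esp from $REMOTE_GW to $LOCAL_GW in
add 1030 allow esp from $LOCAL_GW to $REMOTE_GW out
add 1040 allow ipencap from $REMOTE_GW to $LOCAL_GW in
add 1050 allow ipencap from $LOCAL_GW to $REMOTE_GW out
add 1060 deny ip from $REMOTE_NET to any in not recv $TUN_IF
EOF
}

apply_all() {
    configure_gif_tunnel
    if [ -n "$DRY_RUN" ]; then transport_mode_spd; else transport_mode_spd | setkey -c; fi
    firewall_rules | while read -r rule; do run ipfw -q $rule; done   # word-splitting intended
}
case "${1:-}" in --apply) apply_all ;; esac   # as root: sh gif-vpn.sh --apply (DRY_RUN=1 to preview)
```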