Date: Thu, 10 Jul 2003 11:12:49 +0200 (CEST)
From: Christian Kratzer <ck-lists@cksoft.de>
To: Luigi Rizzo <luigi@FreeBSD.org>
Cc: ari.suutari@syncrontech.com
Subject: Re: kern/53624: patches for ipfw2 to support ipsec packet filtering
Message-ID: <20030710110751.L84774@majakka.cksoft.de>
In-Reply-To: <20030706234624.A45394@xorpc.icir.org>
References: <200307070113.h671DPeG082710@freefall.freebsd.org> <3F08DABB.2020509@tenebras.com> <20030706234624.A45394@xorpc.icir.org>

Hi,

On Sun, 6 Jul 2003, Luigi Rizzo wrote:

> On Sun, Jul 06, 2003 at 07:28:11PM -0700, Michael Sierchio wrote:
> > Luigi Rizzo wrote:
> > > Synopsis: patches for ipfw2 to support ipsec packet filtering
> > >
> > > State-Changed-From-To: open->closed
> > > State-Changed-By: luigi
> > > State-Changed-When: Sun Jul 6 18:13:14 PDT 2003
> > > State-Changed-Why:
> > > committed, thanks
> >
> >
> > Question: How does this interact with Sam Leffler's FAST_IPSEC ?
>
> i believe it works in the way you mention.
>
> luigi
>
> > That is, may we instead of
> >
> > options IPFIREWALL
> > options IPSEC
> > options IPSEC_ESP
> > options IPSEC_FILTERGIF
> >
> > do this
> > options IPFIREWALL
> > options FAST_IPSEC
> > options IPSEC_FILTERGIF

We applied the patch to a RELENG_4 system but can't seem to be able to catch packets based on them having ipsec history or not.

We have "options IPSEC_FILTERGIF" and "options IPFW2" in our kernel config.

We currently have an ipsec esp tunnel running between two locations without any gif tunnels.

IPSEC_FILTERGIF seems to be working fine as packets are now being filtered by our ipfw ruleset.

We can't match any packets based on the ipsec or not ipsec flags in ipfw2.

I just wanted to ask if somebody knows the obvious before I start digging my head in the code.

Greetings
Christian

--
CK Software GmbH
Christian Kratzer, Schwarzwaldstr. 31, 71131 Jettingen
Email: ck@cksoft.de
Phone: +49 7452 889-135
Open Software Solutions, Network Security
Fax: +49 7452 889-136
FreeBSD spoken here!