Skip site navigation (1)Skip section navigation (2)
Date:      Mon, 4 Aug 2003 10:29:45 +0300
From:      Ari Suutari <ari.suutari@syncrontech.com>
To:        Christian Kratzer <ck@cksoft.de>, Christian Kratzer <ck-lists@cksoft.de>, Luigi Rizzo <luigi@FreeBSD.org>
Cc:        freebsd-ipfw@FreeBSD.org
Subject:   Re: kern/53624: patches for ipfw2 to support ipsec packet filtering
Message-ID:  <200308041029.45598.ari.suutari@syncrontech.com>
In-Reply-To: <20030710110751.L84774@majakka.cksoft.de>
References:  <200307070113.h671DPeG082710@freefall.freebsd.org> <20030706234624.A45394@xorpc.icir.org> <20030710110751.L84774@majakka.cksoft.de>

Next in thread | Previous in thread | Raw E-Mail | Index | Archive | Help
Hi,

On Thursday 10 July 2003 12:12, Christian Kratzer wrote:
> Hi,
>
> We applied the patch to a RELENG_4 system but can't seem to be able to
> catch packets based on them having ipsec history or not.
>
> We have "options IPSEC_FILTERGIF" and "options IPFW2" in our kernel config.
>
> We currently have an ipsec esp tunnel running between two locations without
> any gif tunnels.  IPSEC_FILTERGIF seems to be working fine as packets are
> now being filtered by our ipfw ruleset.
>
> We can't match any packets based on the ipsec or not ipsec flags in ipfw2.
>
> I just wanted to ask if somebody knows the obvious before I start digging
> my head in the code.

	I did my quick testing on 5.1-RELEASE system, but I cannot really 
	understand why the change wouldn't work on RELENG_4 also.
	It uses only one call which works on RELENG_4 (otherwise a system
	*without* IPSEC_FILTERGIF wouldn't work as expected).

	I have really tested with KAME ipsec. Are you using FAST_IPSEC ?

		Ari S.



Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?200308041029.45598.ari.suutari>