Date:      Tue, 19 Nov 2002 21:23:13 +0100
From:      Guido van Rooij <guido@gvr.org>
To:        Scott Ullrich <sullrich@CRE8.COM>
Cc:        David Kelly <dkelly@hiwaay.net>, 'Archie Cobbs' <archie@dellroad.org>, "'greg.panula@dolaninformation.com'" <greg.panula@dolaninformation.com>, FreeBSD-stable@FreeBSD.ORG
Subject:   Re: IPsec packets seen on wrong interface by ipfw (was Re: IPsec/ gif VPN tunnel packets on wrong NIC in ipfw?)
Message-ID:  <20021119202313.GA44347@gvr.gvr.org>
In-Reply-To: <2F6DCE1EFAB3BC418B5C324F13934C9601D23C62@exchange.corp.cre8.com>
References:  <2F6DCE1EFAB3BC418B5C324F13934C9601D23C62@exchange.corp.cre8.com>

On Tue, Nov 19, 2002 at 03:15:53PM -0500, Scott Ullrich wrote:
> Thanks for everyone's help with this.  My problem was that I was using
> tunnel instead of transport mode.
> 
> Thanks again to Archie and Guido for their help with this!

You're welcome. I still have to think what is best to do in tunnel mode.

I think having either esp0 as a catch all device, or having a pseudo-interface
per physical interface (e.g. fxp_esp<n> for fxp<n>) is the solution, where
I'd vote for the second one. Reason for that vote: if you can only
filter on esp0 you can't retrieve the original interface and you
might end up having to allow spoofed packets in.

-Guido

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message
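The argument above (a single catch-all esp0 loses the ingress interface, while a per-physical-interface pseudo-device keeps it) can be made concrete with a small model of a first-match packet filter. This is an added, constructed example, not code from the thread or from FreeBSD: the interface names fxp0/fxp1, the fxp<n>_esp naming, the address ranges and the rule shape (action, source network, "via" interface) are all assumptions chosen to mirror the mail's reasoning, not ipfw's real syntax or the kernel's real behaviour.

```python
"""Model: why a per-interface ESP pseudo-device preserves anti-spoofing filtering.

Constructed example. Assumptions: fxp0 is the external NIC (the remote VPN
peer's ESP arrives there), fxp1 is the internal LAN NIC (an internal host
also speaks IPsec to the gateway). Tunnel-mode decapsulation hands the inner
packet back to the filter either on a catch-all "esp0" or on "<rcvif>_esp".
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

INTERNAL_NET = ip_network("10.1.0.0/16")  # constructed: LAN behind fxp1
REMOTE_NET = ip_network("10.2.0.0/16")    # constructed: peer site reached via the tunnel


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    rcvif: str  # interface the filter sees the (decapsulated) packet on


@dataclass(frozen=True)
class Rule:
    action: str        # "allow" or "deny"
    src: IPv4Network   # source network the packet must come from
    via: str           # interface name the packet must be seen on


def first_match(rules, pkt):
    """First matching rule decides; no match means deny (default-deny policy)."""
    for r in rules:
        if ip_address(pkt.src) in r.src and r.via == pkt.rcvif:
            return r.action
    return "deny"


def decapsulate(esp_pkt, mode):
    """Return the inner packet as the filter would see it after ESP decapsulation.

    esp_pkt: {"rcvif": outer ingress interface, "inner": (src, dst)}
    mode "catch_all": every inner packet reappears on esp0 (ingress NIC lost)
    mode "per_if":    inner packet reappears on <outer rcvif>_esp (ingress NIC kept)
    """
    inner_src, inner_dst = esp_pkt["inner"]
    rcvif = "esp0" if mode == "catch_all" else f"{esp_pkt['rcvif']}_esp"
    return Packet(inner_src, inner_dst, rcvif)


def ruleset(mode):
    """The tightest ruleset an administrator can write under each model."""
    if mode == "catch_all":
        # Internal hosts' IPsec traffic also lands on esp0, so allowing
        # INTERNAL_NET there is unavoidable; the rule cannot say where it came from.
        return [
            Rule("allow", REMOTE_NET, "esp0"),
            Rule("allow", INTERNAL_NET, "esp0"),
        ]
    return [
        Rule("deny", INTERNAL_NET, "fxp0_esp"),   # anti-spoof: LAN sources never arrive from outside
        Rule("allow", REMOTE_NET, "fxp0_esp"),    # peer site over the tunnel
        Rule("allow", INTERNAL_NET, "fxp1_esp"),  # internal hosts' own IPsec traffic
    ]


# Constructed traffic: two legitimate flows and one inner packet whose source
# claims to be on the LAN although the ESP packet arrived on the external NIC.
TRAFFIC = {
    "legit_remote": {"rcvif": "fxp0", "inner": ("10.2.3.4", "10.1.0.10")},
    "legit_local": {"rcvif": "fxp1", "inner": ("10.1.0.5", "10.1.0.1")},
    "spoofed": {"rcvif": "fxp0", "inner": ("10.1.0.5", "10.1.0.10")},
}


def verdicts(mode):
    """Filter verdict per flow for the given decapsulation model."""
    rules = ruleset(mode)
    return {name: first_match(rules, decapsulate(p, mode)) for name, p in TRAFFIC.items()}


if __name__ == "__main__":
    for mode in ("catch_all", "per_if"):
        print(mode, verdicts(mode))
```

Under "catch_all" all three flows are allowed, including the spoofed one, because the only rule that lets internal hosts' IPsec traffic through also matches a LAN-sourced inner packet that came in on fxp0. Under "per_if" the same legitimate flows pass and the spoofed packet is denied, since the anti-spoof rule can be tied to fxp0_esp.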
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20021119202313.GA44347>