Date:      Thu, 21 Nov 2002 17:52:37 +0100
From:      Guido van Rooij <guido@gvr.org>
To:        David Kelly <dkelly@hiwaay.net>
Cc:        "Patrick M. Hausen" <hausen@punkt.de>, Helge Oldach <freebsd-stable-21nov02@oldach.net>, archie@dellroad.org, sullrich@CRE8.COM, greg.panula@dolaninformation.com, FreeBSD-stable@FreeBSD.ORG
Subject:   Re: IPsec/gif VPN tunnel packets on wrong NIC in ipfw? SOLUTION AND QUESTIONS
Message-ID:  <20021121165237.GB98848@gvr.gvr.org>
In-Reply-To: <20021121153918.GA58136@grumpy.dyndns.org>
References:  <20021121145332.GA57883@grumpy.dyndns.org> <200211211504.gALF4Sej086710@hugo10.ka.punkt.de> <20021121153918.GA58136@grumpy.dyndns.org>

On Thu, Nov 21, 2002 at 09:39:18AM -0600, David Kelly wrote:
> 
> An esp0 or ipsec0 device would provide the handle ipfw needs.
> 

That is exactly what I wanted to say earlier.

But beware: this is only true in tunnel mode.

In transport mode, the KAME stack calls the subprotocol handler
directly and, unless you set up your ipsec such that the decrypted
packets actually are tunneled packets using a gif interface, you will
never be able to catch the packets with a packet filter!

-Guido
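As an added illustration of Guido's point (example configuration written for this page, not taken from the thread; the TEST-NET addresses, the outer interface name fxp0 and the inner 10.0.1.0/24 and 10.0.2.0/24 networks are assumed): the setkey policy for plain transport-mode ESP beside one that applies transport-mode ESP only to a gif tunnel between the same endpoints, plus the ipfw rules keyed on gif0 that can only ever match in the second case. The script only prints the configuration; apply it with `setkey -f`, `sh` and your rc scripts.

```shell
#!/bin/sh
# Assumed addresses and interface names (not from the original message).
LOCAL_OUTER=192.0.2.1;  PEER_OUTER=198.51.100.1   # public tunnel endpoints
LOCAL_INNER=10.0.1.1;   PEER_INNER=10.0.2.1       # gif point-to-point addresses
OUT_IF=fxp0                                       # physical interface

# Variant A: plain transport mode. After ESP decapsulation the KAME stack
# hands the payload straight to the TCP/UDP input routine; it never passes
# an interface again, so no ipfw rule can refer to the cleartext.
transport_only_policy() {
  cat <<EOF
spdadd $LOCAL_OUTER $PEER_OUTER any -P out ipsec esp/transport//require;
spdadd $PEER_OUTER $LOCAL_OUTER any -P in  ipsec esp/transport//require;
EOF
}

# Variant B: the cleartext travels inside a gif tunnel (IP proto 4, "ip4"
# in setkey) and only that encapsulation is protected by transport-mode ESP.
# After decryption the inner packet is delivered via gif0, which gives ipfw
# an interface name to match on.
gif_over_transport_policy() {
  cat <<EOF
spdadd $LOCAL_OUTER $PEER_OUTER ip4 -P out ipsec esp/transport//require;
spdadd $PEER_OUTER $LOCAL_OUTER ip4 -P in  ipsec esp/transport//require;
EOF
}

# gif interface for variant B ("ifconfig gif0 create" assumes a cloning-capable
# release; on older kernels gif0 comes from the pseudo-device line instead).
gif_setup() {
  cat <<EOF
ifconfig gif0 create
ifconfig gif0 tunnel $LOCAL_OUTER $PEER_OUTER
ifconfig gif0 inet $LOCAL_INNER $PEER_INNER netmask 255.255.255.255
route add -net 10.0.2.0/24 $PEER_INNER
EOF
}

# ipfw rules: the ESP rules on $OUT_IF match in both variants; the gif0 rules
# see decrypted traffic only in variant B.
ipfw_rules() {
  cat <<EOF
ipfw add 1000 allow esp from $PEER_OUTER to $LOCAL_OUTER in via $OUT_IF
ipfw add 1010 allow esp from $LOCAL_OUTER to $PEER_OUTER out via $OUT_IF
ipfw add 2000 allow tcp from 10.0.2.0/24 to 10.0.1.0/24 22 in via gif0
ipfw add 2010 deny log ip from any to any in via gif0
EOF
}
```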
