Date:      Tue, 5 Aug 2003 14:56:11 +0300
From:      Ari Suutari <ari.suutari@syncrontech.com>
To:        Christian Kratzer <ck@cksoft.de>, Christian Kratzer <ck-lists@cksoft.de>, Luigi Rizzo <luigi@FreeBSD.org>
Cc:        freebsd-ipfw@FreeBSD.org
Subject:   Re: kern/53624: patches for ipfw2 to support ipsec packet filtering
Message-ID:  <200308051456.11854.ari.suutari@syncrontech.com>
In-Reply-To: <20030805125910.Y22923@majakka.cksoft.de>
References:  <200307070113.h671DPeG082710@freefall.freebsd.org> <20030805034145.B49439@xorpc.icir.org> <20030805125910.Y22923@majakka.cksoft.de>

Hi,

On Tuesday 05 August 2003 14:22, Christian Kratzer wrote:
>
> Case1 (this is working)
> -----------------------
> This is working fine with

	Good.

> Case2:
> ------
>
> The problem with this seemed to be that outgoing packets would pass through
> the divert rules before having ipsec applied if originating from the local
> host. Also returning packets did not always get tagged early enough.
>

	Since the packets pass through ipfw both encrypted and unencrypted,
	I think the flow is something like:

	outgoing packets:

	ipfw 	-> natd(does NAT) 
		-> ipfw 
		-> ipsec (encrypts)
		-> ipfw 
		-> natd(DOES nothing) 
		-> ipfw
		-> network

	incoming packets:

	network	-> ipfw
			-> natd(does nothing)
			-> ipfw
			-> ipsec(decrypts)
			-> ipfw
			-> natd(does NAT)
			-> ipfw
			-> to rest of network stack

	This is how I *think* it works. I'm not very, very
	sure. I have one test box running which does
	nat before ipsec tunnel and it works correctly.

		Ari S.
