Date: Tue, 5 Aug 2003 14:56:11 +0300 From: Ari Suutari <ari.suutari@syncrontech.com> To: Christian Kratzer <ck@cksoft.de>, Christian Kratzer <ck-lists@cksoft.de>, Luigi Rizzo <luigi@FreeBSD.org> Cc: freebsd-ipfw@FreeBSD.org Subject: Re: kern/53624: patches for ipfw2 to support ipsec packet filtering Message-ID: <200308051456.11854.ari.suutari@syncrontech.com> In-Reply-To: <20030805125910.Y22923@majakka.cksoft.de> References: <200307070113.h671DPeG082710@freefall.freebsd.org> <20030805034145.B49439@xorpc.icir.org> <20030805125910.Y22923@majakka.cksoft.de>
Hi,

On Tuesday 05 August 2003 14:22, Christian Kratzer wrote:
>
> Case1 (this is working)
> -----------------------
> This is working fine with

Good.

> Case2:
> ------
>
> The problem with this seemed to be that outgoing packets would pass through
> the divert rules before having ipsec applied if originating from the local
> host. Also returning packets did not always get tagged early enough.
>

Since the packets pass through ipfw both encrypted and unencrypted,
I think the flow is something like:

outgoing packets:

ipfw -> natd(does NAT) -> ipfw -> ipsec (encrypts) -> ipfw -> natd(DOES nothing) -> ipfw -> network

incoming packets:

network -> ipfw -> natd(does nothing) -> ipfw -> ipsec(decrypts) -> ipfw -> natd(does NAT) -> ipfw -> to rest of network stack

This is how I *think* it works. I'm not very, very sure. I have one test box
running which does nat before ipsec tunnel and it works correctly.

	Ari S.
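A small model of the traversal order sketched in the message above, added here as an example (it is not code from this thread or from FreeBSD). The stage lists are transcribed from the message, and the ipsec_history flag is an assumption about what an ipfw rule could test after the packet leaves the ipsec stage; neither is verified against the kernel.

```python
from dataclasses import dataclass, replace
from typing import Callable, List


@dataclass(frozen=True)
class View:
    """What an ipfw rule can observe on one pass of a packet through ipfw."""
    direction: str       # "out" or "in"
    ipfw_pass: int       # 1-based count of this packet's trips through ipfw
    encrypted: bool      # payload is currently wrapped by ipsec
    natted: bool         # natd has already rewritten the addresses
    ipsec_history: bool  # packet already came out of ipsec decryption
                         # (assumed: what an ipsec match option would test)


# Stage order transcribed from the message: "ipfw" is an observation point,
# every other entry transforms the packet (or, for natd:none, leaves it alone).
OUTGOING = ["ipfw", "natd:nat", "ipfw", "ipsec:encrypt", "ipfw", "natd:none", "ipfw"]
INCOMING = ["ipfw", "natd:none", "ipfw", "ipsec:decrypt", "ipfw", "natd:nat", "ipfw"]


def walk(direction: str) -> List[View]:
    """Return one View per ipfw pass for a packet in the given direction."""
    stages = OUTGOING if direction == "out" else INCOMING
    # An incoming packet arrives from the network still encrypted.
    state = View(direction, 0, encrypted=(direction == "in"),
                 natted=False, ipsec_history=False)
    views: List[View] = []
    for stage in stages:
        if stage == "ipfw":
            state = replace(state, ipfw_pass=state.ipfw_pass + 1)
            views.append(state)
        elif stage == "natd:nat":
            state = replace(state, natted=True)
        elif stage == "ipsec:encrypt":
            state = replace(state, encrypted=True)
        elif stage == "ipsec:decrypt":
            state = replace(state, encrypted=False, ipsec_history=True)
    return views


def passes_matching(direction: str, rule: Callable[[View], bool]) -> List[int]:
    """Which ipfw passes a rule with the given match predicate would fire on."""
    return [v.ipfw_pass for v in walk(direction) if rule(v)]
```

In this model `passes_matching("in", lambda v: v.ipsec_history)` returns `[3, 4]`: an incoming packet can only be recognised as having come through ipsec on the two passes after decryption, which is where the "tagged early enough" problem in the quoted text shows up.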