Date:      Thu, 10 Jul 2003 11:12:49 +0200 (CEST)
From:      Christian Kratzer <ck-lists@cksoft.de>
To:        Luigi Rizzo <luigi@FreeBSD.org>
Cc:        ari.suutari@syncrontech.com
Subject:   Re: kern/53624: patches for ipfw2 to support ipsec packet filtering
Message-ID:  <20030710110751.L84774@majakka.cksoft.de>
In-Reply-To: <20030706234624.A45394@xorpc.icir.org>
References:  <200307070113.h671DPeG082710@freefall.freebsd.org> <3F08DABB.2020509@tenebras.com> <20030706234624.A45394@xorpc.icir.org>

Hi,

On Sun, 6 Jul 2003, Luigi Rizzo wrote:

> On Sun, Jul 06, 2003 at 07:28:11PM -0700, Michael Sierchio wrote:
> > Luigi Rizzo wrote:
> > > Synopsis: patches for ipfw2 to support ipsec packet filtering
> > >
> > > State-Changed-From-To: open->closed
> > > State-Changed-By: luigi
> > > State-Changed-When: Sun Jul 6 18:13:14 PDT 2003
> > > State-Changed-Why:
> > > committed, thanks
> >
> >
> > Question: How does this interact with Sam Leffler's FAST_IPSEC ?
>
> I believe it works in the way you mention.
>
> 	luigi
>
> > That is, may we instead of
> >
> > 	options IPFIREWALL
> > 	options IPSEC
> > 	options IPSEC_ESP
> > 	options IPSEC_FILTERGIF
> >
> > do this
> > 	options IPFIREWALL
> > 	options FAST_IPSEC
> > 	options IPSEC_FILTERGIF

We applied the patch to a RELENG_4 system but can't seem to be able to
catch packets based on them having ipsec history or not.

We have "options IPSEC_FILTERGIF" and "options IPFW2" in our kernel config.

We currently have an ipsec esp tunnel running between two locations without
any gif tunnels.  IPSEC_FILTERGIF seems to be working fine as packets are
now being filtered by our ipfw ruleset.

We can't match any packets based on the ipsec or not ipsec flags in ipfw2.

I just wanted to ask if somebody knows the obvious before I start digging
my head in the code.

Greetings
Christian

-- 
CK Software GmbH
Christian Kratzer,         Schwarzwaldstr. 31, 71131 Jettingen
Email: ck@cksoft.de
Phone: +49 7452 889-135    Open Software Solutions, Network Security
Fax:   +49 7452 889-136    FreeBSD spoken here!


