kern/53624: patches for ipfw2 to support ipsec packet filtering
Ari Suutari
ari.suutari at syncrontech.com
Tue Aug 5 04:56:23 PDT 2003
Hi,
On Tuesday 05 August 2003 14:22, Christian Kratzer wrote:
>
> Case1 (this is working)
> -----------------------
> This is working fine with
Good.
> Case2:
> ------
>
> The problem with this seemed to be that outgoing packets would pass through
> the divert rules before having ipsec applied if originating from the local
> host. Also returning packets did not always get tagged early enough.
>
Since the packets pass through ipfw both encrypted and unencrypted,
I think the flow is something like:
outgoing packets:
    ipfw -> natd (does NAT)
         -> ipfw
         -> ipsec (encrypts)
         -> ipfw
         -> natd (does nothing)
         -> ipfw
         -> network
incoming packets:
    network -> ipfw
            -> natd (does nothing)
            -> ipfw
            -> ipsec (decrypts)
            -> ipfw
            -> natd (does NAT)
            -> ipfw
            -> rest of network stack
This is how I *think* it works. I'm not very, very sure. I have one test box
running which does NAT before the IPsec tunnel and it works correctly.
Ari S.
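As an added illustration of the traversal order Ari lays out above (this is not code from the thread and not the ipfw2 patch itself), the model below runs a packet through ipfw -> natd -> ipfw -> ipsec -> ipfw -> natd -> ipfw in both directions and records what each stage does. The addresses, the natd state table, the tunnel-mode IPsec stand-in and the two rule sets are constructed assumptions; `ipsec_history` is a flag the model sets when the decrypt stage has touched a packet, so a rule can tell the post-decrypt ipfw pass from the earlier ones.

```python
from dataclasses import dataclass, replace
from typing import Optional

# Every address below is a constructed assumption for this model.
OUTSIDE_ADDR = "203.0.113.1"   # public address natd translates inside hosts to
INSIDE_NET = "192.168.1."      # private network behind the gateway
PEER_GW = "198.51.100.1"       # remote IPsec tunnel endpoint


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                          # "tcp", "udp" or "esp"
    inner: Optional["Packet"] = None    # plaintext carried inside an ESP packet
    ipsec_history: bool = False         # set once the IPsec layer decapsulated it


class Natd:
    """Minimal natd: rewrites private sources outbound, reverses them inbound."""

    def __init__(self):
        self.table = {}   # (proto, remote address) -> original private source

    def process(self, pkt, direction):
        if pkt.proto == "esp":
            return pkt, "does nothing"    # natd cannot look inside ESP
        if direction == "out" and pkt.src.startswith(INSIDE_NET):
            self.table[(pkt.proto, pkt.dst)] = pkt.src
            return replace(pkt, src=OUTSIDE_ADDR), "does NAT"
        if direction == "in" and pkt.dst == OUTSIDE_ADDR:
            orig = self.table.get((pkt.proto, pkt.src))
            if orig is not None:
                return replace(pkt, dst=orig), "does NAT"
        return pkt, "does nothing"


def ipsec(pkt, direction):
    """Tunnel-mode IPsec stand-in: wrap plaintext outbound, unwrap ESP inbound."""
    if direction == "out" and pkt.proto != "esp":
        return Packet(OUTSIDE_ADDR, PEER_GW, "esp", inner=pkt), "encrypts"
    if direction == "in" and pkt.proto == "esp":
        return replace(pkt.inner, ipsec_history=True), "decrypts"
    return pkt, "passes"


def ipfw(pkt, rules):
    """First matching rule wins; rules are (predicate, action) pairs."""
    for match, action in rules:
        if match(pkt):
            return action
    return "deny"   # assumed default-deny tail of the ruleset


def traverse(pkt, direction, rules, natd):
    """ipfw -> natd -> ipfw -> ipsec -> ipfw -> natd -> ipfw, as in the mail.

    Returns (trace, final packet or None if denied); each trace entry is
    (stage, protocol seen, ipsec_history flag, what the stage did).
    """
    trace = []
    for stage in ("natd", "ipsec", "natd"):
        action = ipfw(pkt, rules)
        trace.append(("ipfw", pkt.proto, pkt.ipsec_history, action))
        if action == "deny":
            return trace, None
        if stage == "natd":   # natd only runs when ipfw actually diverted
            pkt, note = natd.process(pkt, direction) if action == "divert" else (pkt, "skipped")
        else:
            pkt, note = ipsec(pkt, direction)
        trace.append((stage, pkt.proto, pkt.ipsec_history, note))
    action = ipfw(pkt, rules)
    trace.append(("ipfw", pkt.proto, pkt.ipsec_history, action))
    return trace, (pkt if action != "deny" else None)


def is_esp(p):
    return p.proto == "esp"


def any_ip(p):
    return True


# Naive: divert everything to natd.  Bypass: let ESP skip the divert so natd
# only ever sees plaintext (the "does nothing" trips disappear).
RULES_NAIVE = [(any_ip, "divert")]
RULES_ESP_BYPASS = [(is_esp, "allow"), (any_ip, "divert")]


def notes(trace):
    return [entry[3] for entry in trace]


def demo(rules):
    """Outbound TCP from an inside host, then the peer's ESP-wrapped reply."""
    natd = Natd()
    out_trace, out_pkt = traverse(Packet(INSIDE_NET + "10", "10.0.0.5", "tcp"), "out", rules, natd)
    reply = Packet(PEER_GW, OUTSIDE_ADDR, "esp", inner=Packet("10.0.0.5", OUTSIDE_ADDR, "tcp"))
    in_trace, in_pkt = traverse(reply, "in", rules, natd)
    return out_trace, out_pkt, in_trace, in_pkt


if __name__ == "__main__":
    for name, rules in (("naive", RULES_NAIVE), ("esp bypass", RULES_ESP_BYPASS)):
        out_trace, out_pkt, in_trace, in_pkt = demo(rules)
        print(name)
        for entry in out_trace + in_trace:
            print("  ", entry)
        print("  delivered to", in_pkt.dst)
```

Running it shows the point of the order: outbound, natd translates on the first divert while the packet is still plaintext and sees only ESP on the second; inbound, `ipsec_history` is False on every ipfw pass before the decrypt stage and True after it, so a rule keyed on that flag can only match the packet after it has left the tunnel, which is the "tagged early enough" question in the quoted report.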