IPSEC/IPFILTER, was options FAST_IPSEC & tunnels
Michael DeMan
michael at staff.openaccess.org
Wed Apr 2 08:35:39 PST 2003
Hi,
I'm going to jump in here too.
We have an issue where we use IPSec tunneling to wireless clients.
Currently we associate two IPs on the external interface, the public one and
then the tunneled one.
We are however forced to use NATD instead of IPFILTER for NAT because
IPFILTER does its NAT work before IPSEC does its work which breaks the VPN.
I looked in some of the code and saw where IPFILTER is processed before
NAT. I am wondering if it would be possible to swap the locations of the
chunks of code and get the effect we want - IPSEC before IPFILTER.
Is this as easy as it seems or will there be other troubles? I'm hoping
somebody is familiar with this so I can avoid hours of trial and error.
In the ideal world, I would like to be able to specify 'IPSEC before
IPFILTER' either in my kernel config or, even better, in rc.conf.
- mike
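The ordering problem described above, as an added illustration that is not part of the original post or of FreeBSD's code: a toy outbound pipeline in which the IPsec policy selector is keyed on the tunnel address, so running the NAT map first rewrites the source and the policy no longer matches. All addresses, the policy and the NAT rule are constructed, and modelling NAT as a source rewrite that runs before the SPD lookup is an assumption about the mechanism.

```python
"""Toy model of why NAT-before-IPsec breaks a tunnel (constructed example)."""
from dataclasses import dataclass, replace

# Constructed addresses: the gateway has a public address and a tunnel
# address on its external interface; the wireless client is in the tunnel net.
PUBLIC_IP = "203.0.113.10"
TUNNEL_IP = "10.8.0.1"
CLIENT_IP = "10.8.0.50"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    esp: bool = False  # True once IPsec has wrapped the packet in ESP


# Security policy database (constructed): tunnel-address -> client must use ESP.
SPD = [((TUNNEL_IP, CLIENT_IP), "esp-required")]


def ipsec_out(pkt: Packet) -> Packet:
    """SPD lookup on the outbound packet: a matching selector means ESP."""
    for (src, dst), action in SPD:
        if (pkt.src, pkt.dst) == (src, dst) and action == "esp-required":
            return replace(pkt, esp=True)
    return pkt  # no policy matched: the packet leaves in the clear


def nat_out(pkt: Packet) -> Packet:
    """IPFILTER-style outbound map: rewrite a private cleartext source."""
    if pkt.src.startswith("10.") and not pkt.esp:
        return replace(pkt, src=PUBLIC_IP)
    return pkt


def send(pkt: Packet, ipsec_first: bool) -> Packet:
    """Run the packet through the two stages in the requested order."""
    stages = [ipsec_out, nat_out] if ipsec_first else [nat_out, ipsec_out]
    for stage in stages:
        pkt = stage(pkt)
    return pkt


if __name__ == "__main__":
    p = Packet(TUNNEL_IP, CLIENT_IP)
    print("NAT first  :", send(p, ipsec_first=False))  # esp=False: VPN bypassed
    print("IPsec first:", send(p, ipsec_first=True))   # esp=True: tunnelled
```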