Re: Consolidating KAME SPD rules and IPFW / IPfilter.

2001-04-08 Thread itojun


> To which I can only say that in the IPv4 world and VPN, NAT is almost
> mandatory. For me, using NAT allows me to set up VPN-specific
> routing for my special project within a corporate network without
> bothering the network administrator with using FreeBSD instead of
> their Cisco stuff for routing. FreeBSD/KAME needs NAT to allow
> it to be used in production environments today. NAT comes with
> IPFW, which is where the circle closes.

as mentioned before, there was a discussion about this on one of the FreeBSD
mailing lists.  there was a proposed patch just like the one below
(the following patch works only for the latest KAME tree, not for the
FreeBSD tree).
http://www.kame.net/dev/cvsweb.cgi/kame/freebsd4/sys/netinet/ip_input.c.diff?r1=1.16r2=1.17

the patch tries to do the following; i have no environment to test it.
http://www.netbsd.org/Documentation/network/ipsec/#ipf-interaction

itojun

-
The IPv6 Users Mailing List
Unsubscribe by sending "unsubscribe users" to [EMAIL PROTECTED]



Re: Consolidating KAME SPD rules and IPFW / IPfilter.

2001-04-08 Thread itojun

> I am tempted to "outsource" the IPsec functionality away from the
> kernel using a daemon on a divert socket, just like NATD. This would
> be more modular and keeps the kernel from panicking because of bugs
> in IPsec -- I did have embarrassing kernel crashes, just when I bragged
> about FreeBSD running rock solid :0(.

checking - did you have kernel panics in the kernel IPsec code (then pls
send-pr), or are you just talking about an example?

itojun
