Guillaume Lécroart wrote:
> Hi,
>
> The problem here is how to identify the IPSec traffic. I implemented
> this long ago, where IPSec traffic would come out of an "ipsecxxx"
> interface, which was really easy for adding a '-i ipsecxxx' iptables rule.
> In the newer implementation of FreeSWan/OpenSWan, this behaviour has
> changed, since the IPSec traffic is still reported as coming from the
> physical interface. I found out that I could use the "policy matching"
> netfilter module, but this is not included in 2.4.27-2 (and possibly
> not in 2.6.10, since I couldn't find any ipt_policy.ko in
> /lib/modules/2.6.10-1-686).
>
> Is there another way of matching the IPSec traffic?
> Have I no other solution than building a custom kernel?
I know that the latest openswan has new support for KLIPS (ipsecX interfaces) on 2.6, but that would involve rebuilding the kernel or waiting until sarge includes it. And it's marked as experimental.

I've found a couple of docs describing how to set iptables up for your scenario using --mark.

http://www.jasons.org/howto/118/
http://www.cornelius.demon.co.uk/IPSEC-FW.html

hth
- --
/phil
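As an added example (not part of either message above, and not taken from the linked howtos), here is a rule generator that spells out both approaches for a 2.6 kernel using the native IPsec stack, where decrypted packets reappear on the physical interface: a policy-match variant for kernels that have ipt_policy, and a --mark variant for those that don't. The interface name, subnets and mark value are placeholder assumptions; the --mark variant also assumes, as the howtos do, that the skb mark set on the outer ESP (or ESP-in-UDP) packet survives decapsulation so the inner packet can be matched with -m mark. By default the script only prints the rules (IPT is set to "echo iptables"); run it as root with IPT=iptables to apply them.

```shell
#!/bin/sh
# Added example: emit iptables rules that identify IPsec-decapsulated traffic
# on a 2.6 native-IPsec host that has no ipsecX interface.
# All names/addresses below are placeholder assumptions, not values from the thread.
IPT="${IPT:-echo iptables}"                # set IPT=iptables (as root) to apply
EXT_IF="${EXT_IF:-eth0}"                  # physical interface the tunnel terminates on
REMOTE_NET="${REMOTE_NET:-10.1.0.0/16}"   # subnet behind the IPsec peer (assumed)
LOCAL_NET="${LOCAL_NET:-192.168.0.0/24}"  # our protected subnet (assumed)
IPSEC_MARK="${IPSEC_MARK:-0x50}"          # arbitrary fwmark reserved for IPsec

# Variant 1: policy match (ipt_policy), for kernels that ship the module.
# This is the precise option: it checks both directions against the SPD.
rules_policy_match() {
    # IKE and the outer ESP packets are addressed to this host itself.
    $IPT -A INPUT -i "$EXT_IF" -p udp -m multiport --dports 500,4500 -j ACCEPT
    $IPT -A INPUT -i "$EXT_IF" -p esp -j ACCEPT
    # Inner packets that really came out of an ESP SA from the peer.
    $IPT -A FORWARD -i "$EXT_IF" -m policy --dir in --pol ipsec --proto esp \
         -s "$REMOTE_NET" -d "$LOCAL_NET" -j ACCEPT
    # Only let LOCAL_NET -> REMOTE_NET out if it is going to be encrypted.
    $IPT -A FORWARD -o "$EXT_IF" -m policy --dir out --pol ipsec --proto esp \
         -s "$LOCAL_NET" -d "$REMOTE_NET" -j ACCEPT
    # Anything else claiming REMOTE_NET as source arrived in the clear: spoofed.
    $IPT -A FORWARD -i "$EXT_IF" -s "$REMOTE_NET" -j DROP
}

# Variant 2: --mark, for kernels without ipt_policy (the question's 2.6.10).
# Assumption: the fwmark set on the outer packet in mangle/PREROUTING is kept
# on the decapsulated inner packet, so the filter table can recognise it.
# Limitation: this only covers the inbound direction; there is no equivalent
# of "--dir out", so outbound plaintext leakage is not caught by this variant.
rules_mark() {
    # Mark the outer packets as they arrive: raw ESP, and ESP-in-UDP for NAT-T.
    $IPT -t mangle -A PREROUTING -i "$EXT_IF" -p esp -j MARK --set-mark "$IPSEC_MARK"
    $IPT -t mangle -A PREROUTING -i "$EXT_IF" -p udp --dport 4500 -j MARK --set-mark "$IPSEC_MARK"
    # IKE and the outer ESP packets reach the host itself.
    $IPT -A INPUT -i "$EXT_IF" -p udp -m multiport --dports 500,4500 -j ACCEPT
    $IPT -A INPUT -i "$EXT_IF" -p esp -j ACCEPT
    # The decapsulated inner packet re-enters from EXT_IF still carrying the mark.
    $IPT -A FORWARD -i "$EXT_IF" -m mark --mark "$IPSEC_MARK" \
         -s "$REMOTE_NET" -d "$LOCAL_NET" -j ACCEPT
    # Unmarked packets with a REMOTE_NET source never passed through ESP: spoofed.
    $IPT -A FORWARD -i "$EXT_IF" -s "$REMOTE_NET" -j DROP
}

# Usage: ./ipsec-rules.sh [policy|mark]   (default: mark)
case "${1:-mark}" in
    policy) rules_policy_match ;;
    mark)   rules_mark ;;
    *)      echo "usage: $0 [policy|mark]" >&2; exit 2 ;;
esac
```

Whichever variant you use, the final DROP is the part that actually enforces anything: without it, a plaintext packet with a forged REMOTE_NET source address would be accepted by an ordinary `-s $REMOTE_NET` rule exactly as if it had come through the tunnel. Prefer the policy-match rules as soon as your kernel has ipt_policy; the mark trick is a stand-in that depends on mark preservation in the IPsec stack and cannot express the outbound check.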

