On Fri, Sep 21, 2001 at 09:56:58AM +0100, Brian Somers wrote:
> Hi,
>
> I can't answer your question specifically as I've never used
> ipfilter, but it's certainly possible to use natd at the same time as
> IPSEC... the vital thing is to ensure that no traffic is altered by
> both engines.
Hmm, do you use ipfw with filtering rules? If so, what is the processing order
between ipfw and ipsec?
> Using a gif tunnel (which you are already) and encrypting only ipencap
> traffic in your spdadd/transport policy should mean that the nat
> engine either sees regular traffic (that should be NATd) or ipencap
> traffic (which shouldn't be NATd, and won't as the src address is the
> gateway address).
>
> So the bit you may be missing is the ``ip4'' bit in the setkey spdadd
> line....
Okay, I patched /usr/src/usr.sbin/setkey and /usr/include/net/pfkeyv2.h, and now
only encapsulated traffic is encrypted/decrypted.
Unfortunately, I still have ipf catching the IPsec packets twice (once
encapsulated, once decapsulated).
Grrr. Still trying to get rid of this.
Cheers,
--
Sameh
To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-net" in the body of the message
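As an added illustration of the policy Brian describes (not a file from the thread or from FreeBSD itself), here is a setkey(8) policy file that restricts ESP to the IP-in-IP traffic of the gif tunnel; the gateway addresses 203.0.113.1 (local) and 198.51.100.1 (peer) are constructed placeholders.

```conf
# Constructed setkey(8) policy file, e.g. /etc/ipsec.conf loaded with
# "setkey -f /etc/ipsec.conf". 203.0.113.1 is this gateway's public address,
# 198.51.100.1 the peer gateway's; the gif tunnel runs between those two.
flush;
spdflush;

# Only protocol 4 (the "ip4" upperspec: IP-in-IP, i.e. the ipencap packets the
# gif tunnel emits) between the two gateway addresses must go through ESP in
# transport mode. Everything else, including the LAN traffic that natd
# rewrites, matches no policy and is never touched by the IPsec engine, so no
# packet is altered by both natd and IPsec.
spdadd 203.0.113.1/32 198.51.100.1/32 ip4 -P out ipsec
        esp/transport//require;
spdadd 198.51.100.1/32 203.0.113.1/32 ip4 -P in ipsec
        esp/transport//require;

# The matching SAs are negotiated by racoon (or added here with "add" lines);
# they are deliberately left out of this example.
```

After loading, `setkey -DP` should list exactly these two entries with `ip4` as the upper-layer selector; a policy showing `any` there is the symptom of the missing ``ip4'' bit, because it would pull the NATd LAN traffic into IPsec as well.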