On Tue, Nov 19, 2002 at 10:11:29AM -0600, David Kelly wrote:
>
> Once the ipsec history is removed from the packet then how/what/where is
> the packet tagged as having come from? In my case it appears to have

It is tagged as any other packet.

> retained properties of the ESP packet it was encased within. Don't
> really know as I don't have multiple interfaces with ESP packets. The
> system is in production so I can't casually swap interfaces to verify.
>
> At some point since early October when this system was previously
> updated these IPsec packets started appearing on the wrong interface in
> ipfw. Currently only one end of my link is updated, the other end is
> running with the same configuration it has used for the past 9 months.
> With configured (but apparently unused) gif and everything.

What do you mean with wrong interface?

What I did was remove the ipsec history check in ip_input(). What happens in your case is that IP packets come in, are fed into ipfw, then they are decrypted in esp_input() and then fed into the ip subprotocol directly from esp_input(). The code I removed only appears in the first call to ip_input(), but the code would not have any effect in that case. The only way that this removal could have an effect is when esp_input() called xxx_input() which in turn calls ip_input() again. Since you are not using a tunneling device, this does not happen.

-Guido
