On 7/26/06, Gustavo Rios <[EMAIL PROTECTED]> wrote:
> # Pass encrypted traffic to/from security gateways
> pass in proto esp from $GATEWAY_B to $GATEWAY_A
> pass out proto esp from $GATEWAY_A to $GATEWAY_B
>
> In the last two lines above, if I wanted to specify the interface, which of enc0 or $ext_if should I use?
$ext_if, given the following rationale: Your external interface will see the packets with ESP payload coming from / going to the other gateway(s). Inbound, these packets require processing; outbound, they are the result of processing. Your external interface cannot - unless you do *very* unwise things - see the internals of those packets; that's what your enc(4) interfaces can help you with.
From enc(4):
"The enc interface allows an administrator to see outgoing packets before they have been processed by ipsec(4), or incoming packets after they have been similarly processed, via tcpdump(8)."

Cheers,
Rogier
-- 
If you don't know where you're going, any road will get you there.
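As an added illustration (not part of Rogier's reply or of Gustavo's ruleset), here is a pf.conf fragment that applies the distinction above: the ESP packets (and the IKE exchange that sets them up) are filtered on $ext_if, while the cleartext that the gateway decrypts or is about to encrypt is filtered on enc0. The interface name, the gateway addresses and the protected networks are assumed values chosen for the example.

```pf
# Constructed example, not from the original thread. All names and addresses are assumed.
ext_if    = "em0"
GATEWAY_A = "192.0.2.1"       # this gateway's public address
GATEWAY_B = "198.51.100.1"    # the remote gateway's public address
NET_A     = "10.1.0.0/16"     # network behind gateway A
NET_B     = "10.2.0.0/16"     # network behind gateway B

# What $ext_if sees: the encrypted ESP packets between the two gateways,
# plus the IKE negotiation (UDP 500, and 4500 when NAT traversal is in use).
pass in  on $ext_if proto udp from $GATEWAY_B to $GATEWAY_A port { 500, 4500 }
pass out on $ext_if proto udp from $GATEWAY_A to $GATEWAY_B port { 500, 4500 }
pass in  on $ext_if proto esp from $GATEWAY_B to $GATEWAY_A
pass out on $ext_if proto esp from $GATEWAY_A to $GATEWAY_B

# What enc0 sees: incoming packets after ipsec(4) has decrypted them, and
# outgoing packets before it encrypts them. For a tunnel-mode SA the
# gateway-to-gateway IP-in-IP (ipencap) wrapper is visible here as well,
# so allow it explicitly, then filter the inner traffic by network.
pass in  on enc0 proto ipencap from $GATEWAY_B to $GATEWAY_A keep state (if-bound)
pass out on enc0 proto ipencap from $GATEWAY_A to $GATEWAY_B keep state (if-bound)
pass in  on enc0 from $NET_B to $NET_A keep state (if-bound)
pass out on enc0 from $NET_A to $NET_B keep state (if-bound)
```

The enc0 rules are the place to express policy on the protected traffic (which hosts and ports behind the tunnel may talk), because on $ext_if the payload is opaque; a rule on $ext_if can only match the two gateway addresses and protocol 50. States on enc0 are bound to that interface because a packet passes through pf once on enc0 and once on $ext_if, and a floating state created by one pass would otherwise be matched by the other; the exact state keyword may differ between pf versions, so check pf.conf(5) for the release in use. To confirm the split, `tcpdump -n -i enc0` shows the cleartext packets and `tcpdump -n -i em0 proto esp` shows only the ciphertext, which is exactly the behaviour the enc(4) quote above describes.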

