Jason

Different problem space.

To filter on stuff coming out of an IPsec tunnel is not possible on FreeBSD until somebody ports the enc device over.

On Thursday 30 March 2006 18:21, Jason J Ellingson wrote:
> But, could the rules be applied to data being received from a tunnel?
>
> With mobile IPSec clients (ignoring PPTP as an option), there is no way to
> control data received. You can only have filters on what goes into a
> tunnel and not what is coming out. If this could be overcome, that'd be
> great and I could move more people from PPTP to IPSec.
>
> - Jason
>
> -----Original Message-----
> From: Peter Curran [mailto:[EMAIL PROTECTED]
> Sent: Thursday, March 30, 2006 8:53 AM
> To: [email protected]
> Subject: Re: [pfSense Support] Static routes over IPSec
>
> This problem is caused because IPsec tunnel mode creates 'implicit'
> tunnels.
>
> These are not visible to the rest of the IP layer, because the decision to
> tunnel the traffic is made after the packet has been forwarded.
>
> One easy solution is to create an 'explicit' tunnel, using something like
> GRE, and then secure this using IPsec transport mode. I did have this
> working fine on a hacked version of m0n0wall a year or so ago, and I
> daresay that it could be implemented on pfsense. To be honest, I thought
> it was (using gif tunnels) as I am sure it appeared in an earlier release.
>
> From a usage viewpoint you would just see a new optional interface that
> you could route stuff to (also apply firewall and traffic shaper rules). The
> basic characteristics are the same (GRE has higher overheads, so the MTU
> would be reduced a little. IP-in-IP using GIF is the same overhead as
> IPsec tunnel mode).
>
> /Peter
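One way to build the explicit GRE-over-IPsec-transport tunnel Peter describes, written as an added example for this thread rather than taken from it or from pfSense/m0n0wall. Interface names, peer addresses (192.0.2.1 and 198.51.100.1), tunnel addresses and the two LAN subnets are made up; key exchange is assumed to be handled by racoon in transport mode and is not shown.

```conf
# --- /etc/rc.conf (excerpt) ---
# gre0 carries the plaintext; the outer addresses are the two IPsec peers.
cloned_interfaces="gre0"
ifconfig_gre0="inet 10.255.0.1 10.255.0.2 netmask 255.255.255.255 tunnel 192.0.2.1 198.51.100.1 up"
# The remote LAN is reached by an ordinary route pointing into the tunnel,
# so the tunnelling decision is visible to routing, pf and the shaper.
static_routes="remotelan"
route_remotelan="-net 10.20.0.0/16 10.255.0.2"
ipsec_enable="YES"
ipsec_file="/etc/ipsec.conf"

# --- /etc/ipsec.conf, loaded by setkey(8) ---
# Transport mode, applied only to GRE (IP protocol 47) between the peers.
# There is no tunnel-mode policy, so nothing is 'implicitly' tunnelled
# behind the back of the forwarding decision.
flush;
spdflush;
spdadd 192.0.2.1 198.51.100.1 gre -P out ipsec esp/transport//require;
spdadd 198.51.100.1 192.0.2.1 gre -P in  ipsec esp/transport//require;
# The SAs themselves are negotiated by IKE (racoon, transport-mode phase 2).

# --- /etc/pf.conf (excerpt) ---
ext_if = "em0"
peer   = "198.51.100.1"
lan    = "10.10.0.0/16"
remote = "10.20.0.0/16"

# On the wire only ESP is seen; the decrypted GRE packet is re-injected
# into IP input and passes pf again on $ext_if, so allow both.
pass in  quick on $ext_if proto esp from $peer to ($ext_if)
pass out quick on $ext_if proto esp from ($ext_if) to $peer
pass in  quick on $ext_if proto gre from $peer to ($ext_if)
pass out quick on $ext_if proto gre from ($ext_if) to $peer

# gre0 is the interface on which traffic *coming out* of the tunnel can be
# filtered, which tunnel mode without enc(4) does not give you.
block in  log on gre0
pass  in  on gre0 proto tcp from $remote to $lan port { 22, 443 } keep state
pass  out on gre0 from $lan to $remote keep state
```

Both ends need mirror-image entries (swap the peer addresses and subnets); MTU on gre0 should be lowered to account for the GRE plus ESP overhead Peter mentions.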
