(snip)

> You could use the draft-touch-ipsec-vpn-04.txt together with ipfw rules,
> but then you say you don't want to look at IP addresses...

I'm happy to look at outside addresses, just not the ones on the inside. I would also consider matching up the endpoint (VPN gateway or "outside") address and SPI to know which SA a packet is arriving on, for the inbound-through-tunnel direction, and then use the vlan interface name to help select the departing tunnel, if possible.

> So no, I don't see how it can be done under your constraints.

Well, not perhaps without some nethacks in the kernel. I've certainly done that before, but would prefer something more vanilla.

Thanks,
-Les

--
Les Biffle (480) 585-4099 [EMAIL PROTECTED] http://www.les.safety.net/
Network Safety Corp., 5831 E. Dynamite Blvd., Cave Creek, AZ 85331

To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-hackers" in the body of the message
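The classification step Les describes above, picking out the inbound SA from the outer endpoint address plus the ESP SPI, as an added example that is not part of the original thread or of any FreeBSD code: a small Python parser that pulls the SPI out of a plain ESP packet (IP protocol 50) or a UDP-encapsulated one (NAT-T, RFC 3948, port 4500) and looks it up in a table keyed by (peer outer address, SPI). The SA table, the peer addresses and SPIs in it, and the sample packets are all constructed for illustration; inside addresses are never examined, which is the constraint in the post.

```python
import struct
import ipaddress

ESP_PROTO = 50
UDP_PROTO = 17
NAT_T_PORT = 4500

# Constructed SA table: (peer outer address, SPI) -> SA name.  The SPI is the
# value this gateway assigned for the inbound direction of each tunnel.
SA_TABLE = {
    ("203.0.113.10", 0x0000A1B2): "sa-siteA-in",
    ("203.0.113.20", 0x0000C3D4): "sa-siteB-in",
}


def _ipv4_header(pkt):
    """Return (src, dst, proto, header_len) for an IPv4 packet; raise on junk."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    if pkt[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        raise ValueError("bad IHL")
    src = str(ipaddress.IPv4Address(pkt[12:16]))
    dst = str(ipaddress.IPv4Address(pkt[16:20]))
    return src, dst, pkt[9], ihl


def esp_spi(pkt):
    """Return (outer src, outer dst, SPI) for an ESP packet, plain or NAT-T.

    Returns None for anything that is not ESP, including the two things that
    share UDP/4500 with ESP: IKE (4-byte zero non-ESP marker) and the
    one-byte 0xFF NAT keepalive.
    """
    src, dst, proto, ihl = _ipv4_header(pkt)
    payload = pkt[ihl:]
    if proto == UDP_PROTO:
        if len(payload) < 8:
            return None
        sport, dport = struct.unpack("!HH", payload[:4])
        if NAT_T_PORT not in (sport, dport):
            return None
        payload = payload[8:]
        if len(payload) == 1 and payload[0] == 0xFF:
            return None                        # NAT-T keepalive
        if len(payload) < 4 or payload[:4] == b"\x00\x00\x00\x00":
            return None                        # IKE behind non-ESP marker
    elif proto != ESP_PROTO:
        return None
    if len(payload) < 8:                       # SPI + sequence number
        return None
    (spi,) = struct.unpack("!I", payload[:4])  # ESP header starts with the SPI
    return src, dst, spi


def classify(pkt, table=SA_TABLE):
    """Name the inbound SA for pkt from (peer address, SPI).

    None means the packet is not ESP at all; 'unknown-sa' means ESP from a
    peer/SPI pair we have no SA for, which is the case to alarm on.
    """
    r = esp_spi(pkt)
    if r is None:
        return None
    src, _dst, spi = r
    return table.get((src, spi), "unknown-sa")


# --- constructed packets for a stand-alone run -------------------------------

def build_ipv4(src, dst, proto, payload):
    """Minimal IPv4 header (no options, checksum left zero) in front of payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def build_esp(spi, seq, body=b"\x00" * 16):
    return struct.pack("!II", spi, seq) + body


def build_nat_t(inner):
    """Wrap an ESP header (or keepalive/IKE marker) in a UDP/4500 header."""
    return struct.pack("!HHHH", NAT_T_PORT, NAT_T_PORT, 8 + len(inner), 0) + inner


if __name__ == "__main__":
    gw = "198.51.100.1"   # this gateway's outside address (constructed)
    samples = {
        "plain ESP, site A": build_ipv4("203.0.113.10", gw, ESP_PROTO, build_esp(0xA1B2, 1)),
        "NAT-T ESP, site B": build_ipv4("203.0.113.20", gw, UDP_PROTO, build_nat_t(build_esp(0xC3D4, 7))),
        "ESP, unknown peer": build_ipv4("203.0.113.99", gw, ESP_PROTO, build_esp(0xA1B2, 1)),
        "NAT-T keepalive":   build_ipv4("203.0.113.20", gw, UDP_PROTO, build_nat_t(b"\xff")),
        "IKE over 4500":     build_ipv4("203.0.113.20", gw, UDP_PROTO, build_nat_t(b"\x00" * 4 + b"\x11" * 28)),
    }
    for name, pkt in samples.items():
        print(f"{name:20s} -> {classify(pkt)}")
```

Strictly, RFC 4301 identifies an inbound SA by the SPI alone at the receiving address; keying on the peer's outer address as well, as the post suggests, is a cheap consistency check that catches an SPI replayed from the wrong endpoint. Selecting the departing tunnel from the vlan interface name is a separate lookup on the egress side and is not covered here.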