Hi,

I read them. But I think that the final solution cannot be
'well we will have a hole like this always since it cannot be fixed'.

I wasn't saying that I want a network interface device like 'tun',
I just wanted something similar that could be used with
ipfw to more accurately specify filters.

Why couldn't we have something like:
(imagine that a new option -n has been added to setkey's spdadd)

setkey -c << ZZZ
spdadd xxx.xxx.xxx.xxx yyy.yyy.yyy.yyy any -n my-tunnel-1 -P in ipsec
esp/tunnel/aaa-bbb/require;
ZZZ

and then

(imagine that new keyword via-ipsec-tunnel has been added to ipfw)

ipfw pass ip from any to any via-ipsec-tunnel my-tunnel-1

I think that this would just be, well, GREAT!
It would allow very easy creation of VPNs with simple rules
and without any holes.

    Ari S.


----- Original Message -----
From: "Cy Schubert - ITSD Open Systems Group" <[EMAIL PROTECTED]>
To: "Ari Suutari" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: 16 December 2000 13:24
Subject: Re: IPFW & IPsec tunnel mode


> In message <001301c0601e$34cab880$[EMAIL PROTECTED]>,
> "Ari Suutari" writes:
> > However, pipsecd only supports fixed keys and Kame seems more
> > like the future way to go. Would it be possible to enhance ipfw & kame
> > to work together better in same way (like having some kind of name for
> > each tunnel and allowing ipfw rule to use them in similar way as
> > 'via' is used with interfaces) ?
>
> Check the -security archives.  This was just discussed about a month
> ago.  In that thread a KAME developer explained why it cannot be
> accomplished.
>
>
> Regards,                         Phone:  (250)387-8437
> Cy Schubert                        Fax:  (250)387-5766
> Team Leader, Sun/Alpha Team   Internet:  [EMAIL PROTECTED]
> Open Systems Group, ITSD, ISTA
> Province of BC