Long term, I intend to associate packets with an enc device so there's a way to identify these packets when writing firewall rules.
Alternatively (and already working), you can replace IPsec tunnel mode with IPIP (gif) tunnels and transport mode, and then use the gif device in your firewall rules.
It doesn't give you the full expressiveness of IPsec selectors, but it's good enough for many VPN schemes (and routing works!)
(See ftp://ftp.rfc-editor.org/internet-drafts/draft-touch-ipsec-vpn-04.txt; I have the -05 update almost ready, which will then go to Informational.)
Lars -- Lars Eggert <[EMAIL PROTECTED]> USC Information Sciences Institute
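The gif-plus-transport-mode arrangement described in the mail, as an added example that is not part of the original post or of the draft: a POSIX shell script emitting the FreeBSD/KAME commands for one gateway. Addresses, interface name, ipfw rule numbers and the gif_vpn.sh file name are constructed assumptions; keys are assumed to come from IKE and are not shown.

```shell
#!/bin/sh
# Added example (not from the original mail): build one side of an IPIP-over-
# transport-mode IPsec VPN so that gif0 can be named in firewall rules.
# All addresses are constructed documentation values; the peer runs the mirror image.
GW_LOCAL=203.0.113.1       # our public address (constructed)
GW_REMOTE=198.51.100.1     # peer's public address (constructed)
NET_LOCAL=192.168.1.0/24   # site behind us (constructed)
NET_REMOTE=192.168.2.0/24  # site behind the peer (constructed)
TUN_LOCAL=10.255.0.1       # inner point-to-point endpoints of gif0 (constructed)
TUN_REMOTE=10.255.0.2

# gif tunnel: the outer IP-in-IP header carries GW_LOCAL -> GW_REMOTE (protocol 4),
# and ordinary routing via the inner endpoint decides what enters the tunnel.
gen_tunnel() {
    printf 'ifconfig gif0 create\n'
    printf 'ifconfig gif0 tunnel %s %s\n' "$GW_LOCAL" "$GW_REMOTE"
    printf 'ifconfig gif0 inet %s %s netmask 255.255.255.255\n' "$TUN_LOCAL" "$TUN_REMOTE"
    printf 'route add -net %s %s\n' "$NET_REMOTE" "$TUN_REMOTE"
}

# SPD: transport-mode ESP applied to the OUTER packets only. The selector is the
# gateway pair plus upper-layer protocol ip4 (IP-in-IP), not the inner subnets,
# which is what lets routing rather than IPsec selectors pick the traffic.
gen_spd() {
    printf 'spdadd %s %s ip4 -P out ipsec esp/transport//require;\n' "$GW_LOCAL" "$GW_REMOTE"
    printf 'spdadd %s %s ip4 -P in ipsec esp/transport//require;\n' "$GW_REMOTE" "$GW_LOCAL"
}

# Firewall: decapsulated traffic shows up on gif0, so rules match the interface.
# Anything else arriving on gif0 is dropped; on the outer path only ESP between the
# two gateways needs to pass.
gen_fw() {
    printf 'ipfw add 1000 allow ip from %s to %s via gif0\n' "$NET_LOCAL" "$NET_REMOTE"
    printf 'ipfw add 1001 allow ip from %s to %s via gif0\n' "$NET_REMOTE" "$NET_LOCAL"
    printf 'ipfw add 1002 deny ip from any to any via gif0\n'
    printf 'ipfw add 1003 allow esp from %s to %s\n' "$GW_LOCAL" "$GW_REMOTE"
    printf 'ipfw add 1004 allow esp from %s to %s\n' "$GW_REMOTE" "$GW_LOCAL"
}

# APPLY=1 executes the commands (ifconfig/route/ipfw via sh, SPD via setkey);
# otherwise everything is printed for review.
run_all() {
    if [ "${APPLY:-0}" = 1 ]; then
        { gen_tunnel; gen_fw; } | sh -e
        gen_spd | setkey -c
    else
        gen_tunnel; gen_spd; gen_fw
    fi
}
case "$0" in *gif_vpn.sh) run_all ;; esac
```

Run as `sh gif_vpn.sh` to review the generated commands, or `APPLY=1 sh gif_vpn.sh` on the gateway to apply them.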