> On 4/1/2003 11:03 AM, Sam Leffler wrote:
> >
> > Long term, I intend to associate packets with an enc device so
> > there's a way to identify these packets when writing firewall rules.
>
> Alternatively (and already working), you can replace IPsec tunnel mode
> with IPIP (gif) tunnels and transport mode, and then use the gif device
> in your firewall rules.
>
> It doesn't give you the full expressiveness of IPsec selectors, but it's
> good enough for many VPN schemes (and routing works!)

Yes, but for folks that want to use fast ipsec as a plug-compatible
replacement for KAME having an equivalent facility is important. I'm
actually more interested in the ability to monitor traffic post-IPSEC
processing (e.g. with tcpdump).

But as I said privately to another person, I haven't decided exactly how
to deal with this issue yet. I watched all the discussion on this and other
mailing lists and when I have time I'll deal with it. Someone with time now
is free to work on it...

Sam

_______________________________________________
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "[EMAIL PROTECTED]"