Hi, I'm going to jump in here too.
We have an issue where we use IPSec tunneling to wireless clients. Currently we associate two IPs on the external interface, the public one and then the tunneled one. We are, however, forced to use NATD instead of IPFILTER for NAT because IPFILTER does its NAT work before IPSEC does its work, which breaks the VPN.

I looked in some of the code and saw where IPFILTER is processed before NAT. I am wondering if it would be possible to swap the locations of the chunks of code and get the effect we want - IPSEC before IPFILTER. Is this as easy as it seems or will there be other troubles? I'm hoping somebody is familiar with this so I can avoid hours of trial and error.

In the ideal world, I would like to be able to specify 'IPSEC before IPFILTER' either in my kernel config or, even better, in rc.conf.

- mike