On 03.11.2003, at 17:50, Greg Nicholson wrote:
> I noticed the same behavior on my installation last night, but didn't
> have time to troubleshoot before reverting to pb18 where everything worked.
> I'm pretty sure that it is in the firewall code, as I was seeing the
> being bounced by rule 0:4.
Well, I can't see why any of the changes made to the filter generator
from pb18 to pb19 would cause something like this. Guess we'll need
more input, like status.cgi output when the problem occurs...
> On a related note, we have LAN,WAN,PPTP options on the firewall rules.
> Where do the IPsec tunnels fit in?
Nowhere. In a way, IPsec completely sucks when it comes to filtering
because there are no virtual interfaces per tunnel as there are with
PPTP or OpenVPN. ipfilter just sees those packets as coming in via WAN
(and to make matters worse, they pass through the filter three (!)
times - once as ESP, then as ipencap and finally as the decrypted
packet). Maybe some kludge with gif interfaces would help, but I'm not
sure about that.
I'd prefer to get rid of that nasty, ugly, kludgy IPsec + IKE (did I
mention that racoon sucks? ;) shit anyway - causes more headaches than
it is worth. Too bad it's the de-facto industry standard. OpenVPN is
much more beautiful. But the good things in life always have a catch:
it runs in userland and as such it's very slow on low-end platforms
like embedded PCs. Gosh!
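To make the three-pass behaviour described in the message above concrete, here is an added illustration of what ipfilter rules for a single IPsec tunnel end up looking like when every pass arrives "on WAN". This is not m0n0wall's generated ruleset or anything from the original thread; the interface name (sis0), the gateway addresses (198.51.100.2 local, 203.0.113.5 remote) and the two LAN networks (192.168.1.0/24 local, 10.2.0.0/24 remote) are all made up for the example.

```conf
# Added illustration, not m0n0wall's own ruleset. Assumed names/addresses:
#   WAN interface      sis0
#   our WAN address    198.51.100.2
#   peer gateway       203.0.113.5
#   our LAN            192.168.1.0/24
#   peer LAN           10.2.0.0/24

# IKE for racoon (UDP 500) between the two gateways, on WAN.
pass in quick on sis0 proto udp from 203.0.113.5 port = 500 to 198.51.100.2 port = 500 keep state

# Pass 1: the packet first hits the WAN rules as ESP from the peer gateway.
pass in  quick on sis0 proto esp from 203.0.113.5 to 198.51.100.2
pass out quick on sis0 proto esp from 198.51.100.2 to 203.0.113.5

# Pass 2: with ESP stripped, the tunnel-mode packet is IP-in-IP
# (ipencap, protocol 4) between the same two gateways and is seen again.
pass in quick on sis0 proto ipencap from 203.0.113.5 to 198.51.100.2

# Pass 3: the decrypted inner packet comes through a third time, still
# attributed to sis0, now carrying the private addresses of both LANs.
# Only here can you filter on what the tunnel actually carries, and with
# no per-tunnel interface the rules can only key on those inner addresses.
pass  in quick on sis0 proto tcp from 10.2.0.0/24 to 192.168.1.0/24 port = 22 keep state
block in quick on sis0 from 10.2.0.0/24 to 192.168.1.0/24
```

The caveat a practitioner should take from this: the pass-3 rules cannot tell a packet that was decrypted from the tunnel apart from a cleartext packet that arrived on sis0 with a spoofed 10.2.0.0/24 source, because both match "in on sis0" with the same addresses. That is exactly the filtering problem of having no virtual interface per tunnel, and it is why the message above calls the PPTP and OpenVPN model (one interface per tunnel, rules bound to that interface) much easier to filter.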