On 7/26/06, Gustavo Rios <[EMAIL PROTECTED]> wrote:
> # Pass encrypted traffic to/from security gateways
> pass in proto esp from $GATEWAY_B to $GATEWAY_A
> pass out proto esp from $GATEWAY_A to $GATEWAY_B
>
> In the last two lines above, if I wanted to specify the interface,
> which of enc0 or $ext_if should I use?
$ext_if, given the following rationale:
Your external interface will see the packets with ESP payload coming
from / going to the other gateway(s). Inbound, these packets require
processing; outbound, they are the result of processing. Your external
interface cannot - unless you do *very* unwise things - see the
internals of those packets; that's what your enc(4) interfaces can
help you with.
From enc(4):
"The enc interface allows an administrator to see outgoing packets before
they have been processed by ipsec(4), or incoming packets after they have
been similarly processed, via tcpdump(8)."
Cheers,
Rogier
--
If you don't know where you're going, any road will get you there.
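The split described in the reply, written out as an added pf.conf fragment (not from the original thread). $ext_if, $GATEWAY_A and $GATEWAY_B come from the question; the interface name, the addresses and the $NET_A/$NET_B macros for the networks behind each gateway are constructed placeholders, and OpenBSD pf syntax is assumed.

```pf
# Added example, not part of the original post.
# Macros from the question: $ext_if, $GATEWAY_A (this host), $GATEWAY_B (peer).
# Constructed placeholders: interface name, addresses, $NET_A, $NET_B.
ext_if    = "em0"
GATEWAY_A = "192.0.2.1"        # placeholder: this security gateway
GATEWAY_B = "198.51.100.1"     # placeholder: remote security gateway
NET_A     = "10.0.1.0/24"      # assumed network behind this gateway
NET_B     = "10.0.2.0/24"      # assumed network behind the remote gateway

# 1. The ESP wrapper is what $ext_if sees: inbound before ipsec(4) has
#    processed it, outbound as the result of that processing. So the
#    interface for the two rules from the question is $ext_if.
pass in  on $ext_if proto esp from $GATEWAY_B to $GATEWAY_A
pass out on $ext_if proto esp from $GATEWAY_A to $GATEWAY_B

# 2. The internals of those packets (the cleartext inside the tunnel) are
#    only visible on enc0, so that is where the inner traffic is filtered.
#    if-bound ties each state to enc0, so a state created from decrypted
#    traffic can never be matched by a packet arriving on $ext_if.
pass in  on enc0 from $NET_B to $NET_A keep state (if-bound)
pass out on enc0 from $NET_A to $NET_B keep state (if-bound)

# Inspecting the inner packets the enc(4) man page refers to:
#   tcpdump -n -i enc0
# Inspecting only the ESP wrapper, which is all $ext_if ever shows:
#   tcpdump -n -i em0 proto esp
```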