Subject: How to create a windows based router/gateway from scratch
Category: Computers > Programming
Asked by: ltjelle-ga
List Price: $50.00
Posted: 26 Feb 2006 01:38 PST
Expires: 04 Mar 2006 23:42 PST
Question ID: 701080

I wonder how I can create an MS Windows based SSL tunnel with any TCP/UDP traffic encapsulated, using the .Net framework. A common scenario would be to connect 2 LANs with that SSL tunnel, so clients on both sides would transparently use that tunnel as encryption. At the same time any other traffic (internet surf traffic) would go as normal.

Functionality I try to create:
- Sniff all traffic in promiscuous mode
- then route based on destination IP address
- create an SSL tunnel against a TCP listener in the other end that can unpack the traffic
- At a later stage I would like to add QoS

I have knowledge of win sockets programming. I have bought/read:
- Windows System Programming 3rd Ed.
- Windows Internals (XP/2003/2000)
- Network programming in .Net

First of all I need to figure out what kind of technology to use. How does routing actually work programmatically? (WinPcap for sniffing? NDIS/TDI/WMI for redirection/hooking the traffic?) Is there anything within the .Net framework that can do some or all of this? My preferred development language is VB.net, but if needed I might use C++ to do some of the core functionality.

Summary: I want to understand how I can create a windows based router/gateway from scratch using the latest windows technology (.Net 2.0/WinFX). Please explain and point to some good qualified URLs or books.

There is no answer at this time.

Subject: Re: How to create a windows based router/gateway from scratch
From: robinthomas-ga on 27 Feb 2006 05:10 PST

Implementing your plan on a Linux platform would be more convenient, as there is a Linux package called libcap that can be used to capture TCP/UDP/ICMP packages. Now if you can find the corresponding .NET package for the same, then the rest of it will be easy.

Firstly you will have to create "routing tables" that will tell you that packets with a particular network address will have to be routed through a unique port which connects your router to that destination network. Let's say your router connects 2 networks which have network addresses A and B. Now both of these will be physically connected to your router via something similar to a Network Interface Card (NIC). These NEs (network elements) will each have a unique hardware address called a MAC address. Now your router table will basically tell you that incoming packets with the network address "A" will be routed through the hardware that has this particular MAC address, and it will also tell you the status of that network. Refer to some good book on Linux networking to get the format of conventional router tables.

Now when you have captured an incoming packet through your .NET libraries, you will have to extract the TCP header. (Refer to a good book on TCP/IP or google to get the format of the packet headers, both the MAC header which is at the top of the packet and the TCP header which comes below the MAC header within the incoming packet.) You can parse the TCP header and find out what kind of packet it is, and decide whether that packet needs to be routed by your system. If it has to be routed by your system then you need to parse the TCP header and find out the destination IP address of the packet. From the parsed destination IP address you can find out the network address using the SUBNET mask field within the TCP header itself. Once you have the network address, check your router tables to find out which hardware port you will send it through.

Grab the MAC address of the hardware port that connects to your destination network from the router table. Now within the MAC header in your incoming packet you will have a field that says source MAC address. Update this field to the MAC address of the port on your router. Update the destination MAC address also from the router tables on your router.

If you are wondering how you initially get the destination MAC addresses onto your router, then initially you can do it statically by physically populating your router tables, as long as your router is in a test environment. At later stages you can ping and find out destinations that are alive.

Hope this gets you started off on your endeavour. Good luck. It took me 1 month to do this on LINUX. Happy networking..........

Subject: Re: How to create a windows based router/gateway from scratch
From: ltjelle-ga on 27 Feb 2006 10:53 PST

Thanks a lot mate,

In short:
1. Sniff packets
2. Add packets to a buffer
3. Decide, based on destination IP, which NIC to send the packet
4. Create new RAW packet with:
   - Source MAC to my sending NIC
   - Dest. MAC to gateway which can route it further
   - Keep IP addresses and Payload unchanged
5. Send the RAW packet
6. Delete packet from buffer

Have I understood this correctly? Do I have to sniff in promiscuous mode? I guess it would be enough to only sniff packets with my router as MAC destination. Also, do I have to reply/acknowledge anything back to the client on my LAN, after I have received the packet?

From your experience, do you have some recommendation about a testing environment? Is there some network traffic (protocols) that is easy to simulate? Or even software that I could test against?

Best Regards ;)

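Steps 3 and 4 of the summary above (pick the outgoing NIC from the destination IP, then rewrite the MAC fields in place), as an added C example that is not part of the original thread. It reads the destination address from the IPv4 header, takes the mask from each route entry, and rejects truncated or non-IPv4 frames before parsing; the route table, MAC addresses and sample frame are constructed assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical route entry; every value below is a constructed sample. */
struct route {
    uint32_t net, mask;     /* host byte order */
    int      nic;           /* index of the outgoing interface */
    uint8_t  src_mac[6];    /* MAC of our sending NIC */
    uint8_t  next_mac[6];   /* MAC of the next hop on that link */
};
static const struct route table[] = {
    { 0x0A000000u, 0xFF000000u, 0, {2,0,0,0,0,0x01}, {2,0,0,0,0,0xA1} }, /* 10.0.0.0/8  */
    { 0x0A010000u, 0xFFFF0000u, 1, {2,0,0,0,0,0x02}, {2,0,0,0,0,0xB1} }, /* 10.1.0.0/16 */
};

/* Longest-prefix match: the most specific matching mask wins. */
static const struct route *lookup(uint32_t dst) {
    const struct route *best = NULL;
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++)
        if ((dst & table[i].mask) == table[i].net &&
            (!best || table[i].mask > best->mask))
            best = &table[i];
    return best;
}

/* Rewrite the Ethernet header in place. Returns the outgoing NIC index,
   or -1 if the frame is truncated, not IPv4, or has no matching route. */
int forward(uint8_t *f, size_t len) {
    if (len < 14 + 20) return -1;                   /* Ethernet + minimal IPv4 */
    if (f[12] != 0x08 || f[13] != 0x00) return -1;  /* EtherType 0x0800 only */
    const uint8_t *ip = f + 14;
    size_t ihl = (size_t)(ip[0] & 0x0F) * 4;        /* IPv4 header length */
    if ((ip[0] >> 4) != 4 || ihl < 20 || 14 + ihl > len) return -1;
    uint32_t dst = ((uint32_t)ip[16] << 24) | ((uint32_t)ip[17] << 16) |
                   ((uint32_t)ip[18] << 8)  | (uint32_t)ip[19];
    const struct route *r = lookup(dst);
    if (!r) return -1;
    memcpy(f, r->next_mac, 6);      /* destination MAC = next hop */
    memcpy(f + 6, r->src_mac, 6);   /* source MAC = our sending NIC */
    /* A production forwarder also decrements TTL and fixes the checksum. */
    return r->nic;
}
int main(void) {
    uint8_t f[34] = {0};            /* constructed frame: IPv4 to 10.1.2.3 */
    f[12] = 0x08; f[14] = 0x45; f[30] = 10; f[31] = 1; f[32] = 2; f[33] = 3;
    printf("out nic %d\n", forward(f, sizeof f));
    return 0;
}
```
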
Subject: Re: How to create a windows based router/gateway from scratch
From: robinthomas-ga on 28 Feb 2006 04:27 PST

You got that pretty clear mate. Well, you won't have to create a new packet. You can just edit the necessary fields in the headers (i.e. the MAC address fields). It would be good to work in promiscuous mode as this would help you sniff different types of packets.

To test this I suggest for starters you use 2 PCs on different networks. You can generate ping packets from one computer, and if your router is successfully up then you will receive positive responses on pinging. That's what I did to test this setup in the initial stages.

Yes, adding packets to a buffer........ that I forgot to mention. That will be good because in effect you will be implementing the "leaky bucket algorithm", which helps in traffic shaping. Hope that puts the testing issue to rest ;-)