From owner-freebsd-net Tue Mar 6 17: 3:11 2001
Delivered-To: freebsd-net@freebsd.org
Received: from lotl.clari.net.au (lotl.clari.net.au [203.26.127.210]) by hub.freebsd.org (Postfix) with ESMTP id E00DD37B719 for ; Tue, 6 Mar 2001 17:03:05 -0800 (PST) (envelope-from stephen@clari.net.au)
Received: from theforce.clari.net.au (theforce.clari.net.au [203.8.14.120]) by lotl.clari.net.au (8.9.3/8.9.1) with ESMTP id MAA95098 for ; Wed, 7 Mar 2001 12:02:35 +1100 (EST) (envelope-from stephen@clari.net.au)
Message-ID:
X-Mailer: XFMail 1.4.0 on FreeBSD
X-Priority: 3 (Normal)
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 8bit
MIME-Version: 1.0
Date: Wed, 07 Mar 2001 12:09:03 +1100 (EST)
Organization: ClariNET Internet Solutions
From: Stephen Cimarelli
To: freebsd-net@freebsd.org
Subject: IPSEC + natd + IPFW
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hi All

I have managed to get IPsec+gif tunnelling to work but am having trouble setting up firewall rules; it seems that received ESP packets pass through the firewall rule set twice and hit my natd divert rules. To get around this I had to add rules like 00110 and 00115:

00001 150 20400 count esp from any to any
00010 150 20400 allow esp from any to any in recv tun0
00011 0 0 allow esp from any to any out xmit tun0
00110 1560 231661 allow ip from 192.168.0.0/16 to 192.168.0.0/16
00115 9 756 allow ip from 10.10.0.0/16 to 192.168.0.0/16 via tun0
00120 6193 2543953 divert 8668 tcp from any to any out xmit tun0
00120 15 1233 divert 8668 udp from any to any out xmit tun0
00120 0 0 divert 8668 icmp from any to any out xmit tun0
00121 6132 6364485 divert 8668 tcp from any to any in recv tun0
00121 16 3516 divert 8668 udp from any to any in recv tun0
00121 21 1764 divert 8668 icmp from any to any in recv tun0

with 192.168. and 10.10 being the remote internal networks.

But there must be a better way?
----------------------------------
E-Mail: Stephen Cimarelli
Date: 07-Mar-01
Time: 11:51:44
ClariNet Internet Solutions
+61 3 9486 0811
www.clari.net.au
----------------------------------

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message
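The ruleset from the post, written as a script so that the ordering the poster relies on is explicit, is added here as an example; it is not the poster's own script and not part of FreeBSD. An ESP packet arriving on tun0 is matched by ipfw once as ESP and, after decapsulation, the inner IP packet traverses the ruleset a second time; the allow rules for the private networks sit before the divert rules so that second pass never reaches natd. The interface tun0, the divert port 8668 and the network ranges are taken from the post; the rule numbers, the fwcmd/build_rules/check_order helpers and the trailing deny rule are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post or from FreeBSD.
# Builds an ipfw ruleset in which private-to-private traffic (the
# decapsulated inner packets of the IPsec tunnel) is accepted before
# the natd divert rules. Run with "show" to print the rules, "check"
# to verify their ordering, or "apply" to load them with ipfw.

EXT_IF="${EXT_IF:-tun0}"          # interface carrying ESP (from the post)
NATD_PORT="${NATD_PORT:-8668}"    # natd divert port (from the post)
LOCAL_NET="192.168.0.0/16"        # private range used in the post
REMOTE_NET="10.10.0.0/16"         # remote private range used in the post

# fwcmd: run ipfw, or print the command when DRY_RUN is set so the
# ruleset can be reviewed on a host without ipfw. (assumed helper)
fwcmd() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf 'ipfw %s\n' "$*"
    else
        /sbin/ipfw -q "$@"
    fi
}

build_rules() {
    # First pass: the ESP envelope on the external interface.
    fwcmd add 00010 allow esp from any to any in recv "$EXT_IF"
    fwcmd add 00011 allow esp from any to any out xmit "$EXT_IF"

    # Second pass: the decapsulated inner packets. Accepting them here
    # keeps them away from the divert rules below (rules 110/115 in the post).
    fwcmd add 00110 allow ip from "$LOCAL_NET" to "$LOCAL_NET"
    fwcmd add 00115 allow ip from "$REMOTE_NET" to "$LOCAL_NET" via "$EXT_IF"

    # Everything else crossing the external interface is handed to natd.
    for proto in tcp udp icmp; do
        fwcmd add 00120 divert "$NATD_PORT" "$proto" from any to any out xmit "$EXT_IF"
        fwcmd add 00121 divert "$NATD_PORT" "$proto" from any to any in recv "$EXT_IF"
    done

    # Deny by default (assumed; the post shows no final rule).
    fwcmd add 65000 deny ip from any to any
}

# Print the ruleset without touching the kernel.
show_rules() {
    ( DRY_RUN=1; build_rules )
}

# Return 0 when every "allow ip" rule precedes the first divert rule,
# i.e. decapsulated private traffic can never reach natd.
check_order() {
    show_rules | awk '
        /divert/ { seen_divert = 1 }
        /allow ip from/ && seen_divert { bad = 1 }
        END { exit bad ? 1 : 0 }'
}

case "${1:-}" in
    apply) build_rules ;;
    show)  show_rules ;;
    check) check_order && echo "allow rules precede divert rules" ;;
esac
```

After loading the rules, `ipfw show` should report the decapsulated traffic on the counters of rules 00110 and 00115 rather than on the 00121 divert rules, which is the same check the poster's counters illustrate.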