Date: Tue, 11 Oct 2011 20:24:39 +0000
From: "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net>
To: Michael Proto <mike@jellydonut.org>
Cc: freebsd-pf@freebsd.org
Subject: Re: Filtering inside IPSec tunnel
Message-ID: <3E6628B4-CABB-41C3-8630-681F08690ABF@lists.zabbadoz.net>
In-Reply-To: <CAGAnWo37UfOHBs=+P2Hs-0BiDeWZkkwGA4PG0qPbhgDghKRLcQ@mail.gmail.com>
References: <94876.1318358460.12206338191212019712@ffe11.ukr.net> <CAGAnWo37UfOHBs=+P2Hs-0BiDeWZkkwGA4PG0qPbhgDghKRLcQ@mail.gmail.com>
On 11. Oct 2011, at 19:37 , Michael Proto wrote:

> 2011/10/11 Виталий Владимирович <artemrts@ukr.net>:
>>
>> I have the IPSec tunnel FreeBSD <-> CISCO. Tunnel works fine but I can't filter traffic inside the tunnel with PF.
>>
>> pf.conf
>>
>> ......
>>
>> ipsec_if="gif0"
>>
>> .......
>> block in all
>> block out all
>>
>> ### EXT_IF_OUT
>>
>> pass out log quick on $ext_if inet from ($ext_if) to any modulate state
>>
>> ### EXT_IF_IN
>>
>> pass in quick on $ext_if inet proto udp from $cisco to ($ext_if) port 500
>> pass in quick on $ext_if inet proto {esp ah ipencap} from $cisco to ($ext_if)
>>
>> ### IPSec VPN INTERFACE
>> #pass in quick on $ipsec_if inet from any to $ipsec_if
>> #pass out quick on $ipsec_if inet from $ipsec_if to any
>> block quick on $ipsec_if
>>
>> But I can still ping the second point of the IPSec tunnel.
>> Where is my mistake?
>
> IIRC you also need the following in your kernel config:
>
> options IPSEC_FILTERTUNNEL
>
> (I think it used to be called IPSEC_FILTERGIF, depending on what
> version of FreeBSD you're running)

Yes, and there are sysctls these days:

net.inet.ipsec.filtertunnel: 1
net.inet6.ipsec6.filtertunnel: 1

/bz

-- 
Bjoern A. Zeeb                                 You have to have visions!
         Stop bit received. Insert coin for new address family.
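The practical point of the thread is that pf rules on the gif0 tunnel interface only see the decapsulated traffic once the kernel's filtertunnel knobs (the `IPSEC_FILTERTUNNEL` kernel option, or the two sysctls Bjoern lists) are on; with them off, `block quick on $ipsec_if` never matches and the far end stays pingable. The script below is an added example, not code from the thread or from FreeBSD: a pre-flight check that parses `sysctl` output for both knobs and reports whether inside-tunnel filtering can be expected to work. The sample sysctl output and the function names are constructed so it runs offline; on a FreeBSD host you would feed it the real output of `sysctl net.inet.ipsec.filtertunnel net.inet6.ipsec6.filtertunnel`.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): check that the IPsec
# tunnel-filtering sysctls are enabled before trusting pf rules on gif0.

# Constructed samples in the "name: value" format FreeBSD's sysctl(8) prints.
SAMPLE_OFF='net.inet.ipsec.filtertunnel: 0
net.inet6.ipsec6.filtertunnel: 0'
SAMPLE_ON='net.inet.ipsec.filtertunnel: 1
net.inet6.ipsec6.filtertunnel: 1'

# filtertunnel_value KEY SYSCTL_OUTPUT
#   Prints the value of KEY from the given sysctl output, or "missing" when
#   the key is absent (e.g. an older kernel that only knows the build option).
filtertunnel_value() {
    printf '%s\n' "$2" | awk -v key="$1" -F': *' '
        $1 == key { print $2; found = 1 }
        END { if (!found) print "missing" }'
}

# check_filtertunnel SYSCTL_OUTPUT
#   Succeeds (exit 0) only when both the IPv4 and IPv6 knobs are set to 1,
#   which is the state in which pf evaluates rules against decapsulated
#   packets on the gif interface.
check_filtertunnel() {
    v4=$(filtertunnel_value net.inet.ipsec.filtertunnel "$1")
    v6=$(filtertunnel_value net.inet6.ipsec6.filtertunnel "$1")
    [ "$v4" = 1 ] && [ "$v6" = 1 ]
}

# sysctl_conf_lines
#   The persistent /etc/sysctl.conf form of the two knobs from the thread.
sysctl_conf_lines() {
    printf '%s\n' 'net.inet.ipsec.filtertunnel=1' 'net.inet6.ipsec6.filtertunnel=1'
}

# Demonstration on the constructed samples.
for sample in "$SAMPLE_OFF" "$SAMPLE_ON"; do
    if check_filtertunnel "$sample"; then
        echo "filtertunnel enabled: pf rules on gif0 will be consulted"
    else
        echo "filtertunnel disabled: 'block quick on gif0' will not match;"
        echo "add to /etc/sysctl.conf:"
        sysctl_conf_lines
    fi
done
```

Run it as-is to see both outcomes, or on FreeBSD replace the loop with `check_filtertunnel "$(sysctl net.inet.ipsec.filtertunnel net.inet6.ipsec6.filtertunnel)"`. Because the knobs are a property of the kernel rather than of pf.conf, a ruleset test that passes on the wire-side interface can still leave the tunnel unfiltered; this check belongs next to `pfctl -nf /etc/pf.conf` in a deployment script.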
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3E6628B4-CABB-41C3-8630-681F08690ABF>