Date:      Wed, 07 Mar 2001 12:09:03 +1100 (EST)
From:      Stephen Cimarelli <stephen@clari.net.au>
To:        freebsd-net@freebsd.org
Subject:   IPSEC + natd + IPFW
Message-ID:  <XFMail.010307120903.stephen@clari.net.au>

Hi All

I have managed to get IPsec+gif tunnelling to work but am having trouble setting
up firewall rules; it seems that received ESP packets pass through the firewall
rule set twice and hit my natd divert rules.

To get around this I had to add a rule like 00110 and 00115

00001   150   20400 count esp from any to any
00010   150   20400 allow esp from any to any in recv tun0
00011     0       0 allow esp from any to any out xmit tun0
00110  1560  231661 allow ip from 192.168.0.0/16 to 192.168.0.0/16
00115     9     756 allow ip from 10.10.0.0/16 to 192.168.0.0/16 via tun0
00120  6193 2543953 divert 8668 tcp from any to any out xmit tun0
00120    15    1233 divert 8668 udp from any to any out xmit tun0
00120     0       0 divert 8668 icmp from any to any out xmit tun0
00121  6132 6364485 divert 8668 tcp from any to any in recv tun0
00121    16    3516 divert 8668 udp from any to any in recv tun0
00121    21    1764 divert 8668 icmp from any to any in recv tun0

with 192.168. and 10.10 being the remote internal networks

But there must be a better way?
----------------------------------
E-Mail: Stephen Cimarelli <stephen@clari.net.au>
Date: 07-Mar-01
Time: 11:51:44
ClariNet Internet Solutions
+61 3 9486 0811
www.clari.net.au
----------------------------------
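The following is an added example, not code from the post above and not ipfw itself: a small model of ipfw first-match evaluation covering only the rule syntax that appears in the listing (action, protocol, from/to, and `in recv`, `out xmit` or `via` interface qualifiers). It replays the two passes the poster describes, the ESP packet arriving on tun0 and the decrypted inner packet re-entering the firewall, against the posted ruleset and against the same ruleset without rules 00110 and 00115, so you can see which rule each packet terminates on. The peer addresses are constructed documentation addresses (RFC 5737). One assumption is the author's of this example rather than a fact from the post: because rule 00115 is qualified `via tun0` and has hits, the inner packet is modelled as being seen on tun0 again, with its private source and destination, rather than on the gif interface.

```python
# Added example: model of ipfw first-match evaluation for the rule syntax in
# the listing above. Not the poster's code and not ipfw; it shows which rule
# each packet hits so the effect of rule ordering around divert is visible.
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    proto: str       # "esp", "tcp", "udp", "icmp"
    src: str
    dst: str
    direction: str   # "in" or "out"
    iface: str       # receive interface (in) or transmit interface (out)


@dataclass
class Rule:
    number: int
    action: str                  # "count", "allow", "divert 8668", ...
    proto: str                   # "ip" matches any protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    direction: Optional[str]     # "in", "out" or None (either)
    iface: Optional[str]         # interface name or None (any)


def _net(tok: str) -> ipaddress.IPv4Network:
    return ipaddress.IPv4Network("0.0.0.0/0" if tok == "any" else tok, strict=False)


def parse_rule(line: str) -> Rule:
    """Parse 'NNNNN action proto from SRC to DST [in recv IF | out xmit IF | via IF]'."""
    t = line.split()
    number = int(t[0])
    if t[1] == "divert":
        action, i = f"divert {t[2]}", 3
    else:
        action, i = t[1], 2
    proto = t[i]
    if t[i + 1] != "from" or t[i + 3] != "to":
        raise ValueError(f"unsupported rule syntax: {line}")
    src, dst = _net(t[i + 2]), _net(t[i + 4])
    rest = t[i + 5:]
    direction = iface = None
    if rest and rest[0] == "via":
        iface = rest[1]                      # via: either direction, that interface
    elif rest and rest[0] in ("in", "out"):
        direction = rest[0]
        if len(rest) >= 3 and rest[1] in ("recv", "xmit"):
            iface = rest[2]
    return Rule(number, action, proto, src, dst, direction, iface)


def matches(rule: Rule, pkt: Packet) -> bool:
    return ((rule.proto == "ip" or rule.proto == pkt.proto)
            and ipaddress.IPv4Address(pkt.src) in rule.src
            and ipaddress.IPv4Address(pkt.dst) in rule.dst
            and (rule.direction is None or rule.direction == pkt.direction)
            and (rule.iface is None or rule.iface == pkt.iface))


def first_match(rules, pkt: Packet):
    """(number, action) of the first terminating rule. 'count' rules match but
    let evaluation continue, as in ipfw; the implicit default rule 65535 denies."""
    for r in rules:
        if matches(r, pkt) and r.action != "count":
            return r.number, r.action
    return 65535, "deny"


def tunnel_traffic_hitting_divert(rules, tunnel_pkts):
    """Names of tunnel packets whose first terminating rule is a divert, i.e.
    decrypted site-to-site traffic that would be handed to natd."""
    return [name for name, p in tunnel_pkts.items()
            if first_match(rules, p)[1].startswith("divert")]


# The posted ruleset with the packet/byte counters stripped.
POSTED = [parse_rule(l) for l in """
00001 count esp from any to any
00010 allow esp from any to any in recv tun0
00011 allow esp from any to any out xmit tun0
00110 allow ip from 192.168.0.0/16 to 192.168.0.0/16
00115 allow ip from 10.10.0.0/16 to 192.168.0.0/16 via tun0
00120 divert 8668 tcp from any to any out xmit tun0
00120 divert 8668 udp from any to any out xmit tun0
00120 divert 8668 icmp from any to any out xmit tun0
00121 divert 8668 tcp from any to any in recv tun0
00121 divert 8668 udp from any to any in recv tun0
00121 divert 8668 icmp from any to any in recv tun0
""".split("\n") if l.strip()]

# The same ruleset without the two workaround rules the poster added.
WITHOUT_WORKAROUND = [r for r in POSTED if r.number not in (110, 115)]

# Constructed packets (RFC 5737 documentation addresses for the peers).
# Pass 1: the ESP packet from the remote gateway arriving on tun0.
# Pass 2: the decrypted inner packet re-entering the firewall; assumed here
# (not stated in the post) to still be seen on tun0, as rule 00115's hits suggest.
ESP_IN = Packet("esp", "203.0.113.7", "198.51.100.2", "in", "tun0")
INNER_10 = Packet("tcp", "10.10.1.5", "192.168.1.10", "in", "tun0")
INNER_192 = Packet("tcp", "192.168.5.1", "192.168.1.10", "in", "tun0")
INTERNET_IN = Packet("tcp", "203.0.113.7", "198.51.100.2", "in", "tun0")  # ordinary NAT traffic
TUNNEL = {"inner_10": INNER_10, "inner_192": INNER_192}

if __name__ == "__main__":
    for label, rules in (("posted", POSTED), ("without 110/115", WITHOUT_WORKAROUND)):
        print(label, {n: first_match(rules, p) for n, p in
                      {"esp": ESP_IN, **TUNNEL, "internet": INTERNET_IN}.items()})
```

With the posted rules the ESP packet terminates on 00010, the two inner packets on 00115 and 00110, and ordinary Internet traffic still reaches the 00121 divert; drop 00110 and 00115 and both inner packets terminate on 00121, which is the natd hand-off the poster is seeing. One caveat the model makes obvious: nothing in rule 00115 distinguishes a decrypted inner packet from a plaintext packet that arrives on tun0 with a forged 10.10.0.0/16 source, so a rule like it should be paired with whatever anti-spoofing check the running ipfw version offers, and that is worth verifying on the real system rather than in this model.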
