Date: Fri, 26 May 2006 11:38:36 +0400 From: Gennady Proskurin <gpr@nvnpp.vrn.ru> To: freebsd-security@freebsd.org Subject: IPSEC - tcp port match Message-ID: <20060526073836.GC15280@relay.nvnpp.vrn.ru>
Hello. I try to configure IPSEC to bypass ssh protocol. For example:

    setkey -FP
    setkey -F
    setkey -c << EOF
    spdadd 10.1.1.1/32 10.6.10.50[22] tcp -P in none ;
    spdadd 10.1.1.1/32 10.6.10.50 tcp -P in ipsec ah/transport//require ;
    EOF

(Pass incoming ssh packets to 10.6.10.50, block other tcp packets)

This works under fresh 7-CURRENT (FAST_IPSEC). On fresh 6-STABLE (neither FAST_IPSEC nor KAME IPSEC) it doesn't work: the first string "spdadd 10.1.1.1/32 10.6.10.50[22] tcp -P in none" never matches.

Is it a bug in 6-STABLE or am I missing something? Does anybody successfully use IPSEC with tcp port matching under 6-STABLE?

-- 
Gennady