2011/10/11 Виталий Владимирович <[email protected]>:
>
> I have the IPSec tunnel FreeBSD <-> CISCO. Tunnel works fine but I can't
> filter traffic inside the tunnel with PF.
>
> pf.conf
>
> ......
>
> ipsec_if="gif0"
>
> .......
> block in all
> block out all
>
> ### EXT_IF_OUT
>
> pass out log quick on $ext_if inet from ($ext_if) to any modulate state
>
> ### EXT_IF_IN
>
> pass in quick on $ext_if inet proto udp from $cisco to ($ext_if) port 500
> pass in quick on $ext_if inet proto {esp ah ipencap} from $cisco to ($ext_if)
>
> ### IPSec VPN INTERFACE
> #pass in quick on $ipsec_if inet from any to $ipsec_if
> #pass out quick on $ipsec_if inet from $ipsec_if to any
> block quick on $ipsec_if
>
> But I can still ping the second point of the IPSec tunnel.
> Where is my mistake?
IIRC you also need the following in your kernel config:

options IPSEC_FILTERTUNNEL

(I think it used to be called IPSEC_FILTERGIF, depending on what version of FreeBSD you're running)

-Proto
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "[email protected]"
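An added check script for the reply above; it is not from the thread. It assumes the FreeBSD sysctl net.inet.ipsec.filtertunnel, which later releases provide in place of the IPSEC_FILTERTUNNEL kernel option, and kern.conftxt, which is only present when the kernel was built with INCLUDE_CONFIG_FILE.

```shell
#!/bin/sh
# Decide whether pf will be handed the decrypted traffic of an IPsec/gif tunnel.
# $1: output of `sysctl -n net.inet.ipsec.filtertunnel` ("" if the OID is absent)
# $2: kernel config text from `sysctl -n kern.conftxt` ("" if unavailable)
# Prints one of: sysctl-on, sysctl-off, option-on, unknown
filtertunnel_state() {
    sysctl_val="$1"
    conftxt="$2"
    case "$sysctl_val" in
        1) echo sysctl-on;  return 0 ;;
        0) echo sysctl-off; return 1 ;;
    esac
    # Older kernels have no sysctl: look for the compile-time option instead
    # (IPSEC_FILTERGIF is the older name mentioned in the reply).
    if printf '%s\n' "$conftxt" |
       grep -Eq '^[[:space:]]*options[[:space:]]+IPSEC_FILTER(TUNNEL|GIF)'; then
        echo option-on; return 0
    fi
    echo unknown; return 2
}

# Gather the live values on a FreeBSD host and say what the pf rules on
# $ipsec_if can be expected to see.
report() {
    val=$(sysctl -n net.inet.ipsec.filtertunnel 2>/dev/null || true)
    cfg=$(sysctl -n kern.conftxt 2>/dev/null || true)
    state=$(filtertunnel_state "$val" "$cfg" || true)
    case "$state" in
        sysctl-on|option-on)
            echo "pf filters traffic inside the IPsec tunnel ($state);"
            echo "rule counters in 'pfctl -vsr' on the gif rules should move." ;;
        sysctl-off)
            echo "pf does NOT see tunnelled traffic; add to /etc/sysctl.conf:"
            echo "  net.inet.ipsec.filtertunnel=1" ;;
        *)
            echo "cannot tell from sysctl or kern.conftxt; check the kernel config for:"
            echo "  options IPSEC_FILTERTUNNEL" ;;
    esac
}

if [ "$(uname -s)" = FreeBSD ]; then
    report
fi
```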
