--- Original Message ---
From: "Bjoern A. Zeeb" <[email protected]>
To: "Michael Proto" <[email protected]>
Date: 11 October 2011, 23:24:39
Subject: Re: Filtering inside IPSec tunnel

> On 11. Oct 2011, at 19:37 , Michael Proto wrote:
>
> > 2011/10/11 Виталий Владимирович <[email protected]>:
> >>
> >> I have the IPSec tunnel FreeBSD <-> CISCO. The tunnel works fine, but I can't
> >> filter traffic inside the tunnel with PF.
> >>
> >> pf.conf
> >>
> >> ......
> >>
> >> ipsec_if="gif0"
> >>
> >> .......
> >> block in all
> >> block out all
> >>
> >> ### EXT_IF_OUT
> >>
> >> pass out log quick on $ext_if inet from ($ext_if) to any modulate state
> >>
> >> ### EXT_IF_IN
> >>
> >> pass in quick on $ext_if inet proto udp from $cisco to ($ext_if) port 500
> >> pass in quick on $ext_if inet proto {esp ah ipencap} from $cisco to ($ext_if)
> >>
> >> ### IPSec VPN INTERFACE
> >> #pass in quick on $ipsec_if inet from any to $ipsec_if
> >> #pass out quick on $ipsec_if inet from $ipsec_if to any
> >> block quick on $ipsec_if
> >>
> >> But I can still ping the second point of the IPSec tunnel.
> >> Where is my mistake?
> >
> > IIRC you also need the following in your kernel config:
> >
> > options IPSEC_FILTERTUNNEL
> >
> > (I think it used to be called IPSEC_FILTERGIF, depending on what
> > version of FreeBSD you're running)
>
> Yes, and there are sysctls these days:
>
> net.inet.ipsec.filtertunnel: 1
> net.inet6.ipsec6.filtertunnel: 1

Thanks guys. It works fine!

_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "[email protected]"
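As an added example (not from the thread, not FreeBSD's own tooling; the function names are mine), a small sh script that checks the two sysctls Bjoern named before trusting a "block quick on $ipsec_if" rule, and prints the /etc/sysctl.conf lines that make the setting persistent:

```shell
#!/bin/sh
# Added example, not from the thread. pf only sees the decapsulated packets on
# gif0 when the filtertunnel sysctls are 1 (or the kernel was built with
# options IPSEC_FILTERTUNNEL); with them at 0 a "block quick on gif0" rule never
# matches and the tunnel peer stays pingable. The sysctl output is passed in as
# text so the check can be exercised offline; on the gateway run it as-is.

# Return 0 when both the IPv4 and IPv6 knobs read 1, non-zero otherwise.
# $1 is the output of: sysctl net.inet.ipsec.filtertunnel net.inet6.ipsec6.filtertunnel
check_filtertunnel() {
    v4=$(printf '%s\n' "$1" | awk -F': ' '$1 == "net.inet.ipsec.filtertunnel" { print $2 }')
    v6=$(printf '%s\n' "$1" | awk -F': ' '$1 == "net.inet6.ipsec6.filtertunnel" { print $2 }')
    # A missing line counts as 0: a kernel without the knob does not re-filter either.
    [ "${v4:-0}" = "1" ] && [ "${v6:-0}" = "1" ]
}

# /etc/sysctl.conf entries that keep the setting across reboots.
sysctl_conf_lines() {
    printf 'net.inet.ipsec.filtertunnel=1\n'
    printf 'net.inet6.ipsec6.filtertunnel=1\n'
}

# Stand-alone use on the FreeBSD gateway: read the live values and report.
# On a system without these MIBs the output is empty and the report is skipped.
live=$(sysctl net.inet.ipsec.filtertunnel net.inet6.ipsec6.filtertunnel 2>/dev/null || true)
if [ -n "$live" ]; then
    if check_filtertunnel "$live"; then
        echo "filtertunnel is on: pf rules on gif0 apply to tunnel traffic"
    else
        echo "filtertunnel is off: pf never sees decapsulated packets; add to /etc/sysctl.conf:"
        sysctl_conf_lines
    fi
fi
```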
