Yeah, except that the setkey used on pfSense is the one coming with ipsec-tools.
On Thu, Feb 13, 2014 at 1:13 PM, Erik Friesen <[email protected]> wrote:
> I see they know.
> http://www.freebsd.org/cgi/man.cgi?query=setkey&sektion=8
>
> No other alternatives to selectively route ports to an ipsec vpn?
>
> BUGS <http://www.freebsd.org/cgi/man.cgi?query=setkey&sektion=8#end>
>
> The setkey utility should report and handle syntax errors better.
>
> For IPsec gateway configuration, src_range and dst_range with TCP/UDP
> port number do not work, as the gateway does not reassemble packets
> (cannot inspect upper-layer headers).
>
>
> On Wed, Feb 12, 2014 at 3:25 PM, Ermal Luçi <[email protected]> wrote:
>
>> You need to tell even racoon about this.
>>
>>
>> On Wed, Feb 12, 2014 at 2:35 PM, Erik Friesen <[email protected]> wrote:
>>
>>> I have been trying to set up an ipsec vpn to only route from/to tcp port
>>> 80 and 440. The vpn sets up fine, but since there is no setting in the gui
>>> for ports, I have taken to hand trying some different SPDs.
>>>
>>> From the command line:
>>> setkey -FP - erases current SPDs
>>> setkey -f filename - loads new file
>>>
>>> this is one I have tried -
>>> spdadd -4 192.168.0.1/32 192.168.0.0/24 any -P out none;
>>> spdadd -4 192.168.0.0/24 192.168.0.1/32 any -P in none;
>>> spdadd -4 192.168.0.0/24[any] 0.0.0.0/0[80] tcp -P out ipsec
>>> esp/tunnel/69.27.61.178-199.19.252.164/unique;
>>> spdadd -4 0.0.0.0/0[any] 192.168.0.0/24[80] tcp -P in ipsec
>>> esp/tunnel/199.19.252.164-69.27.61.178/unique;
>>>
>>> and many other combinations between the []. However, a port number
>>> seems to break it, where no traffic gets routed to the ipsec interface.
>>>
>>> I know this would take a bit of coding to inhibit the auto update from
>>> xml, but otherwise would this be doable if setkey/racoon?? would cooperate?
>>> Or are there other factors at play?
_______________________________________________ List mailing list [email protected] http://lists.pfsense.org/mailman/listinfo/list
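As an added example (not code from this thread, pfSense, ipsec-tools or racoon), here is a small Python parser for the `spdadd` syntax Erik used above, together with a lint that flags the limitation quoted from the setkey(8) BUGS section: TCP/UDP port selectors on a gateway policy, i.e. a tunnel-mode policy whose inner src/dst cover more than a single host. `POSTED_SPD` is Erik's file from above; the `is_single_host` heuristic used to decide "gateway configuration" is an assumption of this example, not something setkey(8) defines.

```python
"""Parse and lint setkey(8) spdadd statements (ipsec-tools / racoon syntax).

Added example for the thread above; not code from pfSense, ipsec-tools or racoon.
It handles the SPD subset used in the thread and flags the documented setkey(8)
BUGS limitation: src_range/dst_range with TCP/UDP port numbers do not work for
IPsec gateway configuration.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# range  := addr[/prefixlen][[port]]      port is a decimal number or "any"
_RANGE = re.compile(
    r"^(?P<addr>[0-9A-Fa-f.:]+)(?:/(?P<plen>\d{1,3}))?(?:\[(?P<port>any|\d{1,5})\])?$"
)
# policy := ipsec proto/mode/outer-src-outer-dst/level   (src-dst may be empty)
_RULE = re.compile(
    r"^(?P<proto>esp|ah|ipcomp)/(?P<mode>tunnel|transport)/(?P<ends>[^/]*)/"
    r"(?P<level>default|use|require|unique(?::\d+)?)$"
)


@dataclass
class Endpoint:
    addr: str
    prefixlen: Optional[int]   # None when no /prefixlen was written
    port: Optional[str]        # None (no selector), "any", or a port as a string


@dataclass
class Policy:
    src: Endpoint
    dst: Endpoint
    upper: str                 # upperspec as written: any, tcp, udp, icmp, ...
    direction: str             # in | out
    action: str                # none | discard | ipsec
    proto: Optional[str] = None   # esp | ah | ipcomp          (ipsec only)
    mode: Optional[str] = None    # tunnel | transport         (ipsec only)
    ends: Optional[str] = None    # "outer-src-outer-dst"      (tunnel mode)
    level: Optional[str] = None   # default | use | require | unique


def parse_range(tok: str) -> Endpoint:
    m = _RANGE.match(tok)
    if not m:
        raise ValueError(f"bad address range: {tok!r}")
    return Endpoint(m["addr"], int(m["plen"]) if m["plen"] else None, m["port"])


def parse_spdadd(stmt: str) -> Policy:
    """Parse one 'spdadd [-4|-6] src dst upperspec -P direction policy' statement."""
    toks = stmt.strip().rstrip(";").split()
    if not toks or toks[0] != "spdadd":
        raise ValueError(f"not an spdadd statement: {stmt!r}")
    toks = toks[1:]
    if toks and toks[0] in ("-4", "-6"):          # optional address-family flag
        toks = toks[1:]
    if len(toks) < 6 or toks[3] != "-P":
        raise ValueError(f"malformed spdadd: {stmt!r}")
    src, dst, upper, _, direction, action, *rule = toks
    if direction not in ("in", "out"):
        raise ValueError(f"bad direction: {direction!r}")
    pol = Policy(parse_range(src), parse_range(dst), upper, direction, action)
    if action == "ipsec":
        m = _RULE.match("".join(rule))            # rule may continue on the next line
        if not m:
            raise ValueError(f"bad ipsec rule: {' '.join(rule)!r}")
        pol.proto, pol.mode, pol.ends, pol.level = m["proto"], m["mode"], m["ends"], m["level"]
    elif action not in ("none", "discard") or rule:
        raise ValueError(f"bad policy action: {action!r}")
    return pol


def parse_spd_file(text: str) -> List[Policy]:
    """Split a 'setkey -f' file into ';'-terminated statements, dropping # comments."""
    body = "\n".join(line.split("#", 1)[0] for line in text.splitlines())
    return [parse_spdadd(s) for s in body.split(";") if s.strip()]


def is_single_host(ep: Endpoint) -> bool:
    # Assumption of this example: a full-length prefix (or none) means a host,
    # anything shorter means the policy is a gateway policy for a network.
    full = 128 if ":" in ep.addr else 32
    return ep.prefixlen is None or ep.prefixlen >= full


def has_port_selector(ep: Endpoint) -> bool:
    return ep.port not in (None, "any")


def lint(pol: Policy) -> List[str]:
    """Warnings for constructs the setkey(8) BUGS section documents as not working."""
    warnings = []
    gateway = not (is_single_host(pol.src) and is_single_host(pol.dst))
    if pol.action == "ipsec" and pol.mode == "tunnel" and gateway and (
        has_port_selector(pol.src) or has_port_selector(pol.dst)
    ):
        warnings.append(
            "TCP/UDP port selector on a gateway (tunnel-mode, network-to-network) policy: "
            "setkey(8) BUGS says src_range/dst_range with port numbers do not work, because "
            "the gateway does not reassemble packets and cannot inspect upper-layer headers"
        )
    if pol.action == "ipsec" and pol.mode == "tunnel" and not pol.ends:
        warnings.append("tunnel-mode policy without outer src-dst addresses")
    return warnings


def lint_file(text: str) -> List[str]:
    out = []
    for i, pol in enumerate(parse_spd_file(text), 1):
        for w in lint(pol):
            out.append(f"policy {i} ({pol.direction} {pol.src.addr} -> {pol.dst.addr}): {w}")
    return out


# The SPD file Erik posted in the thread above (statements are ';'-terminated,
# so a rule continuing on the next line is fine, exactly as setkey reads it).
POSTED_SPD = """\
spdadd -4 192.168.0.1/32 192.168.0.0/24 any -P out none;
spdadd -4 192.168.0.0/24 192.168.0.1/32 any -P in none;
spdadd -4 192.168.0.0/24[any] 0.0.0.0/0[80] tcp -P out ipsec
    esp/tunnel/69.27.61.178-199.19.252.164/unique;
spdadd -4 0.0.0.0/0[any] 192.168.0.0/24[80] tcp -P in ipsec
    esp/tunnel/199.19.252.164-69.27.61.178/unique;
"""

if __name__ == "__main__":
    for line in lint_file(POSTED_SPD):
        print(line)
```

Running it over the posted file reports the two tunnel-mode policies with `[80]` selectors and nothing for the two `none` bypass policies. The script only checks the text of the SPD file; it does not touch the kernel, so `setkey -f` still has to be run separately, and, as Ermal notes above, racoon has to be configured with matching phase 2 selectors as well or the SPD entries will never be paired with an SA.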
