No other way around the security policy? Why can't it be firewall ruled? This seems impossible, or perhaps a bug, not sure. Nearly every other commercial firewall has this ability.
On Thu, Feb 13, 2014 at 10:22 AM, Ermal Luçi <[email protected]> wrote:
> Yeah, except that setkey used on pfsense is the one coming with ipsec-tools.
>
> On Thu, Feb 13, 2014 at 1:13 PM, Erik Friesen <[email protected]> wrote:
>
>> I see they know.
>> http://www.freebsd.org/cgi/man.cgi?query=setkey&sektion=8
>>
>> No other alternatives to selectively route ports to an ipsec vpn?
>>
>> BUGS
>>
>> The setkey utility should report and handle syntax errors better.
>>
>> For IPsec gateway configuration, src_range and dst_range with TCP/UDP
>> port number do not work, as the gateway does not reassemble packets
>> (cannot inspect upper-layer headers).
>>
>> On Wed, Feb 12, 2014 at 3:25 PM, Ermal Luçi <[email protected]> wrote:
>>
>>> You need to tell even racoon about this.
>>>
>>> On Wed, Feb 12, 2014 at 2:35 PM, Erik Friesen <[email protected]> wrote:
>>>
>>>> I have been trying to set up an ipsec vpn to only route from/to tcp
>>>> port 80 and 440. The vpn sets up fine, but since there is no setting in
>>>> the gui for ports, I have taken to hand trying some different SPDs.
>>>>
>>>> From the command line:
>>>> setkey -FP - erases current spd's
>>>> setkey -f filename - loads new file
>>>>
>>>> this is one I have tried -
>>>> spdadd -4 192.168.0.1/32 192.168.0.0/24 any -P out none;
>>>> spdadd -4 192.168.0.0/24 192.168.0.1/32 any -P in none;
>>>> spdadd -4 192.168.0.0/24[any] 0.0.0.0/0[80] tcp -P out ipsec
>>>> esp/tunnel/69.27.61.178-199.19.252.164/unique;
>>>> spdadd -4 0.0.0.0/0[any] 192.168.0.0/24[80] tcp -P in ipsec
>>>> esp/tunnel/199.19.252.164-69.27.61.178/unique;
>>>>
>>>> and many other combinations between the []. However, a port number
>>>> seems to break it, where no traffic gets routed to the ipsec interface.
>>>>
>>>> I know this would take a bit of coding to inhibit the auto update from
>>>> xml, but otherwise would this be doable if setkey/racoon?? would cooperate?
>>>> Or are there other factors at play?
>>>
>>> --
>>> Ermal
_______________________________________________ List mailing list [email protected] http://lists.pfsense.org/mailman/listinfo/list
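A small checker for the SPD syntax discussed in this thread, added here as an example and not code from the thread, pfSense or ipsec-tools: it parses spdadd statements in setkey(8) form and flags the two things worth noticing in the posted policy, a port selector on a tunnel-mode gateway policy (which the setkey BUGS section says will not match) and `-P ... none` entries that bypass IPsec. The sample input is constructed from the posted lines plus one hypothetical transport-mode policy, and priority keywords are assumed absent.

```python
import re
# Constructed sample: the thread's spdadd lines plus one hypothetical transport-mode policy.
SAMPLE_SPD = """
spdadd -4 192.168.0.1/32 192.168.0.0/24 any -P out none;
spdadd -4 192.168.0.0/24 192.168.0.1/32 any -P in none;
spdadd -4 192.168.0.0/24[any] 0.0.0.0/0[80] tcp -P out ipsec
    esp/tunnel/69.27.61.178-199.19.252.164/unique;
spdadd -4 0.0.0.0/0[any] 192.168.0.0/24[80] tcp -P in ipsec
    esp/tunnel/199.19.252.164-69.27.61.178/unique;
spdadd 10.0.0.1 10.0.0.2[22] tcp -P out ipsec esp/transport//require;
"""
# setkey(8) range syntax: address[/prefixlen] with an optional [port] selector
RANGE_RE = re.compile(r"^(?P<addr>[^\[]+)(?:\[(?P<port>any|\d+)\])?$")

def parse_range(token):
    """Return (address, port); port is None when absent or 'any'."""
    m = RANGE_RE.match(token)
    if not m:
        raise ValueError(f"bad range: {token}")
    port = m.group("port")
    return m.group("addr"), None if port in (None, "any") else int(port)

def parse_spdadd(text):
    """Parse 'spdadd [-4|-6] src dst upper -P dir action [rules] ;' statements."""
    policies = []
    for stmt in text.split(";"):
        tok = stmt.split()
        if not tok or tok[0] != "spdadd":
            continue  # blank chunk, or a statement this parser does not cover
        if tok[1] in ("-4", "-6"):
            del tok[1]
        if len(tok) < 7 or tok[4] != "-P":  # priority keywords are not handled
            raise ValueError(f"unsupported spdadd form: {stmt.strip()}")
        src, src_port = parse_range(tok[1])
        dst, dst_port = parse_range(tok[2])
        modes = [r.split("/")[1] for r in tok[7:]]  # rule = proto/mode/ends/level
        policies.append({"src": src, "src_port": src_port, "dst": dst, "dst_port": dst_port,
                         "upper": tok[3], "dir": tok[5], "action": tok[6], "modes": modes})
    return policies

def audit(policies):
    """Return (index, message) pairs for policies that need a second look."""
    findings = []
    for i, p in enumerate(policies):
        has_port = p["src_port"] is not None or p["dst_port"] is not None
        if p["action"] == "ipsec" and has_port and "tunnel" in p["modes"]:
            findings.append((i, "port selector on a tunnel-mode gateway policy "
                                "will not match (setkey(8) BUGS)"))
        elif p["action"] == "none":
            findings.append((i, "IPsec bypass: matching traffic is not protected"))
    return findings
```

Running `audit(parse_spdadd(SAMPLE_SPD))` flags the two `none` entries and both tunnel-mode port policies, while the transport-mode line with a port passes.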
