Yeah, thanks. I looked around the developer site for a code overview but didn't see much.
Where do you think the crux of the matter lies: in racoon, setkey, or the way FreeBSD is handling it? How do other firewalls on a Linux platform work around this? A recompile of ipsec-tools, or deeper?

On Thu, Feb 13, 2014 at 1:29 PM, Ermal Luçi <[email protected]> wrote:
> Since the start of the project the demand for this kind of setup has been low.
> Hence no real focus has been put into it.
>
> This is for now. If you come with a patch for it will gladly review it for inclusion!
>
> On Thu, Feb 13, 2014 at 5:52 PM, Erik Friesen <[email protected]> wrote:
>
>> No other way around the security policy? Why can't it be firewall ruled? This seems impossible, or perhaps a bug, not sure. Nearly every other commercial firewall has this ability.
>>
>> On Thu, Feb 13, 2014 at 10:22 AM, Ermal Luçi <[email protected]> wrote:
>>
>>> Yeah, except that setkey used on pfsense is the one coming with ipsec-tools.
>>>
>>> On Thu, Feb 13, 2014 at 1:13 PM, Erik Friesen <[email protected]> wrote:
>>>
>>>> I see they know.
>>>> http://www.freebsd.org/cgi/man.cgi?query=setkey&sektion=8
>>>>
>>>> No other alternatives to selectively route ports to an ipsec vpn?
>>>>
>>>> BUGS <http://www.freebsd.org/cgi/man.cgi?query=setkey&sektion=8#end>
>>>>
>>>> The setkey utility should report and handle syntax errors better.
>>>>
>>>> For IPsec gateway configuration, src_range and dst_range with TCP/UDP port number do not work, as the gateway does not reassemble packets (cannot inspect upper-layer headers).
>>>>
>>>> On Wed, Feb 12, 2014 at 3:25 PM, Ermal Luçi <[email protected]> wrote:
>>>>
>>>>> You need to tell even racoon about this.
>>>>>
>>>>> On Wed, Feb 12, 2014 at 2:35 PM, Erik Friesen <[email protected]> wrote:
>>>>>
>>>>>> I have been trying to set up an ipsec vpn to only route from/to tcp port 80 and 440. The vpn sets up fine, but since there is no setting in the gui for ports, I have taken to hand trying some different SPDs.
>>>>>>
>>>>>> From the command line:
>>>>>> setkey -FP - erases current spd's
>>>>>> setkey -f filename - loads new file
>>>>>>
>>>>>> this is one I have tried -
>>>>>> spdadd -4 192.168.0.1/32 192.168.0.0/24 any -P out none;
>>>>>> spdadd -4 192.168.0.0/24 192.168.0.1/32 any -P in none;
>>>>>> spdadd -4 192.168.0.0/24[any] 0.0.0.0/0[80] tcp -P out ipsec esp/tunnel/69.27.61.178-199.19.252.164/unique;
>>>>>> spdadd -4 0.0.0.0/0[any] 192.168.0.0/24[80] tcp -P in ipsec esp/tunnel/199.19.252.164-69.27.61.178/unique;
>>>>>>
>>>>>> and many other combinations between the []. However, a port number seems to break it, where no traffic gets routed to the ipsec interface.
>>>>>>
>>>>>> I know this would take a bit of coding to inhibit the auto update from xml, but otherwise would this be doable if setkey/racoon?? would cooperate? Or are there other factors at play?
>>>>>
>>>>> --
>>>>> Ermal
_______________________________________________ List mailing list [email protected] http://lists.pfsense.org/mailman/listinfo/list
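A small lint for the limitation the quoted setkey(8) BUGS entry describes, added here as illustration and not code from ipsec-tools, pfSense or anyone in the thread: it parses spdadd lines and flags numeric port selectors on tunnel-mode (gateway) policies, which the gateway cannot match because it never sees upper-layer headers. The SPDADD grammar subset and the field names are assumptions; the sample policies are the ones posted above.

```python
import re
from typing import Optional

# Subset of the setkey(8) spdadd grammar this checker understands (assumed):
#   spdadd [-4|-6] src_range[port] dst_range[port] upperspec -P dir policy ;
SPDADD = re.compile(
    r"^\s*spdadd\s+(?:-[46]\s+)?"
    r"(?P<src>\S+?)(?:\[(?P<sport>[^\]]+)\])?\s+"
    r"(?P<dst>\S+?)(?:\[(?P<dport>[^\]]+)\])?\s+"
    r"(?P<proto>\S+)\s+-P\s+(?P<dir>in|out|fwd)\s+(?P<policy>.+?)\s*;?\s*$")
MODE = re.compile(r"\b(?:ah|esp|ipcomp)/(tunnel|transport)/")

def parse_spdadd(line: str) -> Optional[dict]:
    """Fields of one spdadd line, or None if the line is not an spdadd."""
    m = SPDADD.match(line)
    if not m:
        return None
    entry = m.groupdict()
    mode = MODE.search(entry["policy"])          # absent for 'none'/'discard'
    entry["mode"] = mode.group(1) if mode else None
    return entry

def check_entry(entry: dict) -> list:
    """setkey(8) BUGS caveat: a tunnel-mode policy cannot match TCP/UDP ports."""
    ports = [p for p in (entry["sport"], entry["dport"])
             if p is not None and p.lower() != "any"]
    if ports and entry["mode"] == "tunnel":
        return [f"{entry['dir']} tunnel policy {entry['src']} -> {entry['dst']} "
                f"uses port selector(s) {ports}; the gateway cannot inspect "
                "upper-layer headers, so no traffic will be steered into the SA"]
    return []

def lint(config: str) -> list:
    """(line number, warning) for every problematic policy in a setkey file."""
    found = []
    for n, line in enumerate(config.splitlines(), 1):
        entry = parse_spdadd(line)
        for w in (check_entry(entry) if entry else []):
            found.append((n, w))
    return found

# Constructed sample: the policies from the thread, one spdadd per line.
SAMPLE = """\
spdadd -4 192.168.0.1/32 192.168.0.0/24 any -P out none;
spdadd -4 192.168.0.0/24 192.168.0.1/32 any -P in none;
spdadd -4 192.168.0.0/24[any] 0.0.0.0/0[80] tcp -P out ipsec esp/tunnel/69.27.61.178-199.19.252.164/unique;
spdadd -4 0.0.0.0/0[any] 192.168.0.0/24[80] tcp -P in ipsec esp/tunnel/199.19.252.164-69.27.61.178/unique;
"""
```

Running `lint(SAMPLE)` reports the two tunnel policies with `[80]` and leaves the `none` policies alone; a transport-mode policy with a port selector is not flagged, since the caveat is specific to gateway configuration.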
