On Sun, Feb 16, 2014 at 2:27 AM, Erik Friesen <[email protected]> wrote:
> Yeah, thanks. I looked around the developer site for a code overview but
> didn't see much.
>
> Where do you think the crux of the matter lies, in racoon, setkey, or the
> way freebsd is handling it?
>
> racoon + setkey. There is all that is to it.
>
> How do other firewalls on a linux platform work around this? A recompile
> of ipsec tools, or deeper?
>
>
> On Thu, Feb 13, 2014 at 1:29 PM, Ermal Luçi <[email protected]> wrote:
>
>> Since the start of the project the demand for this kind of setup has been
>> low.
>> Hence no real focus has been put into it.
>>
>> This is for now. If you come with a patch for it, we will gladly review it
>> for inclusion!
>>
>>
>> On Thu, Feb 13, 2014 at 5:52 PM, Erik Friesen <[email protected]> wrote:
>>
>>> No other way around the security policy? Why can't it be firewall
>>> ruled? This seems impossible, or perhaps a bug, not sure. Nearly every
>>> other commercial firewall has this ability.
>>>
>>>
>>> On Thu, Feb 13, 2014 at 10:22 AM, Ermal Luçi <[email protected]> wrote:
>>>
>>>> Yeah, except that setkey used on pfsense is the one coming with
>>>> ipsec-tools.
>>>>
>>>>
>>>> On Thu, Feb 13, 2014 at 1:13 PM, Erik Friesen <[email protected]> wrote:
>>>>
>>>>> I see they know.
>>>>> http://www.freebsd.org/cgi/man.cgi?query=setkey&sektion=8
>>>>>
>>>>> No other alternatives to selectively route ports to an ipsec vpn?
>>>>>
>>>>> BUGS
>>>>>
>>>>> The setkey utility should report and handle syntax errors better.
>>>>>
>>>>> For IPsec gateway configuration, src_range and dst_range with TCP/UDP
>>>>> port number do not work, as the gateway does not reassemble
>>>>> packets (cannot inspect upper-layer headers).
>>>>>
>>>>>
>>>>>
>>>>> On Wed, Feb 12, 2014 at 3:25 PM, Ermal Luçi <[email protected]> wrote:
>>>>>
>>>>>> You need to tell even racoon about this.
>>>>>>
>>>>>>
>>>>>> On Wed, Feb 12, 2014 at 2:35 PM, Erik Friesen <[email protected]> wrote:
>>>>>>
>>>>>>> I have been trying to set up an ipsec vpn to only route from/to tcp
>>>>>>> port 80 and 440. The vpn sets up fine, but since there is no setting in
>>>>>>> the gui for ports, I have taken to hand trying some different SPDs.
>>>>>>>
>>>>>>> From the command line:
>>>>>>> setkey -FP - erases current SPDs
>>>>>>> setkey -f filename - loads new file
>>>>>>>
>>>>>>> this is one I have tried -
>>>>>>> spdadd -4 192.168.0.1/32 192.168.0.0/24 any -P out none;
>>>>>>> spdadd -4 192.168.0.0/24 192.168.0.1/32 any -P in none;
>>>>>>> spdadd -4 192.168.0.0/24[any] 0.0.0.0/0[80] tcp -P out ipsec
>>>>>>> esp/tunnel/69.27.61.178-199.19.252.164/unique;
>>>>>>> spdadd -4 0.0.0.0/0[any] 192.168.0.0/24[80] tcp -P in ipsec
>>>>>>> esp/tunnel/199.19.252.164-69.27.61.178/unique;
>>>>>>>
>>>>>>> and many other combinations between the []. However, a port number
>>>>>>> seems to break it, where no traffic gets routed to the ipsec interface.
>>>>>>>
>>>>>>> I know this would take a bit of coding to inhibit the auto update
>>>>>>> from xml, but otherwise would this be doable if setkey/racoon?? would
>>>>>>> cooperate? Or are there other factors at play?
>>>>>>
>>>>>> --
>>>>>> Ermal
_______________________________________________ List mailing list [email protected] http://lists.pfsense.org/mailman/listinfo/list
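Added example for the thread above (not code from the thread, from pfSense or from ipsec-tools): a small POSIX sh generator for the SPD shape Erik was hand-editing, plus the matching racoon `sainfo` selectors that Ermal says racoon must also be told about. Assumptions: the `address net [port] proto` selector form follows racoon.conf(5); a `sainfo` block is emitted for both orderings of the two selectors so that the phase 2 lookup succeeds whichever side initiates; 192.168.0.0/24, 0.0.0.0/0, the RFC 5737 gateway addresses and ports 80/443 are constructed sample values. The caveat Erik quoted from setkey(8) stands: a FreeBSD IPsec gateway does not inspect upper-layer headers on forwarded traffic, so the port selectors are not honoured there; the script shows the policy layout and the racoon side of it, not a workaround for that bug.

```shell
#!/bin/sh
# Added example for the thread above, not pfSense or ipsec-tools code.
# Generates the setkey(8) SPD entries and the racoon sainfo blocks needed to
# restrict one IPsec tunnel to a list of TCP ports. The networks, the RFC 5737
# gateway addresses and the ports used in demo() are constructed sample values.
#
# Caveat from the setkey(8) BUGS section quoted in the thread: a FreeBSD IPsec
# gateway does not inspect upper-layer headers when matching forwarded traffic,
# so these port selectors are not honoured there. The script shows the policy
# shape (and what racoon must be told); it cannot work around that.

# gen_spd LAN REMOTE_NET LOCAL_GW REMOTE_GW PORT...
# For each PORT emit an "out" policy whose destination port is PORT
# (LAN client -> remote server) and a mirrored "in" policy whose *source*
# port is PORT (the server's replies). Placing PORT on the LAN side of the
# "in" policy, as the thread's hand-written SPD does, instead selects
# connections made *to* LAN hosts on that port.
gen_spd() {
    lan=$1; remote=$2; lgw=$3; rgw=$4
    shift 4
    for port in "$@"; do
        printf 'spdadd -4 %s[any] %s[%s] tcp -P out ipsec esp/tunnel/%s-%s/unique;\n' \
            "$lan" "$remote" "$port" "$lgw" "$rgw"
        printf 'spdadd -4 %s[%s] %s[any] tcp -P in ipsec esp/tunnel/%s-%s/unique;\n' \
            "$remote" "$port" "$lan" "$rgw" "$lgw"
    done
}

# gen_sainfo LAN REMOTE_NET PORT...
# With level "unique" every SPD entry above gets its own SA pair, and racoon
# looks up a sainfo whose selectors match the IDs of each phase 2 exchange.
# Assumption: the "address net [port] proto" selector form follows
# racoon.conf(5); a block is emitted for both selector orderings so the
# lookup succeeds whichever side initiates phase 2.
gen_sainfo() {
    lan=$1; remote=$2
    shift 2
    for port in "$@"; do
        for pair in "$lan [any] tcp address $remote [$port] tcp" \
                    "$remote [$port] tcp address $lan [any] tcp"; do
            printf 'sainfo address %s {\n' "$pair"
            printf '\tpfs_group 2;\n'
            printf '\tlifetime time 1 hour;\n'
            printf '\tencryption_algorithm aes 256;\n'
            printf '\tauthentication_algorithm hmac_sha1;\n'
            printf '\tcompression_algorithm deflate;\n'
            printf '}\n'
        done
    done
}

# count_policies LAN REMOTE_NET LOCAL_GW REMOTE_GW PORT...
# Number of spdadd lines gen_spd would emit (two per port); a sanity check
# to run before flushing the live SPD with "setkey -FP".
count_policies() {
    gen_spd "$@" | grep -c '^spdadd '
}

# demo: LAN 192.168.0.0/24 to anywhere on ports 80 and 443 through a tunnel
# between two constructed gateway addresses.
demo() {
    gen_spd 192.168.0.0/24 0.0.0.0/0 203.0.113.10 198.51.100.20 80 443
    echo
    gen_sainfo 192.168.0.0/24 0.0.0.0/0 80 443
}

demo
```

To try it by hand the way Erik did: `setkey -FP`, then pipe the `gen_spd` output into `setkey -c` (or save it and use `setkey -f`), and dump with `setkey -DP` to confirm the `[80]`/`[443]` selectors are present in the kernel SPD; the `sainfo` output goes into racoon.conf and racoon must be restarted. Keep the thread's two `none` bypass policies for gateway-to-LAN traffic alongside these. As Erik notes, pfSense regenerates the SPD from its XML config, so anything loaded this way is only for manual testing.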
