Hi, I have an OpenBSD-based branch office router which connects to a cisco-based hq router via an ipsec-protected gre tunnel (transport mode).

If I 'set skip on enc' everything works fine, but I would like to tighten rules on enc a bit as well, not as much for the sake of functionality as for the sake of my better understanding of pf. However I can't figure out what exactly I need to pass. Here's output from tcpdump on pflog:

  16:37:37.380697 rule 4/(match) [uid 0, pid 17711] block in on enc0: 192.168.224.2 > 192.168.224.97: gre 192.168.224.2 > 192.168.224.97: [] 10.50.0.89 > 224.0.0.5: OSPFv2-hello 48[60]: rtrid 192.168.225.1 backbone E mask 255.255.255.252 int 10 pri 1 dead 40 nbrs 192.168.223.13 [tos 0xc0] [ttl 1] (id 49333, len 80) [tos 0xc0] (ttl 255, id 64559, len 104) [tos 0xc0] (ttl 253, id 12919, len 124)

192.168.224.2 and 192.168.224.97 are the addresses of the physical interfaces (remote and local, respectively). 10.50.0.9 is the address of the remote gre tunnel endpoint. I thought that simple...

  pass in on enc0 inet proto gre from 192.168.224.2 to 192.168.224.97 \
        keep state (if-bound)

... would allow the above packet but apparently it doesn't. What exactly should I pass on the enc interface so that the above packet passes?

Thank you in advance.

-- 
Before enlightenment - chop wood, draw water.
After enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/
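The pflog line above packs three things a troubleshooter needs into one string: the rule number that matched, the direction and interface pf evaluated the packet on, and the stack of headers tcpdump decoded (outer IP, GRE, inner IP, OSPF). The following script, added here as an illustration and not part of the original post, pulls those apart so the rule number can be looked up and the outer src/dst/proto that the enc0 rule must cover can be read off directly. The regular expressions are derived only from this one sample line (the tcpdump output quoted above, embedded as a constructed fixture); IPv6, TCP/UDP port notation and other pflog formats are not handled, and the assumption that the trailing "(ttl, id, len)" groups are printed innermost-first is taken from the sample's lengths (80 < 104 < 124).

```python
"""Decode an OpenBSD pflog line (as printed by tcpdump on pflog0) into the
matching rule and the stack of headers tcpdump decoded.

Added example for this thread, not code from the original post. Parsing
rules are derived from the single sample line below only.
"""
import re
from typing import Dict, List

# Constructed fixture: the pflog line quoted in the post.
SAMPLE = (
    "16:37:37.380697 rule 4/(match) [uid 0, pid 17711] block in on enc0: "
    "192.168.224.2 > 192.168.224.97: gre 192.168.224.2 > 192.168.224.97: "
    "[] 10.50.0.89 > 224.0.0.5: OSPFv2-hello 48[60]: rtrid 192.168.225.1 backbone E "
    "mask 255.255.255.252 int 10 pri 1 dead 40 nbrs 192.168.223.13 [tos 0xc0] [ttl 1] "
    "(id 49333, len 80) [tos 0xc0] (ttl 255, id 64559, len 104) "
    "[tos 0xc0] (ttl 253, id 12919, len 124)"
)

# Timestamp, rule number and reason, optional uid/pid, action, direction, interface.
HEAD_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) rule (?P<rule>\d+)/\((?P<reason>[^)]+)\)"
    r"(?: \[uid (?P<uid>\d+), pid (?P<pid>\d+)\])?"
    r" (?P<action>pass|block|match) (?P<dir>in|out) on (?P<ifname>[^:]+): (?P<rest>.*)$"
)
# One "src > dst:" header, optionally tagged with a lowercase protocol name ("gre").
HDR_RE = re.compile(
    r"(?:(?P<proto>[a-z]+) )?(?P<src>\d+\.\d+\.\d+\.\d+) > (?P<dst>\d+\.\d+\.\d+\.\d+):"
)
# Per-header trailer; tcpdump prints "[ttl 1]" separately when the TTL is 1.
TRAILER_RE = re.compile(
    r"(?:\[ttl (?P<ttl_a>\d+)\] )?\((?:ttl (?P<ttl_b>\d+), )?id (?P<id>\d+), len (?P<len>\d+)\)"
)


def parse_pflog_line(line: str) -> Dict:
    """Return rule metadata plus a list of decoded header layers, outermost first."""
    m = HEAD_RE.match(line.strip())
    if not m:
        raise ValueError("not a pflog line: %r" % line)
    rest = m.group("rest")
    headers = list(HDR_RE.finditer(rest))
    if not headers:
        raise ValueError("no IP header found in: %r" % rest)
    # Text after the innermost "src > dst:" up to the next colon names the payload.
    payload = rest[headers[-1].end():].strip().split(":", 1)[0]
    # Trailers are assumed innermost-first (lengths 80 < 104 < 124 in the sample),
    # so reverse them to line up with the headers, which run outermost-first.
    trailers = list(TRAILER_RE.finditer(rest))[::-1]
    layers: List[Dict] = []
    for i, h in enumerate(headers):
        layer = {"proto": h.group("proto") or "ip", "src": h.group("src"), "dst": h.group("dst")}
        if i < len(trailers):
            t = trailers[i]
            layer.update(ttl=int(t.group("ttl_a") or t.group("ttl_b")),
                         id=int(t.group("id")), len=int(t.group("len")))
        layers.append(layer)
    return {
        "ts": m.group("ts"), "rule": int(m.group("rule")), "reason": m.group("reason"),
        "uid": int(m.group("uid")) if m.group("uid") else None,
        "action": m.group("action"), "dir": m.group("dir"), "ifname": m.group("ifname"),
        "layers": layers, "payload": payload,
    }


def protocol_chain(parsed: Dict) -> List[str]:
    """Encapsulation chain, e.g. ['ip', 'gre', 'ip', 'OSPFv2-hello']."""
    return [l["proto"] for l in parsed["layers"]] + [parsed["payload"].split()[0]]


def describe(parsed: Dict) -> str:
    """One-line summary: which rule fired, where, and what the outer/inner flows are."""
    outer, inner = parsed["layers"][0], parsed["layers"][-1]
    return "rule %d (%s) %s %s on %s: %s; outer %s -> %s, inner %s -> %s" % (
        parsed["rule"], parsed["reason"], parsed["action"], parsed["dir"], parsed["ifname"],
        " > ".join(protocol_chain(parsed)), outer["src"], outer["dst"], inner["src"], inner["dst"])


if __name__ == "__main__":
    p = parse_pflog_line(SAMPLE)
    print(describe(p))
    for layer in p["layers"]:
        print("  ", layer)
```

The "rule 4" index printed by pflog is the position of the rule in the loaded ruleset, which "pfctl -vvsr" shows as an "@4" prefix, so the first thing to check is which rule that index actually is; a later matching block rule wins over an earlier non-quick pass rule. The outermost layer the script reports is the header the enc0 rule is evaluated against.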

