Hi,
I have OpenBSD-based branch office router which connects to
cisco-based hq router via ipsec-protected gre tunnel (transport mode).
If I 'set skip on enc' everything works fine, but I would like to
tighten rules on enc a bit as well, not as much for the sake of
functionality as for the sake of my better understanding of pf. However
I can't figure out what exactly I need to pass.
Here's output from tcpdump on pflog:
16:37:37.380697 rule 4/(match) [uid 0, pid 17711] block in on enc0:
192.168.224.2 > 192.168.224.97: gre 192.168.224.2 > 192.168.224.97: []
10.50.0.89 > 224.0.0.5: OSPFv2-hello 48[60]: rtrid 192.168.225.1
backbone E mask 255.255.255.252 int 10 pri 1 dead 40 nbrs
192.168.223.13 [tos 0xc0] [ttl 1] (id 49333, len 80) [tos 0xc0] (ttl
255, id 64559, len 104) [tos 0xc0] (ttl 253, id 12919, len 124)
192.168.224.2 and 192.168.224.97 are addresses of physical interfaces
(remote and local, respectively).
10.50.0.9 is address of remote gre tunnel endpoint
I thought that simple...
pass in on enc0 inet proto gre from 192.168.224.2 to 192.168.224.97 \
keep state (if-bound)
... would allow the above packet but apparently it doesn't.
What exactly I should pass on enc interface so that the above packet
passes?
Thank you in advance.
--
Before enlightenment - chop wood, draw water.
After enlightenment - chop wood, draw water.
Marko Cupać
https://www.mimar.rs/
