On Wed, Aug 20, 2008 at 07:02:28AM -0700, Jeff Simmons wrote:
>
> ike passive esp from $lan_net to $remote_lan_net peer $remote_gw_addr
> ike passive esp from $T1-2_addr to $remote_gw_addr
do you totally want passive, or is that just an artifact of trying
to get things to work reliably?
> pass in quick on $T1-2_if reply-to ($T1-2_if $T1-2_gw) proto 50 from any to
> $T1-2_addr keep state
>
> pass in quick on $T1-2_if reply-to ($T1-2_if $T1-2_gw) proto udp from any to
> $T1-2_addr port 500
so you want something like:
if ([ $proto -eq $udp ] && [ $port -eq $isakmp ]) || [ $proto -eq $esp ]; then
use T1-2
else
use T1-1
fi
does traffic from $remote_ipsec_peer to you already end up coming in T1-2 on
its own, or does it come into T1-1?
if yes, is that already only for ipsec-related traffic, or do they currently
send everything to your T1-2 iface as-is?
--
jared
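The policy Jared sketches in his if/else (IKE and ESP handled on T1-2, everything else on T1-1) written out as an OpenBSD pf.conf fragment. This is an added example, not config from either poster: the interface names, addresses and gateway are assumed (addresses from the RFC 5737 documentation ranges), and the `$T1-2_*` macros from the quoted rules are spelled with underscores because pf macro names may only contain letters, digits and underscores. The `reply-to` on the inbound rules is what makes the replies leave by the T1-2 gateway instead of following the default route out T1-1; the `route-to` rule covers the case where this side initiates rather than running `ike passive` (with `passive`, isakmpd never starts the negotiation and waits for the remote peer to do so, which is the point of Jared's first question).

```pf
# Added example: pf.conf fragment for a two-T1 OpenBSD gateway where
# only IKE and ESP to one IPsec peer should use the second link.
# Interface names, addresses and gateways below are assumed/constructed.
T1_1_if        = "em0"            # default-route link (assumed)
T1_2_if        = "em1"            # link the IPsec peer talks to (assumed)
T1_2_addr      = "192.0.2.10"     # our address on T1-2 (constructed)
T1_2_gw        = "192.0.2.1"      # T1-2 provider gateway (constructed)
remote_gw_addr = "198.51.100.20"  # remote IPsec gateway (constructed)
lan_net        = "10.0.0.0/24"    # inside network (constructed)

set skip on lo

# Inbound IKE (ISAKMP, udp/500) and ESP (IP protocol 50) from the peer on T1-2.
# reply-to pins the state's return path to T1-2's gateway, so the answers do
# not follow the default route out T1-1 (the peer would see them arrive from
# the wrong link, or not at all).
pass in quick on $T1_2_if reply-to ($T1_2_if $T1_2_gw) \
    proto udp from $remote_gw_addr to $T1_2_addr port isakmp keep state
pass in quick on $T1_2_if reply-to ($T1_2_if $T1_2_gw) \
    proto esp from $remote_gw_addr to $T1_2_addr keep state

# Outbound side for the case where this end initiates (ike active, not
# passive): the routing table picks T1-1, route-to overrides it for IKE/ESP
# destined to the peer so the exchange stays on T1-2 in both directions.
pass out quick on $T1_1_if route-to ($T1_2_if $T1_2_gw) \
    proto { udp esp } from $T1_2_addr to $remote_gw_addr keep state

# Plain inbound traffic on T1-2 (anything that is not IKE/ESP) still needs
# reply-to, or its replies leak out T1-1. Restrict to what T1-2 should serve.
pass in on $T1_2_if reply-to ($T1_2_if $T1_2_gw) \
    proto tcp from any to $T1_2_addr port ssh keep state

# Everything else uses the default route via T1-1.
pass out on $T1_1_if from { $T1_1_if:network, $lan_net } to any keep state

# Decrypted traffic between the two LANs appears on enc0.
pass on enc0 from $lan_net to any
pass on enc0 from any to $lan_net
```

Two things to check before trusting this on a live box. First, the `route-to` rule changes only the egress interface and next hop, not the source address: if this side initiates, isakmpd must already be sending from $T1_2_addr (the `from $T1-2_addr to $remote_gw_addr` host flow in the quoted ipsec.conf suggests that is the intent), otherwise the peer sees packets from the T1-1 address and the rule never matches. A host route for $remote_gw_addr via $T1_2_gw is the simpler alternative when that is the only destination that should use T1-2. Second, if either end is behind NAT and IKE falls back to NAT-T, udp/4500 needs the same `reply-to`/`route-to` treatment as udp/500; the thread does not mention NAT, so it is left out above.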