J. Ryan Earl wrote:
Well, this is truly confusing. Another thing I noticed was that
certain inbound services/port forwards don't work on OPT1 either, namely
FTP. Maybe I should just start over from scratch with the 1.0 release
LiveCD. The behavior is very inconsistent. The NICs might be
different, wonder if that has anything to do with it. I'll have to do
some more testing.
J. Ryan Earl wrote:
Turns out, all the setsockopt may have had nothing to do with the
problem. That should have only been a problem if I was using IPSec
Pass Thru, i.e. setting up a VPN from inside of a NAT to an end-point
outside the NAT.
So here's the real problem as far as I can tell. pfSense only
supports IPSec tunnels that originate from the "WAN" interface on the
pfSense firewall. I have 2 ISP connections:
WAN => T1 (209.198.142.210)
OPT1 => DSL (216.62.203.233)
True: there's a bug in filter.inc where the pass rules are generated
against the WAN address instead of the IPSEC address specified in the
tunnel. Please test whether the attached patch alleviates the pain.
ipsec tunnel off of OPT1 works fine here.
Allow me to doubt.
Angelo Turetta
--- filter.default Tue Oct 17 18:08:59 2006
+++ filter.inc Tue Oct 17 20:46:39 2006
@@ -2389,15 +2389,15 @@
foreach
($config['installedpackages']['sasyncd']['config'] as $sasyncd)
if
($sasyncd['ip'] <> "")
$interface_ip = $sasyncd['ip'];
- $ipfrules .= "pass out quick on
\${$iface} proto udp from {$interface_ip} to {$remote_gateway} port = 500 keep
state label \"IPSEC: {$tunnel['descr']} - outbound isakmp\"\n";
- $ipfrules .= "pass in quick on
\${$iface} proto udp from {$remote_gateway} to $interface_ip port = 500 keep
state label \"IPSEC: {$tunnel['descr']} - inbound isakmp\"\n";
+ $ipfrules .= "pass out quick on
\${$iface} proto udp from $ipsec_ip to {$remote_gateway} port = 500 keep state
label \"IPSEC: {$tunnel['descr']} - outbound isakmp\"\n";
+ $ipfrules .= "pass in quick on
\${$iface} proto udp from {$remote_gateway} to $ipsec_ip port = 500 keep state
label \"IPSEC: {$tunnel['descr']} - inbound isakmp\"\n";
if ($tunnel['p2']['protocol'] == 'esp')
{
- $ipfrules .= "pass out quick on
\${$iface} proto esp from {$interface_ip} to {$remote_gateway} keep state label
\"IPSEC: {$tunnel['descr']} - outbound esp proto\"\n";
- $ipfrules .= "pass in quick on
\${$iface} proto esp from {$remote_gateway} to {$interface_ip} keep state label
\"IPSEC: {$tunnel['descr']} - inbound esp proto\"\n";
+ $ipfrules .= "pass out quick on
\${$iface} proto esp from $ipsec_ip to {$remote_gateway} keep state label
\"IPSEC: {$tunnel['descr']} - outbound esp proto\"\n";
+ $ipfrules .= "pass in quick on
\${$iface} proto esp from {$remote_gateway} to $ipsec_ip keep state label
\"IPSEC: {$tunnel['descr']} - inbound esp proto\"\n";
}
if ($tunnel['p2']['protocol'] == 'ah') {
- $ipfrules .= "pass out quick on
\${$iface} proto ah from {$interface_ip} to {$remote_gateway} keep state label
\"IPSEC: {$tunnel['descr']} - outbound ah proto\"\n";
- $ipfrules .= "pass in quick on
\${$iface} proto ah from {$remote_gateway} to {$interface_ip} keep state label
\"IPSEC: {$tunnel['descr']} - inbound ah proto\"\n";
+ $ipfrules .= "pass out quick on
\${$iface} proto ah from $ipsec_ip to {$remote_gateway} keep state label
\"IPSEC: {$tunnel['descr']} - outbound ah proto\"\n";
+ $ipfrules .= "pass in quick on
\${$iface} proto ah from {$remote_gateway} to $ipsec_ip keep state label
\"IPSEC: {$tunnel['descr']} - inbound ah proto\"\n";
}
}
}
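Review bot: `$ipsec_ip` is read in every rewritten rule of this hunk but is never assigned anywhere in it, and the sasyncd loop kept at the top of the hunk still writes its override into `$interface_ip`, which no rule reads any more, so a sasyncd-supplied address would now be silently ignored. Show where `$ipsec_ip` is derived from the tunnel's configured interface, and carry the override across, e.g. `if ($sasyncd['ip'] <> "") $ipsec_ip = $sasyncd['ip'];`. The rules also still bind to `\${$iface}`: if `$iface` is left pointing at the WAN macro, the OPT1 address will be emitted on the WAN interface and a tunnel on OPT1 still will not pass, so `$iface` needs to come from the tunnel's interface as well. As a style point, `$ipsec_ip` is interpolated bare while the neighbouring variables use `{$remote_gateway}`; `{$ipsec_ip}` keeps the rule strings consistent.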
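The generator logic the thread is arguing about, as an added example that is not part of this thread or of pfSense's filter.inc: Python stands in for the PHP, the physical interface names (fxp0, fxp1), the remote gateway 198.51.100.7 and the tunnel description are constructed, and the two uplink addresses are the ones Ryan posted. `fixed=False` reproduces the WAN-only behaviour he describes; `fixed=True` binds the rules to the tunnel's own interface and address, and `audit_rules` is a check a practitioner can run over a generated ruleset to catch the mismatch.

```python
"""Added example (not from the thread or pfSense): pf 'pass' rules for one
IPsec tunnel, WAN-only (buggy) versus bound to the tunnel's own interface."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed interface table: the two uplinks from the thread, keyed the way
# pfSense names them, with hypothetical physical interface names.
INTERFACES: Dict[str, Dict[str, str]] = {
    "wan":  {"if": "fxp0", "ip": "209.198.142.210"},  # T1
    "opt1": {"if": "fxp1", "ip": "216.62.203.233"},   # DSL
}


@dataclass
class Tunnel:
    descr: str
    interface: str                    # pfSense interface key the tunnel is configured on
    remote_gateway: str
    p2_protocol: str = "esp"          # phase-2 protocol: "esp" or "ah"
    sasyncd_ip: Optional[str] = None  # sasyncd/CARP override, as in the patched loop


def generate_rules(tunnel: Tunnel, ifaces: Dict[str, Dict[str, str]],
                   fixed: bool = True) -> List[str]:
    """Return the pf pass rules for one tunnel.

    fixed=False reproduces the bug from the thread: rules are always built
    against the WAN interface and address, whatever interface the tunnel is
    configured on.  fixed=True uses the tunnel's interface and its address.
    """
    key = tunnel.interface if fixed else "wan"
    if key not in ifaces:
        raise ValueError(f"unknown interface {key!r}")
    if tunnel.p2_protocol not in ("esp", "ah"):
        raise ValueError(f"unsupported phase-2 protocol {tunnel.p2_protocol!r}")
    iface = ifaces[key]["if"]
    # A sasyncd shared address, when configured, replaces the interface's own.
    ip = tunnel.sasyncd_ip or ifaces[key]["ip"]
    gw, descr, proto = tunnel.remote_gateway, tunnel.descr, tunnel.p2_protocol
    return [
        f'pass out quick on {iface} proto udp from {ip} to {gw} port = 500 keep state '
        f'label "IPSEC: {descr} - outbound isakmp"',
        f'pass in quick on {iface} proto udp from {gw} to {ip} port = 500 keep state '
        f'label "IPSEC: {descr} - inbound isakmp"',
        f'pass out quick on {iface} proto {proto} from {ip} to {gw} keep state '
        f'label "IPSEC: {descr} - outbound {proto} proto"',
        f'pass in quick on {iface} proto {proto} from {gw} to {ip} keep state '
        f'label "IPSEC: {descr} - inbound {proto} proto"',
    ]


def audit_rules(rules: List[str], tunnel: Tunnel,
                ifaces: Dict[str, Dict[str, str]]) -> List[str]:
    """Check every rule against the tunnel's configured interface and address.

    Returns a list of findings; an empty list means all rules are bound to
    the interface the tunnel lives on and carry that interface's address.
    """
    want_if = ifaces[tunnel.interface]["if"]
    want_ip = tunnel.sasyncd_ip or ifaces[tunnel.interface]["ip"]
    findings: List[str] = []
    for rule in rules:
        if f" on {want_if} " not in rule:
            findings.append(f"wrong interface (expected {want_if}): {rule}")
        if want_ip not in rule:
            findings.append(f"wrong local address (expected {want_ip}): {rule}")
    return findings


if __name__ == "__main__":
    # Constructed tunnel on OPT1 (the DSL uplink) to a hypothetical peer.
    t = Tunnel("dsl-vpn", "opt1", "198.51.100.7")
    for fixed in (False, True):
        rules = generate_rules(t, INTERFACES, fixed=fixed)
        print(f"--- fixed={fixed}")
        for r in rules:
            print(r)
        print("findings:", audit_rules(rules, t, INTERFACES))
```

Run as a script it prints both rulesets for the OPT1 tunnel; the unfixed one is flagged on every rule for both the interface and the source address, which is exactly the symptom of a tunnel that only works from WAN.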