Okay, so that I am on the same page as you. Those $wan rules should have read $optX ??
Scott

On 3/29/07, Vaughn L. Reid III <[EMAIL PROTECTED]> wrote:
Oops! Sorry for the double post.

Vaughn L. Reid III wrote:
> Here is the relevant text of my rules.debug file. It looks like the
> interface on the connection "computer support" has the same interface
> as the rest of the tunnels. This is the test connection that should
> be using OPT3.
>
> # let out anything from the firewall host itself and decrypted IPsec traffic
> pass out quick on $lan proto icmp keep state label "let out anything from firewall host itself"
> pass out quick on $wan proto icmp keep state label "let out anything from firewall host itself"
> pass out quick on em1 all keep state label "let out anything from firewall host itself"
> # pass traffic from firewall -> out
> anchor "firewallout"
> pass out quick on em1 all keep state label "let out anything from firewall host itself"
> pass out quick on em0 all keep state label "let out anything from firewall host itself"
> pass out quick on em4 all keep state label "let out anything from firewall host itself"
> pass out quick on em2 all keep state label "let out anything from firewall host itself"
> pass out quick on $pptp all keep state label "let out anything from firewall host itself pptp"
> pass out quick on $enc0 keep state label "IPSEC internal host to host"
>
> # let out anything from the firewall host itself and decrypted IPsec traffic
> pass out quick on em4 proto icmp keep state label "let out anything from firewall host itself"
> pass out quick on em4 all keep state label "let out anything from firewall host itself"
>
>
> # VPN Rules
> pass out quick on $wan proto udp from 209.218.218.138 to 65.119.178.137 port = 500 keep state label "IPSEC: Fire Station 3 - outbound isakmp"
> pass in quick on $wan proto udp from 65.119.178.137 to 209.218.218.138 port = 500 keep state label "IPSEC: Fire Station 3 - inbound isakmp"
> pass out quick on $wan proto esp from 209.218.218.138 to 65.119.178.137 keep state label "IPSEC: Fire Station 3 - outbound esp proto"
> pass in quick on $wan proto esp from 65.119.178.137 to 209.218.218.138 keep state label "IPSEC: Fire Station 3 - inbound esp proto"
> pass out quick on $wan proto udp from 209.218.218.138 to 65.119.178.129 port = 500 keep state label "IPSEC: Street Department - outbound isakmp"
> pass in quick on $wan proto udp from 65.119.178.129 to 209.218.218.138 port = 500 keep state label "IPSEC: Street Department - inbound isakmp"
> pass out quick on $wan proto esp from 209.218.218.138 to 65.119.178.129 keep state label "IPSEC: Street Department - outbound esp proto"
> pass in quick on $wan proto esp from 65.119.178.129 to 209.218.218.138 keep state label "IPSEC: Street Department - inbound esp proto"
> pass out quick on $wan proto udp from 209.218.218.138 to 65.119.178.154 port = 500 keep state label "IPSEC: Fire Station 2 - outbound isakmp"
> pass in quick on $wan proto udp from 65.119.178.154 to 209.218.218.138 port = 500 keep state label "IPSEC: Fire Station 2 - inbound isakmp"
> pass out quick on $wan proto esp from 209.218.218.138 to 65.119.178.154 keep state label "IPSEC: Fire Station 2 - outbound esp proto"
> pass in quick on $wan proto esp from 65.119.178.154 to 209.218.218.138 keep state label "IPSEC: Fire Station 2 - inbound esp proto"
> pass out quick on $wan proto udp from 209.218.218.138 to 70.227.28.14 port = 500 keep state label "IPSEC: EMS Building - outbound isakmp"
> pass in quick on $wan proto udp from 70.227.28.14 to 209.218.218.138 port = 500 keep state label "IPSEC: EMS Building - inbound isakmp"
> pass out quick on $wan proto esp from 209.218.218.138 to 70.227.28.14 keep state label "IPSEC: EMS Building - outbound esp proto"
> pass in quick on $wan proto esp from 70.227.28.14 to 209.218.218.138 keep state label "IPSEC: EMS Building - inbound esp proto"
> pass out quick on $wan proto udp from 209.218.218.138 to 70.237.44.110 port = 500 keep state label "IPSEC: Computer Support - outbound isakmp"
> pass in quick on $wan proto udp from 70.237.44.110 to 209.218.218.138 port = 500 keep state label "IPSEC: Computer Support - inbound isakmp"
> pass out quick on $wan proto esp from 209.218.218.138 to 70.237.44.110 keep state label "IPSEC: Computer Support - outbound esp proto"
> pass in quick on $wan proto esp from 70.237.44.110 to 209.218.218.138 keep state label "IPSEC: Computer Support - inbound esp proto"
>
> pass in quick on em0 inet proto tcp from any to $loopback port 8021 keep state label "FTP PROXY: Allow traffic to localhost"
> pass in quick on em0 inet proto tcp from any to $loopback port 21 keep state label "FTP PROXY: Allow traffic to localhost"
> pass in quick on em1 inet proto tcp from port 20 to (em1) port > 49000 user proxy flags S/SA keep state label "FTP PROXY: PASV mode data connection"
> # enable ftp-proxy
> pass in quick on em4 inet proto tcp from any to $loopback port 8022 keep state label "FTP PROXY: Allow traffic to localhost"
> pass in quick on em4 inet proto tcp from any to $loopback port 21 keep state label "FTP PROXY: Allow traffic to localhost"
>
> Vaughn
>
>
> Scott Ullrich wrote:
>> On 3/29/07, Vaughn L. Reid III <[EMAIL PROTECTED]> wrote:
>>> I didn't get the request, but I'll be happy to check to see if rules are
>>> being added. Should I remove the manual rules that I created first
>>> before checking?
>>
>> Yes, please. Then open up /tmp/rules.debug and look for "VPN
>> Rules". Below that marker are the system-generated IPSEC rules. Do
>> you see entries for the OPT interface?
>>
>> Scott

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
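The check Scott asks for above (look below "# VPN Rules" in /tmp/rules.debug and see which interface each generated IPsec rule is bound to) can be automated. This is an added example, not code from the thread or from pfSense; the sample rules are a constructed slice of the rules.debug quoted above, and the EXPECTED mapping (Computer Support on $opt3) is an assumption about the intended layout.

```python
import re

# Constructed sample: a slice of the "# VPN Rules" block from the rules.debug quoted above.
SAMPLE = """\
# VPN Rules
pass out quick on $wan proto udp from 209.218.218.138 to 65.119.178.137 port = 500 keep state label "IPSEC: Fire Station 3 - outbound isakmp"
pass in quick on $wan proto udp from 65.119.178.137 to 209.218.218.138 port = 500 keep state label "IPSEC: Fire Station 3 - inbound isakmp"
pass out quick on $wan proto esp from 209.218.218.138 to 65.119.178.137 keep state label "IPSEC: Fire Station 3 - outbound esp proto"
pass in quick on $wan proto esp from 65.119.178.137 to 209.218.218.138 keep state label "IPSEC: Fire Station 3 - inbound esp proto"
pass out quick on $wan proto udp from 209.218.218.138 to 70.237.44.110 port = 500 keep state label "IPSEC: Computer Support - outbound isakmp"
pass in quick on $wan proto udp from 70.237.44.110 to 209.218.218.138 port = 500 keep state label "IPSEC: Computer Support - inbound isakmp"
pass out quick on $wan proto esp from 209.218.218.138 to 70.237.44.110 keep state label "IPSEC: Computer Support - outbound esp proto"
pass in quick on $wan proto esp from 70.237.44.110 to 209.218.218.138 keep state label "IPSEC: Computer Support - inbound esp proto"
"""

# Assumed expectation (not from the thread): the interface macro each tunnel should be bound to.
EXPECTED = {"Fire Station 3": "$wan", "Computer Support": "$opt3"}

# One generated IPsec rule: direction, interface, protocol, and the tunnel name from the label.
RULE_RE = re.compile(
    r'^pass (in|out) quick on (\S+) proto (udp|esp) .*'
    r'label "IPSEC: (.+?) - (?:inbound|outbound) (?:isakmp|esp proto)"$'
)

def parse_ipsec_rules(text):
    """Map tunnel name -> {(direction, proto): interface} for rules after '# VPN Rules'."""
    tunnels, in_vpn = {}, False
    for line in text.splitlines():
        if line.startswith("# VPN Rules"):
            in_vpn = True
            continue
        m = RULE_RE.match(line) if in_vpn else None
        if m:
            direction, iface, proto, name = m.groups()
            tunnels.setdefault(name, {})[(direction, proto)] = iface
    return tunnels

def check_tunnels(tunnels, expected):
    """Return (tunnel, problem) pairs: rules on the wrong interface, or any of the four missing."""
    problems = []
    for name, want in expected.items():
        rules = tunnels.get(name, {})
        for key in [(d, p) for d in ("in", "out") for p in ("udp", "esp")]:
            seen = rules.get(key)
            if seen is None:
                problems.append((name, "missing %s %s rule" % key))
            elif seen != want:
                problems.append((name, "%s %s rule on %s, expected %s" % (key + (seen, want))))
    return problems
```

On the firewall itself, feed it the real file with `check_tunnels(parse_ipsec_rules(open("/tmp/rules.debug").read()), EXPECTED)`; for the sample it reports all four Computer Support rules on $wan instead of $opt3.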