Date: Tue, 11 Oct 2011 15:37:46 -0400
From: Michael Proto <mike@jellydonut.org>
To: freebsd-pf@freebsd.org
Subject: Re: Filtering inside IPSec tunnel
Message-ID: <CAGAnWo37UfOHBs=+P2Hs-0BiDeWZkkwGA4PG0qPbhgDghKRLcQ@mail.gmail.com>
In-Reply-To: <94876.1318358460.12206338191212019712@ffe11.ukr.net>
References: <94876.1318358460.12206338191212019712@ffe11.ukr.net>
2011/10/11 Виталий Владимирович <artemrts@ukr.net>:
>
> I have the IPSec tunnel FreeBSD <-> CISCO. Tunnel works fine but I can filtering traffic inside tunnel with PF.
>
> pf.conf
>
> ......
>
> ipsec_if="gif0"
>
> .......
> block in all
> block out all
>
> ### EXT_IF_OUT
>
> pass out log quick on $ext_if inet from ($ext_if) to any modulate state
>
> ### EXT_IF_IN
>
> pass in quick on $ext_if inet proto udp from $cisco to ($ext_if) port 500
> pass in quick on $ext_if inet proto {esp ah ipencap} from $cisco to ($ext_if)
>
> ### IPSec VPN INTERFACE
> #pass in quick on $ipsec_if inet from any to $ipsec_if
> #pass out quick on $ipsec_if inet from $ipsec_if to any
> block quick on $ipsec_if
>
> But I still ping the second point of IPSec tunnel.
> Where is my mistake?

IIRC you also need the following in your kernel config:

options IPSEC_FILTERTUNNEL

(I think it used to be called IPSEC_FILTERGIF, depending on what version of FreeBSD you're running)

-Proto
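A pre-flight check for the fix the reply suggests, added here as an example rather than anything from the thread or from FreeBSD: it takes a kernel config and a pf.conf as text (constructed samples, modelled on the poster's rules) and reports whether rules on the gif interface can ever be evaluated, since without IPSEC_FILTERTUNNEL (IPSEC_FILTERGIF on older releases) decapsulated tunnel packets are not passed through pf on gif0 and "block quick on $ipsec_if" never matches. The function names and sample configs are assumptions made for the example.

```shell
#!/bin/sh
# Added example: audit whether pf rules on the IPsec gif interface are live.
# Without "options IPSEC_FILTERTUNNEL" (IPSEC_FILTERGIF on older FreeBSD) the
# kernel does not hand decapsulated tunnel packets to pf on gif0, so a rule
# such as "block quick on $ipsec_if" never matches. Names and sample configs
# are constructed for this example, not taken from the thread or FreeBSD.

# Constructed kernel config fragments: without, and with, the option.
KERNCONF_WITHOUT='options IPSEC
options IPSEC_NAT_T
device crypto'
KERNCONF_WITH="$KERNCONF_WITHOUT
options IPSEC_FILTERTUNNEL"

# Constructed pf.conf modelled on the poster's rules.
PFCONF='ipsec_if="gif0"
block in all
block out all
pass in quick on $ext_if inet proto {esp ah ipencap} from $cisco to ($ext_if)
block quick on $ipsec_if'

# Exit 0 if the kernel config enables filtering of decapsulated tunnel packets.
kernel_filters_tunnel() {
    printf '%s\n' "$1" |
        grep -Eq '^[[:space:]]*options[[:space:]]+IPSEC_FILTER(TUNNEL|GIF)([[:space:]]|$)'
}

# Print how many pass/block rules in $1 are bound to interface (or macro) $2.
# $2 is used as an ERE fragment, so a macro is passed as '\$ipsec_if'.
rules_on_iface() {
    printf '%s\n' "$1" |
        grep -Ec "^[[:space:]]*(pass|block)[^#]*[[:space:]]on[[:space:]]+$2([[:space:]]|$)" || true
}

# Verdict for kernel config $1 and pf.conf $2 on interface $3:
# exit 0 when the rules are effective, 1 when they can never match.
audit_tunnel_filtering() {
    n=$(rules_on_iface "$2" "$3")
    if [ "$n" -eq 0 ]; then
        echo "no pf rules on $3; nothing to check"; return 0
    fi
    if kernel_filters_tunnel "$1"; then
        echo "$n rule(s) on $3 are evaluated: tunnel filtering is enabled in the kernel"; return 0
    fi
    echo "$n rule(s) on $3 never match: add 'options IPSEC_FILTERTUNNEL' and rebuild"; return 1
}

audit_tunnel_filtering "$KERNCONF_WITHOUT" "$PFCONF" '\$ipsec_if' || true
audit_tunnel_filtering "$KERNCONF_WITH" "$PFCONF" '\$ipsec_if'
```

On a live box the same two functions can be fed `sysctl -n kern.conftxt` (when the kernel was built with INCLUDE_CONFIG_FILE) and `pfctl -sr` instead of the constructed strings.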