Date: Tue, 06 Mar 2001 17:19:59 -0800
From: Lars Eggert <larse@ISI.EDU>
To: Stephen Cimarelli <stephen@clari.net.au>
Cc: freebsd-net@freebsd.org
Subject: Re: IPSEC + natd + IPFW
Message-ID: <3AA58CBF.819707E6@isi.edu>
References: <XFMail.010307120903.stephen@clari.net.au>
Stephen Cimarelli wrote:
> I have managed to get IPsec+gif tunnelling to work but am having trouble setting
> up firewall rules, it seems that received ESP packets pass through the firewall
> rule set twice and hit my natd divert rules.

Do you use IPsec tunnel mode, or IPsec transport mode + gif tunnels to do the tunneling? Also, in the ipfw rules below, your "via" clauses reference tun0, which is neither gif nor IPsec tunneling.

> To get around this I had to add rules like 00110 and 00115
>
> 00001 150 20400 count esp from any to any
> 00010 150 20400 allow esp from any to any in recv tun0
> 00011 0 0 allow esp from any to any out xmit tun0
> 00110 1560 231661 allow ip from 192.168.0.0/16 to 192.168.0.0/16
> 00115 9 756 allow ip from 10.10.0.0/16 to 192.168.0.0/16 via tun0
> 00120 6193 2543953 divert 8668 tcp from any to any out xmit tun0
> 00120 15 1233 divert 8668 udp from any to any out xmit tun0
> 00120 0 0 divert 8668 icmp from any to any out xmit tun0
> 00121 6132 6364485 divert 8668 tcp from any to any in recv tun0
> 00121 16 3516 divert 8668 udp from any to any in recv tun0
> 00121 21 1764 divert 8668 icmp from any to any in recv tun0

--
Lars Eggert <larse@isi.edu>             Information Sciences Institute
http://www.isi.edu/larse/               University of Southern California
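The double pass Stephen describes, modelled as a toy first-match walk over the quoted ipfw rules (an added example, not code from the original thread or from FreeBSD). The addresses and packets are constructed, and seeing the decapsulated packet on tun0 is an assumption that mirrors the quoted rules; the udp/icmp divert rows are omitted because they have the same shape as the tcp ones.

```python
"""Toy first-match model of the ipfw rule set quoted above (added example,
not part of the original message). A received ESP datagram matches once as
ESP; after decapsulation the inner packet traverses the rules a second time
and reaches the natd divert rules unless 110/115 accept it first."""
import ipaddress

# (rule number, action, protocol, source, destination, direction, interface)
# "ip" matches any protocol; None means the rule does not test that field.
RULES = [
    (1,   "count",  "esp", "any",            "any",            None,  None),
    (10,  "allow",  "esp", "any",            "any",            "in",  "tun0"),
    (11,  "allow",  "esp", "any",            "any",            "out", "tun0"),
    (110, "allow",  "ip",  "192.168.0.0/16", "192.168.0.0/16", None,  None),
    (115, "allow",  "ip",  "10.10.0.0/16",   "192.168.0.0/16", None,  "tun0"),
    (120, "divert", "tcp", "any",            "any",            "out", "tun0"),
    (121, "divert", "tcp", "any",            "any",            "in",  "tun0"),
]
WORKAROUND = {110, 115}  # the rules Stephen added to stop the second pass

def in_net(addr, net):
    return net == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(net)

def first_match(rules, pkt):
    """(rule number, action) of the first terminating match; 'count' only
    tallies and lets evaluation continue, as in ipfw."""
    for num, action, proto, src, dst, direction, iface in rules:
        if proto != "ip" and proto != pkt["proto"]:
            continue
        if not (in_net(pkt["src"], src) and in_net(pkt["dst"], dst)):
            continue
        if direction is not None and direction != pkt["dir"]:
            continue
        if iface is not None and iface != pkt["iface"]:
            continue
        if action != "count":
            return num, action
    return 65535, "deny"  # ipfw's implicit default rule

def without_workaround():
    return [r for r in RULES if r[0] not in WORKAROUND]

# Constructed traffic (documentation address ranges, not from the thread).
# Assumption: the decapsulated packet is seen arriving on tun0, mirroring the
# quoted rules; Lars's reply questions exactly that interface choice.
OUTER_ESP = {"proto": "esp", "src": "203.0.113.1", "dst": "198.51.100.2",
             "dir": "in", "iface": "tun0"}
INNER_TCP = {"proto": "tcp", "src": "192.168.1.5", "dst": "192.168.2.7",
             "dir": "in", "iface": "tun0"}
```

With the workaround rules present the inner packet is accepted by rule 110; without them it falls through to the natd divert at rule 121, which is the behaviour the thread reports.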
