Date: Wed, 12 Oct 2011 07:50:01 +0300
From: Виталий Владимирович <artemrts@ukr.net>
To: "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net>
Cc: freebsd-pf@freebsd.org
Subject: Re: Filtering inside IPSec tunnel
Message-ID: <52623.1318395001.5638287628313755648@ffe6.ukr.net>
In-Reply-To: <3E6628B4-CABB-41C3-8630-681F08690ABF@lists.zabbadoz.net>
References: <94876.1318358460.12206338191212019712@ffe11.ukr.net> <CAGAnWo37UfOHBs=+P2Hs-0BiDeWZkkwGA4PG0qPbhgDghKRLcQ@mail.gmail.com> <3E6628B4-CABB-41C3-8630-681F08690ABF@lists.zabbadoz.net>
--- Original Message ---
From: "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net>
To: "Michael Proto" <mike@jellydonut.org>
Date: 11 October 2011, 23:24:39
Subject: Re: Filtering inside IPSec tunnel
> On 11. Oct 2011, at 19:37 , Michael Proto wrote:
>
> > 2011/10/11 Виталий Владимирович <artemrts@ukr.net>:
> >>
> >> I have an IPSec tunnel FreeBSD <-> CISCO. The tunnel works fine, but I can't filter traffic inside the tunnel with PF.
> >>
> >> pf.conf
> >>
> >> ......
> >>
> >> ipsec_if="gif0"
> >>
> >> .......
> >> block in all
> >> block out all
> >>
> >> ### EXT_IF_OUT
> >>
> >> pass out log quick on $ext_if inet from ($ext_if) to any modulate state
> >>
> >> ### EXT_IF_IN
> >>
> >> pass in quick on $ext_if inet proto udp from $cisco to ($ext_if) port 500
> >> pass in quick on $ext_if inet proto {esp ah ipencap} from $cisco to ($ext_if)
> >>
> >> ### IPSec VPN INTERFACE
> >> #pass in quick on $ipsec_if inet from any to $ipsec_if
> >> #pass out quick on $ipsec_if inet from $ipsec_if to any
> >> block quick on $ipsec_if
> >>
> >> But I can still ping the other end of the IPSec tunnel.
> >> Where is my mistake?
> >
> > IIRC you also need the following in your kernel config:
> >
> > options IPSEC_FILTERTUNNEL
> >
> > (I think it used to be called IPSEC_FILTERGIF, depending on what
> > version of FreeBSD you're running)
>
>
> yes and there are sysctls these days:
>
> net.inet.ipsec.filtertunnel: 1
> net.inet6.ipsec6.filtertunnel: 1
>
Thanks guys. It works fine!
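The fix in this thread is a single kernel knob, and it is easy to forget on a rebuilt or upgraded box: until net.inet.ipsec.filtertunnel (and net.inet6.ipsec6.filtertunnel for IPv6) is 1, pf never sees the decapsulated packets, so a "block quick on gif0" rule is silently a no-op and the far end stays pingable. The script below is an added example, not code from the thread or from FreeBSD: it checks both sysctls, classifies the result, and prints the next step (set and persist the sysctl, or, on a kernel that has no such sysctl, build with IPSEC_FILTERTUNNEL, the option Michael mentions). The sysctl and kernel option names are the ones given in the replies; the function names, the verdict words and the constructed sample values in the comments are this example's own.

```shell
#!/bin/sh
# Added example (not from the original thread): does pf actually filter
# inside the IPsec tunnel on this FreeBSD host?
#
# Knob names (from the thread):
#   net.inet.ipsec.filtertunnel    IPv4 decapsulated packets go through pf
#   net.inet6.ipsec6.filtertunnel  same for IPv6
# Kernel option on releases that predate the sysctls: IPSEC_FILTERTUNNEL
# (historically IPSEC_FILTERGIF).
# Everything else here (knob_state, diagnose, remediation, the verdict
# words) is constructed for this example.

# knob_state VALUE
#   VALUE is what `sysctl -n <knob>` printed ("" when the knob is absent).
#   Prints: on | off | missing
knob_state() {
    case "$1" in
        1) echo on ;;
        0) echo off ;;
        *) echo missing ;;
    esac
}

# diagnose V4 V6
#   V4/V6 are the raw values of the IPv4 and IPv6 knobs. Prints one word:
#     ok             both on: rules on gif0 see the inner packets
#     set-sysctl     at least one is 0: enable it and persist it
#     kernel-option  at least one is absent: kernel lacks the option
#   e.g. `diagnose 0 1` -> set-sysctl, `diagnose 1 ""` -> kernel-option
diagnose() {
    s4=$(knob_state "$1")
    s6=$(knob_state "$2")
    case "$s4$s6" in
        *missing*) echo kernel-option ;;
        *off*)     echo set-sysctl ;;
        *)         echo ok ;;
    esac
}

# remediation VERDICT: print what a practitioner runs next.
remediation() {
    case "$1" in
        ok)
            cat <<'EOF'
Filtering inside the tunnel is active. Confirm the gif0 rules are being
hit by watching their counters while you ping the far end:
    pfctl -vvsr | grep -A1 gif0
EOF
            ;;
        set-sysctl)
            cat <<'EOF'
Enable it now and persist it across reboots:
    sysctl net.inet.ipsec.filtertunnel=1
    sysctl net.inet6.ipsec6.filtertunnel=1
    printf '%s\n' 'net.inet.ipsec.filtertunnel=1' \
                  'net.inet6.ipsec6.filtertunnel=1' >> /etc/sysctl.conf
EOF
            ;;
        kernel-option)
            cat <<'EOF'
The sysctl is absent, so this kernel needs the option at build time:
    options IPSEC_FILTERTUNNEL    # IPSEC_FILTERGIF on older releases
EOF
            ;;
    esac
}

# Live check only on FreeBSD; elsewhere the functions can still be
# exercised with hand-supplied values, e.g. `diagnose 0 1`.
if [ "$(uname -s)" = FreeBSD ]; then
    v4=$(sysctl -n net.inet.ipsec.filtertunnel 2>/dev/null || true)
    v6=$(sysctl -n net.inet6.ipsec6.filtertunnel 2>/dev/null || true)
    verdict=$(diagnose "$v4" "$v6")
    echo "verdict: $verdict"
    remediation "$verdict"
fi
```

Run it as root on the pf box after loading the ruleset; the "ok" branch's pfctl counter check is the quickest way to prove the block rule is now evaluated, since with the knob off the rule's packet counter never moves no matter how much you ping across the tunnel.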
