Date:      Thu, 21 Nov 2002 16:04:28 +0100 (CET)
From:      "Patrick M. Hausen" <hausen@punkt.de>
To:        David Kelly <dkelly@hiwaay.net>
Cc:        "Patrick M. Hausen" <hausen@punkt.de>, Helge Oldach <freebsd-stable-21nov02@oldach.net>, archie@dellroad.org, guido@gvr.org, sullrich@CRE8.COM, greg.panula@dolaninformation.com, FreeBSD-stable@FreeBSD.ORG
Subject:   Re: IPsec/gif VPN tunnel packets on wrong NIC in ipfw? SOLUTION AND QUESTIONS
Message-ID:  <200211211504.gALF4Sej086710@hugo10.ka.punkt.de>
In-Reply-To: <20021121145332.GA57883@grumpy.dyndns.org>

Hi!

> Glad I didn't know this in advance as that is exactly what I believe I
> have. Two FreeBSD systems, one on each end connected to cable modem.
> About 8 machines behind one on 192.168.100.0/24 and 10 or 15 behind the
> other on 10.0.0.0/24. An ESP tunnel between.

;-)

> Other than my decrypted packets have started appearing to ipfw as if
> they were coming from fxp1 (which is what started this mess) everything
> else is working just fine.

It is only filtering the decrypted packets that I'm talking about
all the time. It's impossible to build a filter that says:

- ESP from my peer is OK
- 10... to 192.168... is OK if it's coming out of the ESP tunnel
- 10... to 192.168... is _not_ OK if it's coming in my external IF
  in plain text

If you want to allow the decrypted traffic in, you have to allow all
traffic with identical addresses, even if it hasn't arrived
through the ESP tunnel but just came to the outside IF of your
network by some other route.

Regards,

Patrick M. Hausen
Technical Director
-- 
punkt.de GmbH         Internet - Dienstleistungen - Beratung
Scheffelstr. 17 a     Tel. 0721 9109 -0 Fax: -100
76135 Karlsruhe       http://punkt.de

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message
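The filtering dilemma Patrick describes above, as an added illustration that is not part of the original thread: a small ipfw-style first-match evaluator over the attributes ipfw actually gets to see (protocol, source, destination, arrival interface). The peer address, the constructed TCP flows and the simplified rule syntax are assumptions for the demo; only the fxp1 name and the two subnets come from the thread. The decrypted inner packet and a cleartext packet spoofing the same addresses present the same attributes, so the rule set either admits both or rejects both.

```python
"""Added example: why an ipfw rule set cannot separate decrypted tunnel
traffic from cleartext traffic carrying the same addresses when both are
attributed to the same interface (fxp1, as reported in the thread).

Models an ipfw-like first-match filter. Rule syntax is a simplified
lookalike, not real ipfw; the peer address and the sample flows are
constructed for the demo.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

PEER = "203.0.113.7"            # constructed peer address (RFC 5737 range)
OUTSIDE_IF = "fxp1"             # external interface named in the thread
LOCAL_NET = ip_network("192.168.100.0/24")
REMOTE_NET = ip_network("10.0.0.0/24")


@dataclass(frozen=True)
class Packet:
    proto: str      # "esp", "tcp", "udp", ...
    src: str
    dst: str
    via: str        # interface ipfw attributes the packet to
    origin: str     # demo bookkeeping only; ipfw never sees this field


@dataclass(frozen=True)
class Rule:
    action: str     # "allow" or "deny"
    proto: str      # "ip" matches any protocol
    src: str        # CIDR, single address, or "any"
    dst: str
    via: str        # interface name or "any"

    def matches(self, p: Packet) -> bool:
        def net_ok(spec: str, addr: str) -> bool:
            return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)

        return ((self.proto == "ip" or self.proto == p.proto)
                and net_ok(self.src, p.src)
                and net_ok(self.dst, p.dst)
                and self.via in ("any", p.via))


def verdict(rules, p: Packet) -> str:
    """First matching rule wins; ipfw's implicit final rule is deny."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"


# The intended policy: ESP from the peer, plus the tunnel's inner traffic
# (which the kernel hands back to ipfw as arriving on fxp1).
RULESET = [
    Rule("allow", "esp", PEER, "any", OUTSIDE_IF),
    Rule("allow", "ip", str(REMOTE_NET), str(LOCAL_NET), OUTSIDE_IF),
]

# Constructed packets as ipfw would see them.
ESP_OUTER = Packet("esp", PEER, "198.51.100.20", OUTSIDE_IF, origin="esp-outer")
DECRYPTED = Packet("tcp", "10.0.0.5", "192.168.100.10", OUTSIDE_IF, origin="decrypted")
SPOOFED = Packet("tcp", "10.0.0.5", "192.168.100.10", OUTSIDE_IF, origin="spoofed")


def ipfw_visible(p: Packet) -> tuple:
    """Everything a stateless rule can key on; 'origin' is deliberately absent."""
    return (p.proto, p.src, p.dst, p.via)


def indistinguishable(a: Packet, b: Packet) -> bool:
    return ipfw_visible(a) == ipfw_visible(b)


def evaluate(rules=RULESET) -> dict:
    """Verdict per packet origin under the given rule set."""
    return {p.origin: verdict(rules, p) for p in (ESP_OUTER, DECRYPTED, SPOOFED)}


if __name__ == "__main__":
    print("same attributes:", indistinguishable(DECRYPTED, SPOOFED))
    print("with inner-traffic rule:", evaluate())
    print("ESP rule only:          ", evaluate(RULESET[:1]))
```

With the inner-traffic rule present, both the decrypted and the spoofed packet are allowed; with only the ESP rule, both are denied and the tunnel is useless. No rule over (proto, src, dst, via) can split the two, which is the point of the message above.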

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200211211504.gALF4Sej086710>