Date: Mon, 26 Aug 2002 15:01:31 +0200
From: Maikel Verheijen <maikel@ladot.com>
To: "'stable@freebsd.org'" <stable@freebsd.org>
Subject: Racoon - ipsec solved! - filtering question.
Message-ID: <410777FC7A66D511911500B0D0783455013CF298@nlladot05.intern.ladot.com>
Hi List,

With the help of someone on the list (I don't know if this person wants to be named), I resolved my subnet problem. My problem was that I was defining multiple SAs to one peer, and my setup was "requiring" only one for the tunnel. If I make the SAs "unique", it will create both SAs to the PIX. My fixed ipsec.conf is below.

My current problem is that I cannot filter my gateway host when packets come out of the IPSEC tunnel. I CAN filter my LAN (the local internal range), but NOT the internal IP number on my gateway. Has anyone tackled this?

So my /etc/ipsec.conf lines are now:

    spdadd [internal range]/[internal bits] [remote range]/[remote bits] any -P out ipsec esp/tunnel/[local external ip]-[remote external ip]/unique;
    spdadd [remote range]/[remote bits] [local range]/[local bits] any -P in ipsec esp/tunnel/[remote external ip]-[local external ip]/unique;
    spdadd [internal range]/[internal bits] [second remote range]/[second remote bits] any -P out ipsec esp/tunnel/[local external ip]-[remote external ip]/unique;
    spdadd [second remote range]/[remote bits] [local range]/[local bits] any -P in ipsec esp/tunnel/[remote external ip]-[local external ip]/unique;

Kind regards,

Maikel Verheijen

It is a book about a Spanish guy called Manual. You should read it. -- Dilbert

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-stable" in the body of the message
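The fix in the post comes down to two properties of the SPD entries: every outbound policy needs a mirrored inbound policy (subnets swapped, tunnel endpoints swapped), and when several policies share the same tunnel endpoint pair, each must use the "unique" level so that setkey/racoon negotiates a separate SA per policy instead of reusing one. The following checker is an added example, not code from the post or from the FreeBSD or racoon projects: it parses setkey-style spdadd lines and reports either property being violated. The addresses (10.1.0.0/24 behind 192.0.2.1, two remote subnets behind 198.51.100.1) are constructed sample values standing in for the bracketed placeholders in the post.

```python
import re
from dataclasses import dataclass

# Matches the spdadd form used in the post:
#   spdadd SRC DST PROTO -P DIR ipsec esp/tunnel/TSRC-TDST/LEVEL;
SPDADD_RE = re.compile(
    r"spdadd\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<proto>\S+)\s+-P\s+(?P<dir>in|out)\s+ipsec\s+"
    r"(?P<ipproto>esp|ah)/(?P<mode>tunnel|transport)/(?P<tsrc>[^-]+)-(?P<tdst>[^/]+)/(?P<level>\w+)\s*;"
)


@dataclass(frozen=True)
class Policy:
    src: str          # inner (protected) source range
    dst: str          # inner (protected) destination range
    direction: str    # "in" or "out"
    tunnel_src: str   # outer tunnel endpoint (this side)
    tunnel_dst: str   # outer tunnel endpoint (peer side)
    level: str        # default / use / require / unique


def parse_policies(text: str) -> list[Policy]:
    """Parse every spdadd line in a setkey configuration; blank lines and # comments are skipped."""
    policies = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = SPDADD_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised spdadd line: {line}")
        policies.append(Policy(m["src"], m["dst"], m["dir"], m["tsrc"], m["tdst"], m["level"]))
    return policies


def check_policies(policies: list[Policy]) -> list[str]:
    """Return a list of findings; an empty list means the SPD is consistent."""
    findings = []

    # 1. Each policy must have a mirror in the opposite direction with src/dst
    #    and tunnel endpoints swapped; otherwise one direction of traffic is unprotected.
    index = {(p.src, p.dst, p.direction): p for p in policies}
    for p in policies:
        mirror_dir = "in" if p.direction == "out" else "out"
        mirror = index.get((p.dst, p.src, mirror_dir))
        if mirror is None:
            findings.append(f"no mirrored {mirror_dir} policy for {p.src} -> {p.dst}")
        elif (mirror.tunnel_src, mirror.tunnel_dst) != (p.tunnel_dst, p.tunnel_src):
            findings.append(f"tunnel endpoints of {p.src} -> {p.dst} and its mirror do not match")

    # 2. Policies that share direction and tunnel endpoints must use level "unique",
    #    otherwise the IKE daemon may satisfy both with a single SA (the post's original bug).
    by_endpoints: dict[tuple, list[Policy]] = {}
    for p in policies:
        by_endpoints.setdefault((p.direction, p.tunnel_src, p.tunnel_dst), []).append(p)
    for (direction, tsrc, tdst), group in by_endpoints.items():
        if len(group) > 1:
            for p in group:
                if p.level != "unique":
                    findings.append(
                        f"{direction} policy {p.src} -> {p.dst} shares tunnel {tsrc}-{tdst} "
                        f"with {len(group) - 1} other policy(ies) but uses level '{p.level}', not 'unique'"
                    )
    return findings


# Constructed sample configuration: two remote subnets behind one peer, as in the post.
SAMPLE_OK = """
spdadd 10.1.0.0/24 10.2.0.0/24 any -P out ipsec esp/tunnel/192.0.2.1-198.51.100.1/unique;
spdadd 10.2.0.0/24 10.1.0.0/24 any -P in  ipsec esp/tunnel/198.51.100.1-192.0.2.1/unique;
spdadd 10.1.0.0/24 10.3.0.0/24 any -P out ipsec esp/tunnel/192.0.2.1-198.51.100.1/unique;
spdadd 10.3.0.0/24 10.1.0.0/24 any -P in  ipsec esp/tunnel/198.51.100.1-192.0.2.1/unique;
"""

# The same configuration with the level the post started out with.
SAMPLE_REQUIRE = SAMPLE_OK.replace("/unique", "/require")

# Outbound policy for 10.3.0.0/24 without its inbound mirror.
SAMPLE_MISSING_MIRROR = "\n".join(SAMPLE_OK.strip().splitlines()[:3])


def audit(text: str) -> list[str]:
    return check_policies(parse_policies(text))


if __name__ == "__main__":
    for name, cfg in [("ok", SAMPLE_OK), ("require", SAMPLE_REQUIRE), ("missing", SAMPLE_MISSING_MIRROR)]:
        print(name, audit(cfg) or "consistent")
```

Running the block prints "consistent" for the corrected configuration, four findings for the "require" variant (each of the four policies shares its tunnel endpoints with another), and one finding for the configuration missing an inbound policy.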