From: Maikel Verheijen <maikel@ladot.com>
To: "'stable@freebsd.org'"
Subject: Racoon - ipsec solved! - filtering question.
Date: Mon, 26 Aug 2002 15:01:31 +0200
Message-ID: <410777FC7A66D511911500B0D0783455013CF298@nlladot05.intern.ladot.com>

Hi List,

With the help of someone on the list (I don't know if this person wants to be named), I resolved my subnet problem. My problem was that I was defining multiple SAs to one peer, and my setup was "requiring" only one for the tunnel. If I make the SAs "unique", it will create both SAs to the PIX. My fixed ipsec.conf is below.

My current problem is that I cannot filter my gateway host when packets come out of the IPSEC tunnel. I CAN filter my LAN (the local internal range), but NOT the internal IP number on my gateway. Has anyone tackled this?
So my /etc/ipsec.conf lines are now:

    spdadd [internal range]/[internal bits] [remote range]/[remote bits] any -P out ipsec esp/tunnel/[local external ip]-[remote external ip]/unique;
    spdadd [remote range]/[remote bits] [local range]/[local bits] any -P in ipsec esp/tunnel/[remote external ip]-[local external ip]/unique;
    spdadd [internal range]/[internal bits] [second remote range]/[second remote bits] any -P out ipsec esp/tunnel/[local external ip]-[remote external ip]/unique;
    spdadd [second remote range]/[second remote bits] [local range]/[local bits] any -P in ipsec esp/tunnel/[remote external ip]-[local external ip]/unique;

Kind regards,

Maikel Verheijen

It is a book about a Spanish guy called Manual. You should read it. -- Dilbert
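The pattern in the post generalises to any number of remote subnets behind one peer: one in/out policy pair per subnet, all at the "unique" level so each pair negotiates its own SA rather than sharing one as "require" does. The following generator is an added example, not code from the post or from the racoon/setkey projects; the function name, the overlap check and the sample addresses are assumptions, and the addresses come from documentation ranges.

```python
"""Generate setkey SPD entries for one IPsec peer with several remote subnets.

Added example (not from the original post). Mirrors the author's fixed
ipsec.conf: one out/in spdadd pair per remote subnet, each at the 'unique'
level so every pair gets its own SA instead of sharing one.
"""
import ipaddress

# Policy levels accepted by setkey(8) for the "ipsec" policy type.
VALID_LEVELS = ("default", "use", "require", "unique")


def spd_entries(local_net, local_gw, remote_gw, remote_nets, level="unique"):
    """Return spdadd lines (one string per line) for setkey -c / ipsec.conf.

    local_net   -- the LAN behind this gateway, e.g. "192.168.1.0/24"
    local_gw    -- this gateway's external address (tunnel endpoint)
    remote_gw   -- the peer's external address (the PIX in the post)
    remote_nets -- iterable of subnets reachable behind the peer
    level       -- SA level; 'unique' forces one SA per policy pair
    """
    if level not in VALID_LEVELS:
        raise ValueError(f"unknown policy level {level!r}")
    local = ipaddress.ip_network(local_net)
    remotes = [ipaddress.ip_network(n) for n in remote_nets]
    # Overlapping selectors would make SPD lookup ambiguous: refuse them
    # up front rather than debugging which policy the kernel matched.
    for i, a in enumerate(remotes):
        for b in remotes[i + 1:]:
            if a.overlaps(b):
                raise ValueError(f"overlapping remote subnets {a} and {b}")
        if a.overlaps(local):
            raise ValueError(f"remote subnet {a} overlaps local {local}")
    lines = []
    for r in remotes:
        lines.append(f"spdadd {local} {r} any -P out ipsec "
                     f"esp/tunnel/{local_gw}-{remote_gw}/{level};")
        lines.append(f"spdadd {r} {local} any -P in ipsec "
                     f"esp/tunnel/{remote_gw}-{local_gw}/{level};")
    return lines


if __name__ == "__main__":
    # Constructed sample: documentation addresses, two subnets behind the peer.
    for line in spd_entries("192.168.1.0/24", "203.0.113.1", "198.51.100.1",
                            ["10.0.0.0/24", "10.0.1.0/24"]):
        print(line)
```

The output can be fed straight to `setkey -c` or pasted into /etc/ipsec.conf; the tunnel endpoints are swapped on the inbound lines, as in the post.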