From: Виталий Владимирович <artemrts@ukr.net>
To: freebsd-pf@FreeBSD.org
Date: Tue, 11 Oct 2011 21:41:00 +0300
Subject: Filtering inside IPSec tunnel
List-Id: Technical discussion and general questions about packet filter (pf)

I have an IPSec tunnel FreeBSD <-> CISCO. The tunnel works fine, but I can't filter traffic inside the tunnel with PF.

pf.conf:

    ......
    ipsec_if="gif0"
    .......

    block in all
    block out all

    ### EXT_IF_OUT
    pass out log quick on $ext_if inet from ($ext_if) to any modulate state

    ### EXT_IF_IN
    pass in quick on $ext_if inet proto udp from $cisco to ($ext_if) port 500
    pass in quick on $ext_if inet proto {esp ah ipencap} from $cisco to ($ext_if)

    ### IPSec VPN INTERFACE
    #pass in quick on $ipsec_if inet from any to $ipsec_if
    #pass out quick on $ipsec_if inet from $ipsec_if to any
    block quick on $ipsec_if

But I can still ping the other end of the IPSec tunnel. Where is my mistake?
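A diagnostic check added here (not part of the original post): pf's per-rule counters from `pfctl -vsr` show whether any rule bound to gif0 ever saw a packet, so a successful ping while every gif0 rule still reports "Packets: 0" means the ICMP never traversed gif0 and the block rule on $ipsec_if was never consulted. The SAMPLE text is a hand-constructed imitation of `pfctl -vsr` output for the ruleset above, with em0 assumed as $ext_if.

```shell
#!/bin/sh
# Parse `pfctl -vsr` output and report per-rule packet counters for the
# rules bound to one interface. On a live box: pfctl -vsr | iface_rule_hits gif0

# Usage: iface_rule_hits IFACE   (reads pfctl -vsr output on stdin)
# Prints "<packets>\t<rule text>" for every rule containing "on IFACE".
iface_rule_hits() {
    awk -v want="on $1 " '
        # Rule lines start in column 0; the counter line below is indented.
        /^[^ ]/ { rule = $0; next }
        /Packets:/ && index(rule " ", want) {
            for (i = 1; i <= NF; i++)
                if ($i == "Packets:") print $(i + 1) "\t" rule
        }'
}

# Returns 0 when at least one rule on IFACE has matched a packet, 1 otherwise.
iface_saw_traffic() {
    iface_rule_hits "$1" | awk -F'\t' '$1 > 0 { hit = 1 } END { exit !hit }'
}

# Constructed sample (not real output): counters as they might look after
# the ping in the post succeeded. Note the gif0 rule has seen nothing.
SAMPLE='block drop in all
  [ Evaluations: 120       Packets: 7         Bytes: 560         States: 0     ]
block drop out all
  [ Evaluations: 120       Packets: 0         Bytes: 0           States: 0     ]
pass out log quick on em0 inet from (em0) to any flags S/SA modulate state
  [ Evaluations: 98        Packets: 42        Bytes: 3528        States: 3     ]
block drop quick on gif0 all
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]'

printf '%s\n' "$SAMPLE" | iface_rule_hits gif0
if printf '%s\n' "$SAMPLE" | iface_saw_traffic gif0; then
    echo "gif0 rules matched packets: pf did see the tunnel traffic"
else
    echo "no gif0 rule matched anything: the ping is not going through gif0"
fi
```

Compare the gif0 counters with those of the $ext_if rules after a ping; if only the $ext_if pass rule grows, the echo request left via $ext_if rather than the gif interface.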