Stephen Cimarelli wrote:
> I have managed to get IPsec+gif tunnelling to work but am having trouble setting
> up firewall rules; it seems that received ESP packets pass through the firewall
> rule set twice and hit my natd divert rules.
Do you use IPsec tunnel mode, or IPsec transport mode + gif tunnels to do
the tunneling? Also, in the ipfw rules below, your "via" clauses reference
tun0, which is neither gif nor IPsec tunneling.
> To get around this I had to add a rule like 00110 and 00115
>
> 00001 150 20400 count esp from any to any
> 00010 150 20400 allow esp from any to any in recv tun0
> 00011 0 0 allow esp from any to any out xmit tun0
> 00110 1560 231661 allow ip from 192.168.0.0/16 to 192.168.0.0/16
> 00115 9 756 allow ip from 10.10.0.0/16 to 192.168.0.0/16 via tun0
> 00120 6193 2543953 divert 8668 tcp from any to any out xmit tun0
> 00120 15 1233 divert 8668 udp from any to any out xmit tun0
> 00120 0 0 divert 8668 icmp from any to any out xmit tun0
> 00121 6132 6364485 divert 8668 tcp from any to any in recv tun0
> 00121 16 3516 divert 8668 udp from any to any in recv tun0
> 00121 21 1764 divert 8668 icmp from any to any in recv tun0
--
Lars Eggert <[EMAIL PROTECTED]> Information Sciences Institute
http://www.isi.edu/larse/ University of Southern California
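For readers arriving at this thread with the same problem, here is an ipfw rule file of the shape Lars's question points at: ESP admitted on the outer link, the gif carrier admitted by protocol and endpoint, and the decapsulated private traffic passed above the natd divert rules instead of being matched on tun0. This is an added example, not code from either poster. It assumes transport-mode IPsec protecting a gif0 tunnel, tun0 as the outer Internet link, the placeholder endpoints 192.0.2.1 (local) and 198.51.100.1 (remote), 192.168.0.0/16 and 10.10.0.0/16 as the private networks, and natd on divert port 8668 as in Stephen's rules; it is loaded with `ipfw -f flush; ipfw /etc/ipfw.rules`.

```ipfw
# Added example, not from the thread. Rule file for "ipfw /etc/ipfw.rules".
# Assumptions: tun0 = outer Internet link, gif0 = tunnel interface,
# 192.0.2.1 / 198.51.100.1 = local / remote tunnel endpoints (placeholders),
# 192.168.0.0/16 and 10.10.0.0/16 = private networks, natd on divert 8668.

# Count rules first. "ipfw -a list" afterwards shows which passes a packet
# really makes on this kernel (ESP on the outer link, IP-in-IP carrying gif,
# plaintext on gif0 or re-presented on tun0) without changing any verdict.
add 1 count esp from any to any
add 2 count ipencap from any to any
add 3 count ip from 192.168.0.0/16 to 192.168.0.0/16
add 4 count ip from 10.10.0.0/16 to 192.168.0.0/16

# ESP between the two endpoints on the outer link, both directions.
add 100 allow esp from 198.51.100.1 to 192.0.2.1 in recv tun0
add 101 allow esp from 192.0.2.1 to 198.51.100.1 out xmit tun0

# The IP-in-IP (protocol 4, "ipencap") packet that carries gif0. No interface
# is pinned here because whether it is seen before encryption, after
# decryption, or both, depends on the kernel; the count rules above tell you.
add 110 allow ipencap from 198.51.100.1 to 192.0.2.1 in
add 111 allow ipencap from 192.0.2.1 to 198.51.100.1 out

# Private-to-private traffic is never NATed, so it is admitted here, above
# natd. With transport mode + gif the plaintext shows up on gif0; once rule 3
# and 4 confirm that, these can be tightened with "via gif0".
add 120 allow ip from 192.168.0.0/16 to 192.168.0.0/16
add 121 allow ip from 10.10.0.0/16 to 192.168.0.0/16
add 122 allow ip from 192.168.0.0/16 to 10.10.0.0/16

# Only what is left, i.e. real Internet traffic crossing the outer link,
# goes to natd (one rule for all protocols instead of three per direction).
add 200 divert 8668 ip from any to any via tun0

# The site's normal allow/deny policy for NATed traffic follows from here.
```

The ordering is the whole point: every rule that can match a tunnel packet on any of its passes sits above rule 200, so neither the ESP packet nor the decapsulated copy can reach the divert rule, and rules 120 to 122 replace the tun0-keyed rule 00115 from the original post. If rule 2 stays at zero packets on your kernel, rules 110 and 111 are harmless and can be dropped.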