Stephen Cimarelli wrote:
> I have managed to get IPsec+gif tunnelling to work but am having trouble setting
> up firewall rules; it seems that received ESP packets pass through the firewall
> rule set twice and hit my natd divert rules.

Do you use IPsec tunnel mode, or IPsec transport mode + gif tunnels to do
the tunneling? Also, in the ipfw rules below, your "via" clauses reference
tun0, which is neither gif nor IPsec tunneling.

> To get around this I had to add rules like 00110 and 00115
> 
> 00001   150   20400 count esp from any to any
> 00010   150   20400 allow esp from any to any in recv tun0
> 00011     0       0 allow esp from any to any out xmit tun0
> 00110  1560  231661 allow ip from 192.168.0.0/16 to 192.168.0.0/16
> 00115     9     756 allow ip from 10.10.0.0/16 to 192.168.0.0/16 via tun0
> 00120  6193 2543953 divert 8668 tcp from any to any out xmit tun0
> 00120    15    1233 divert 8668 udp from any to any out xmit tun0
> 00120     0       0 divert 8668 icmp from any to any out xmit tun0
> 00121  6132 6364485 divert 8668 tcp from any to any in recv tun0
> 00121    16    3516 divert 8668 udp from any to any in recv tun0
> 00121    21    1764 divert 8668 icmp from any to any in recv tun0
-- 
Lars Eggert <[EMAIL PROTECTED]>                 Information Sciences Institute
http://www.isi.edu/larse/                University of Southern California
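As an added example (not code from the thread or from either poster), here is an ipfw ruleset sketch that keeps the three kinds of packets apart: the ESP packet seen on the outer interface, the decrypted inner packet that re-enters ipfw on the gif interface, and ordinary Internet traffic that should go to natd. The interface names tun0 and gif0, the peer address, the rule numbers and the `apply` argument are assumptions; the 192.168.0.0/16 and 10.10.0.0/16 ranges are the ones from the thread. Setting `IPFW=echo` prints the rules instead of loading them.

```shell
#!/bin/sh
# Added example for IPsec transport mode + gif tunnelling with ipfw.
# Assumptions (hypothetical, adjust to your site):
#   OIF  = tun0  : outer (Internet-facing) interface carrying ESP and NATed traffic
#   GIF  = gif0  : the gif tunnel interface on which decapsulated inner packets appear
#   PEER        : remote IPsec/gif gateway address (documentation placeholder)
#   LOCAL_NET / REMOTE_NET : the ranges quoted in the thread
# IPFW=echo turns the script into a dry run that only prints the rules.

IPFW=${IPFW:-"ipfw -q"}
OIF=${OIF:-tun0}
GIF=${GIF:-gif0}
PEER=${PEER:-203.0.113.1}
LOCAL_NET=${LOCAL_NET:-192.168.0.0/16}
REMOTE_NET=${REMOTE_NET:-10.10.0.0/16}

ruleset() {
    # 1. Outer packet: ESP (IP proto 50) from the peer on the outer interface.
    #    The kernel decrypts it and hands the INNER packet to the stack as a new
    #    packet, so the second pass you see in "count" rules is the inner packet,
    #    not the same ESP datagram being evaluated twice.
    $IPFW add 100 allow esp from "$PEER" to me in recv "$OIF"
    # Whether outbound ESP re-traverses ipfw depends on the kernel version
    # (the thread's rule 00011 shows zero hits); the rule is harmless either way.
    $IPFW add 110 allow esp from me to "$PEER" out xmit "$OIF"

    # 2. Inner packet: with gif tunnelling it arrives on / leaves via gif0, never
    #    via tun0. Accept site-to-site traffic here, numerically BEFORE any divert
    #    rule, so it is never handed to natd.
    $IPFW add 200 allow ip from "$REMOTE_NET" to "$LOCAL_NET" in recv "$GIF"
    $IPFW add 210 allow ip from "$LOCAL_NET" to "$REMOTE_NET" out xmit "$GIF"

    # 3. Everything else crossing the outer interface is NATed by natd
    #    (port 8668, as in the thread). Restricting the divert to "via $OIF"
    #    is what keeps tunnel traffic out of natd.
    $IPFW add 300 divert 8668 ip from any to any via "$OIF"

    # 4. Local LAN traffic and the usual loopback/default policy.
    $IPFW add 400 allow ip from "$LOCAL_NET" to "$LOCAL_NET"
    $IPFW add 410 allow ip from any to any via lo0
    $IPFW add 65000 allow ip from any to any   # replace with your real policy
}

# Only touch the running firewall when explicitly asked: ./ipsec-gif-fw.sh apply
case "${1:-}" in
    apply) ruleset ;;
esac
```

The rule numbers only matter relative to each other: the gif "allow" rules (200/210) must sort before the divert rule (300), because ipfw stops at the first terminating match and a divert rule would otherwise send the decapsulated packet to natd.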
