We have a working firewall with multiple esp tunnels.

To this machine we want to add the ability to filter the emergent, decrypted packets. We are running 7.1-RELEASE-p2.

Does filtering require both the IPSEC_FILTERTUNNEL and the enc device? Or are these 2 separate approaches to the same problem?

We cannot get the firewall to "accept" decrypted packets in. With a ping running from tunneled network to tunneled network, tcpdump shows esp packets leaving the firewall. At the remote end tcpdump shows icmp echo requests and echo replies on the internal interface, and it also shows bi-directional esp traffic on the external interface. However, on the originating firewall tcpdump shows none of the esp reply packets.

All the firewall deny rules have logging enabled. Nothing appears in the log. So as far as we can tell ipfw is not blocking anything.

enc0 has been ifconfig'ed "up", and the enc sysctl flags have been set as suggested in enc(4). tcpdump on enc0 on the originating machine shows the icmp echo requests going out. ipfw has an explicit "allow ip from any to any" on enc0 which is not getting any hits.

We have tried this both with and without enc and IPSEC_FILTERTUNNEL in all various permutations with basically the same results. If we recompile and remove both the enc device and the IPSEC_FILTERTUNNEL option, the tunnel works fine.

Any thoughts? RTFM is a welcome suggestion; but none of the man pages really seem to cover this and we have had little luck with Google.

Thank you for your time.

--
Eric W. Bates
er...@vineyard.net