Filtering inside IPSec tunnel

Bjoern A. Zeeb bzeeb-lists at lists.zabbadoz.net
Tue Oct 11 20:24:44 UTC 2011


On 11. Oct 2011, at 19:37 , Michael Proto wrote:

> 2011/10/11 Виталий Владимирович <artemrts at ukr.net>:
>> 
>>  I have the IPSec tunnel FreeBSD <-> CISCO. Tunnel works fine but I can filtering traffic inside tunnel with PF.
>> 
>> pf.conf
>> 
>> ......
>> 
>> ipsec_if="gif0"
>> 
>> .......
>> block in all
>> block out all
>> 
>> ### EXT_IF_OUT
>> 
>> pass out log quick on $ext_if inet from ($ext_if) to any modulate state
>> 
>> ### EXT_IF_IN
>> 
>> pass in quick on $ext_if inet proto udp from $cisco to ($ext_if) port 500
>> pass in quick on $ext_if inet proto {esp ah ipencap} from $cisco to ($ext_if)
>> 
>> ### IPSec VPN INTERFACE
>> #pass in quick on $ipsec_if inet from any to $ipsec_if
>> #pass out quick on $ipsec_if inet from $ipsec_if to any
>> block quick on $ipsec_if
>> 
>> But I still ping the second point of IPSec tunnel.
>> Where is my mistake?
> 
> IIRC you also need the following in your kernel config:
> 
> options         IPSEC_FILTERTUNNEL
> 
> (I think it used to be called IPSEC_FILTERGIF, depending on what
> version of FreeBSD you're running)


Yes, and there are sysctls these days:

net.inet.ipsec.filtertunnel: 1
net.inet6.ipsec6.filtertunnel: 1

/bz


-- 
Bjoern A. Zeeb                                 You have to have visions!
         Stop bit received. Insert coin for new address family.
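As an added example (not part of the thread above), the following POSIX shell script checks the two sysctls Bjoern names and prints what to persist in /etc/sysctl.conf. The parsing function takes `sysctl` output in the `name: value` form shown in the reply, so it can be exercised on a constructed sample; the live check only works on a FreeBSD host and is skipped elsewhere. The sample output and the function names are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the original mailing-list thread.
# Assumes FreeBSD with net.inet.ipsec.filtertunnel and
# net.inet6.ipsec6.filtertunnel (the sysctl successors of
# options IPSEC_FILTERTUNNEL / IPSEC_FILTERGIF).

# Decide from "sysctl"-style output whether decapsulated IPsec traffic is
# handed to pf for both address families. Argument: text with lines such as
# "net.inet.ipsec.filtertunnel: 1". Returns 0 only when both values are 1.
filtertunnel_enabled() {
    v4=$(printf '%s\n' "$1" | awk -F': ' '$1 == "net.inet.ipsec.filtertunnel" { print $2 }')
    v6=$(printf '%s\n' "$1" | awk -F': ' '$1 == "net.inet6.ipsec6.filtertunnel" { print $2 }')
    [ "$v4" = "1" ] && [ "$v6" = "1" ]
}

# Lines to append to /etc/sysctl.conf so the setting survives a reboot.
sysctl_conf_lines() {
    printf '%s\n' 'net.inet.ipsec.filtertunnel=1' 'net.inet6.ipsec6.filtertunnel=1'
}

# Live check on the local host. Uses the real sysctl binary; returns 2 when
# the OIDs are absent (non-FreeBSD host or kernel without IPsec).
check_live_host() {
    command -v sysctl >/dev/null 2>&1 || { echo "sysctl not found"; return 2; }
    out=$(sysctl net.inet.ipsec.filtertunnel net.inet6.ipsec6.filtertunnel 2>/dev/null) || return 2
    if filtertunnel_enabled "$out"; then
        echo "tunnel filtering on: pf rules on the gif interface see the inner packets"
        return 0
    fi
    echo "tunnel filtering off: a 'block quick on gif0' rule is never consulted"
    echo "enable now:  sysctl net.inet.ipsec.filtertunnel=1 net.inet6.ipsec6.filtertunnel=1"
    echo "persist with these lines in /etc/sysctl.conf:"
    sysctl_conf_lines | sed 's/^/  /'
    return 1
}

# Constructed sample of sysctl output (what a host with filtering off prints).
SAMPLE_SYSCTL_OUTPUT='net.inet.ipsec.filtertunnel: 0
net.inet6.ipsec6.filtertunnel: 1'

if filtertunnel_enabled "$SAMPLE_SYSCTL_OUTPUT"; then
    echo "sample: filtering on"
else
    echo "sample: filtering off (IPv4 OID is 0)"
fi

# Real check; harmless on hosts without the OIDs.
check_live_host || true
```

Run it as `sh check-filtertunnel.sh` on the FreeBSD gateway; a non-zero exit from the live check means the `block quick on $ipsec_if` rule from the original post is not being evaluated, which matches the symptom of still being able to ping through the tunnel.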
