[vpn-help] Policy configuration
Matthew Grooms
mgrooms at shrew.net
Tue Mar 14 03:57:29 CST 2006
Michael Ragusa wrote:
> Matthew Grooms wrote:
>
> FreeBSD lance.ai.net 6.1-PRERELEASE FreeBSD 6.1-PRERELEASE #0: Sun Feb
> 12 17:46:15 EST 2006 ainet@:/usr/obj/usr/src/sys/ROUTER i386
>
> my pf rules are
> # IPSEC options
> pass in quick proto esp from any to any
> pass in quick proto ah from any to any
> pass in quick proto ipencap from any to any
> pass in quick proto udp from any to any port = 4500
> pass in quick proto udp from any port = 500 to any port = 500
> pass in quick on gif0 from any to any
> pass out quick proto esp from any to any
> pass out quick proto ah from any to any
> pass out quick proto ipencap from any to any
> pass out quick proto udp from any to any port = 4500
> pass out quick proto udp from any port = 500 to any port = 500
> pass out quick on gif0 from any to any
>
> the esp packets get sent from the client but nothing comes back from the
> gateway
>
Ahh, I am a FreeBSD/pf man myself :) I would add something like ...
# allow remote vpn clients to the office
pass quick from 10.246.37.0/24 to 10.246.38.0/24 keep state
# allow the office to remote vpn clients
pass quick from 10.246.38.0/24 to 10.246.37.0/24 keep state
and then reload the ruleset. Let me know how it goes.
-Matthew
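An added illustration of the point in this reply, not code from either mail: a small Python model of how pf evaluates the rules quoted above. It assumes Michael's full pf.conf ends with an implicit block-all rule (not shown in the thread), ignores interface matching and state tracking, and uses constructed addresses; it shows that the ESP wrapper is passed but the decapsulated inner packet between the two subnets is not until the two subnet rules are added.

```python
import ipaddress

# Model of pf rule evaluation (added example, not from the thread):
# pf walks the ruleset in order; the LAST matching rule wins unless a
# matching rule carries "quick", which stops evaluation at once.
# Assumption: an implicit "block all" ends the ruleset, so a packet that
# no pass rule matches is dropped.

ANY = "0.0.0.0/0"

def rule(action, direction, proto=None, src=ANY, dst=ANY,
         sport=None, dport=None, quick=True):
    return dict(action=action, dir=direction, proto=proto,
                src=ipaddress.ip_network(src), dst=ipaddress.ip_network(dst),
                sport=sport, dport=dport, quick=quick)

def evaluate(rules, direction, proto, src_ip, dst_ip,
             sport=None, dport=None, default="block"):
    """Return the action pf would take for one packet: "pass" or "block"."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    result = default
    for r in rules:
        if r["dir"] != direction or (r["proto"] and r["proto"] != proto):
            continue
        if src not in r["src"] or dst not in r["dst"]:
            continue
        if (r["sport"] and r["sport"] != sport) or (r["dport"] and r["dport"] != dport):
            continue
        result = r["action"]
        if r["quick"]:
            break
    return result

# The IPsec rules Michael posted (the gif0 rules are omitted: no interface model here).
IPSEC_ONLY = [rule("pass", d, p) for d in ("in", "out") for p in ("esp", "ah", "ipencap")]
IPSEC_ONLY += [rule("pass", d, "udp", dport=4500) for d in ("in", "out")]
IPSEC_ONLY += [rule("pass", d, "udp", sport=500, dport=500) for d in ("in", "out")]

# Matthew's two additions: the inner subnets, both directions ("keep state" not modelled,
# which changes nothing here because both directions get an explicit rule).
CLIENTS, OFFICE = "10.246.37.0/24", "10.246.38.0/24"
WITH_SUBNETS = IPSEC_ONLY + [rule("pass", d, src=CLIENTS, dst=OFFICE) for d in ("in", "out")]
WITH_SUBNETS += [rule("pass", d, src=OFFICE, dst=CLIENTS) for d in ("in", "out")]

def decapsulated_verdicts(rules):
    """ESP wrapper in, then the inner packet pf sees again after decapsulation,
    then the office's reply before it is re-encapsulated (constructed addresses)."""
    return {
        "esp_in": evaluate(rules, "in", "esp", "198.51.100.7", "203.0.113.1"),
        "inner_request": evaluate(rules, "in", "tcp", "10.246.37.5", "10.246.38.10", 51000, 445),
        "inner_reply": evaluate(rules, "out", "tcp", "10.246.38.10", "10.246.37.5", 445, 51000),
    }
```

With only the IPsec rules the ESP packet is accepted but both inner verdicts are "block", which matches the symptom of nothing coming back from the gateway; with the subnet rules added all three are "pass".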