Re: IPSEC with PF - Please help.



On Tue, 03 Oct 2006 13:28:40 +1000, Pet Farrari <pf@xxxxxxxxxxx> wrote:

> Thank you for the example. I will test it with the remote office tonight.
> In terms of PF firewall work with IPSEC, do I still need to enable
> pseudo-device enc when compiling the kernel?

Not if you do the ESP between the outside IP addresses on the GIF
interfaces. The VPN transformation is done on the IP-IP packets. They
are decapsulated after they get decrypted, and your pf rules will
apply on that.

> If my router (10/8) host
> many IPSEC connection, can I use enc device instead of creating
> thousands of pass rules in PF?

I am not sure why you would need thousands of pass rules? Also, note
what I said in the previous posting about having a 10/8 on one side of
your network. Hosts there will never get to your other network as
they will all think the IPs are local to their Ethernet and never
bother going to your VPN router to get to the other side.

---Mike


> Thanks
> S

This should encrypt your traffic between your two public IP addresses.
Anything that you route through the GIF tunnel will then get
encrypted. As always, verify with tcpdump to make sure it actually is

e.g. if your two internal networks are 192.168.0.0/24 (HQ) and
192.168.1.0/24 (RICK) (note, you can't have the same internal subnets
on either side) you can route them across the gif tunnel

---Mike

--------------------------------------------------------
Mike Tancsa, Sentex communications http://www.sentex.net
Providing Internet Access since 1994
mike@xxxxxxxxxx, (http://www.tancsa.com)
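
Two checks for the setup discussed above, written as an added example (not code from the thread or from FreeBSD): the overlapping-subnet trap Mike points out, and the tcpdump verification he recommends, i.e. confirming that what leaves between the two public IPs is ESP and not readable IP-IP. All addresses and capture lines are constructed; the line format follows `tcpdump -n` output on the outside interface.

```python
"""Checks for a GIF-over-IPsec site-to-site setup (added example).

1. The two internal subnets must not overlap, otherwise hosts think the
   far side is on their own Ethernet and never send to the VPN router.
2. Between the two public IPs, everything must appear as ESP; a readable
   inner IP header means IP-IP packets left the GIF tunnel unencrypted.
"""
import ipaddress
import re

# Constructed documentation-range addresses, not values from the thread.
HQ_PUBLIC, RICK_PUBLIC = "203.0.113.1", "198.51.100.1"
HQ_LAN, RICK_LAN = "192.168.0.0/24", "192.168.1.0/24"

# Constructed lines in the style of `tcpdump -n` on the outside interface.
CAPTURE = """\
10:00:01.000001 IP 203.0.113.1 > 198.51.100.1: ESP(spi=0x00001000,seq=0x1), length 116
10:00:01.000002 IP 198.51.100.1 > 203.0.113.1: ESP(spi=0x00002000,seq=0x1), length 116
10:00:02.000003 IP 203.0.113.1 > 198.51.100.1: IP 192.168.0.10 > 192.168.1.20: ICMP echo request, id 7, seq 1, length 64 (ipip-proto-4)
10:00:03.000004 IP 203.0.113.1 > 192.0.2.5: ICMP echo request, id 9, seq 1, length 64
"""

_HDR = re.compile(r"IP (\S+) > (\S+): (.*)$")  # matches an outer or inner IP header


def subnets_routable(lan_a: str, lan_b: str) -> bool:
    """False when the LANs overlap (e.g. a 10/8 on one side swallowing the other)."""
    return not ipaddress.ip_network(lan_a).overlaps(ipaddress.ip_network(lan_b))


def classify(line: str, peers: frozenset) -> str:
    """Return 'esp', 'cleartext' (IP-IP between the peers with the inner header
    readable) or 'other' (not between the two public IPs, or has ports, e.g. IKE)."""
    m = _HDR.search(line)
    if not m or m.group(1) not in peers or m.group(2) not in peers:
        return "other"
    if m.group(3).startswith("ESP("):
        return "esp"
    return "cleartext" if m.group(3).startswith("IP ") else "other"


def audit(capture: str, local: str, remote: str) -> dict:
    """Count packet kinds; 'leaks' lists inner (src, dst) pairs seen in the clear."""
    peers = frozenset((local, remote))
    out = {"esp": 0, "cleartext": 0, "other": 0, "leaks": []}
    for line in capture.splitlines():
        kind = classify(line, peers)
        out[kind] += 1
        if kind == "cleartext":  # pull the inner header out of the outer payload
            inner = _HDR.search(_HDR.search(line).group(3))
            out["leaks"].append((inner.group(1), inner.group(2)))
    return out
```

A non-empty `leaks` list means the SPD does not cover the GIF traffic and the inner subnets are crossing the Internet in plaintext.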
