Okay, I see this bug as well. Will get it fixed soon.

Scott

On 3/29/07, Scott Ullrich <[EMAIL PROTECTED]> wrote:
Okay, so that I am on the same page as you. Those $wan rules should have read $optX ??

Scott

On 3/29/07, Vaughn L. Reid III <[EMAIL PROTECTED]> wrote:
> Oops! Sorry for the double post.
>
> Vaughn L. Reid III wrote:
> > Here is the relevant text of my rules.debug file. It looks like the interface on the connection "computer support" has the same interface as the rest of the tunnels. This is the test connection that should be using OPT3.
> >
> > # let out anything from the firewall host itself and decrypted IPsec traffic
> > pass out quick on $lan proto icmp keep state label "let out anything from firewall host itself"
> > pass out quick on $wan proto icmp keep state label "let out anything from firewall host itself"
> > pass out quick on em1 all keep state label "let out anything from firewall host itself"
> > # pass traffic from firewall -> out
> > anchor "firewallout"
> > pass out quick on em1 all keep state label "let out anything from firewall host itself"
> > pass out quick on em0 all keep state label "let out anything from firewall host itself"
> > pass out quick on em4 all keep state label "let out anything from firewall host itself"
> > pass out quick on em2 all keep state label "let out anything from firewall host itself"
> > pass out quick on $pptp all keep state label "let out anything from firewall host itself pptp"
> > pass out quick on $enc0 keep state label "IPSEC internal host to host"
> >
> > # let out anything from the firewall host itself and decrypted IPsec traffic
> > pass out quick on em4 proto icmp keep state label "let out anything from firewall host itself"
> > pass out quick on em4 all keep state label "let out anything from firewall host itself"
> >
> >
> > # VPN Rules
> > pass out quick on $wan proto udp from 209.218.218.138 to 65.119.178.137 port = 500 keep state label "IPSEC: Fire Station 3 - outbound isakmp"
> > pass in quick on $wan proto udp from 65.119.178.137 to 209.218.218.138 port = 500 keep state label "IPSEC: Fire Station 3 - inbound isakmp"
> > pass out quick on $wan proto esp from 209.218.218.138 to 65.119.178.137 keep state label "IPSEC: Fire Station 3 - outbound esp proto"
> > pass in quick on $wan proto esp from 65.119.178.137 to 209.218.218.138 keep state label "IPSEC: Fire Station 3 - inbound esp proto"
> > pass out quick on $wan proto udp from 209.218.218.138 to 65.119.178.129 port = 500 keep state label "IPSEC: Street Department - outbound isakmp"
> > pass in quick on $wan proto udp from 65.119.178.129 to 209.218.218.138 port = 500 keep state label "IPSEC: Street Department - inbound isakmp"
> > pass out quick on $wan proto esp from 209.218.218.138 to 65.119.178.129 keep state label "IPSEC: Street Department - outbound esp proto"
> > pass in quick on $wan proto esp from 65.119.178.129 to 209.218.218.138 keep state label "IPSEC: Street Department - inbound esp proto"
> > pass out quick on $wan proto udp from 209.218.218.138 to 65.119.178.154 port = 500 keep state label "IPSEC: Fire Station 2 - outbound isakmp"
> > pass in quick on $wan proto udp from 65.119.178.154 to 209.218.218.138 port = 500 keep state label "IPSEC: Fire Station 2 - inbound isakmp"
> > pass out quick on $wan proto esp from 209.218.218.138 to 65.119.178.154 keep state label "IPSEC: Fire Station 2 - outbound esp proto"
> > pass in quick on $wan proto esp from 65.119.178.154 to 209.218.218.138 keep state label "IPSEC: Fire Station 2 - inbound esp proto"
> > pass out quick on $wan proto udp from 209.218.218.138 to 70.227.28.14 port = 500 keep state label "IPSEC: EMS Building - outbound isakmp"
> > pass in quick on $wan proto udp from 70.227.28.14 to 209.218.218.138 port = 500 keep state label "IPSEC: EMS Building - inbound isakmp"
> > pass out quick on $wan proto esp from 209.218.218.138 to 70.227.28.14 keep state label "IPSEC: EMS Building - outbound esp proto"
> > pass in quick on $wan proto esp from 70.227.28.14 to 209.218.218.138 keep state label "IPSEC: EMS Building - inbound esp proto"
> > pass out quick on $wan proto udp from 209.218.218.138 to 70.237.44.110 port = 500 keep state label "IPSEC: Computer Support - outbound isakmp"
> > pass in quick on $wan proto udp from 70.237.44.110 to 209.218.218.138 port = 500 keep state label "IPSEC: Computer Support - inbound isakmp"
> > pass out quick on $wan proto esp from 209.218.218.138 to 70.237.44.110 keep state label "IPSEC: Computer Support - outbound esp proto"
> > pass in quick on $wan proto esp from 70.237.44.110 to 209.218.218.138 keep state label "IPSEC: Computer Support - inbound esp proto"
> >
> > pass in quick on em0 inet proto tcp from any to $loopback port 8021 keep state label "FTP PROXY: Allow traffic to localhost"
> > pass in quick on em0 inet proto tcp from any to $loopback port 21 keep state label "FTP PROXY: Allow traffic to localhost"
> > pass in quick on em1 inet proto tcp from port 20 to (em1) port > 49000 user proxy flags S/SA keep state label "FTP PROXY: PASV mode data connection"
> > # enable ftp-proxy
> > pass in quick on em4 inet proto tcp from any to $loopback port 8022 keep state label "FTP PROXY: Allow traffic to localhost"
> > pass in quick on em4 inet proto tcp from any to $loopback port 21 keep state label "FTP PROXY: Allow traffic to localhost"
> >
> > Vaughn
> >
> >
> > Scott Ullrich wrote:
> >> On 3/29/07, Vaughn L. Reid III <[EMAIL PROTECTED]> wrote:
> >>> I didn't get the request, but I'll be happy to check to see if rules are being added. Should I remove the manual rules that I created first before checking?
> >>
> >> Yes, please. Then open up /tmp/rules.debug and look for "VPN Rules".. Below that marker is the system generated IPSEC rules. Do you see entries for the OPT interface?
> >>
> >> Scott
> >>
> >> ---------------------------------------------------------------------
> >> To unsubscribe, e-mail: [EMAIL PROTECTED]
> >> For additional commands, e-mail: [EMAIL PROTECTED]
> >>
> >
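The check Scott asks for in the quoted message (look below the "# VPN Rules" marker in /tmp/rules.debug and see which interface the generated IPsec rules landed on) can be scripted rather than eyeballed. The following is an added example, not code from the thread or from pfSense: it parses rules.debug lines of the shape quoted above, groups the IPSEC rules by the tunnel name in their label, and reports tunnels whose rules are not on the interface they are configured for, as well as tunnels missing one of the four isakmp/esp in/out rules. The sample input is constructed (documentation addresses, not the thread's real ones), the `expected_iface` mapping of tunnel name to interface macro is supplied by the caller, and the regex assumes exactly the rule layout shown in the thread.

```python
import re
from typing import Dict, List, NamedTuple, Optional, Set

# Shape of the IPsec rules pfSense writes under the "# VPN Rules" marker of
# /tmp/rules.debug, as quoted in the thread: one isakmp (udp/500) and one esp
# rule per direction per tunnel, labelled "IPSEC: <tunnel name> - <kind>".
IPSEC_RULE = re.compile(
    r'^pass\s+(?P<dir>in|out)\s+quick\s+on\s+(?P<iface>\S+)'
    r'\s+proto\s+(?P<proto>udp|esp)'
    r'\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)'
    r'(?:\s+port\s*=\s*(?P<port>\d+))?'
    r'\s+keep\s+state\s+label\s+"IPSEC:\s*(?P<tunnel>.+?)\s+-\s+(?P<kind>[^"]+)"\s*$'
)

# The four rule kinds every tunnel should have, as (direction, protocol).
EXPECTED_KINDS = {("out", "udp"), ("in", "udp"), ("out", "esp"), ("in", "esp")}


class IpsecRule(NamedTuple):
    direction: str
    iface: str            # interface macro or name the rule is bound to, e.g. $wan
    proto: str
    peer: str             # remote gateway: dst for outbound, src for inbound
    tunnel: str           # tunnel name taken from the rule label
    port: Optional[str]   # "500" for isakmp rules, None for esp rules


def parse_vpn_rules(rules_debug: str) -> List[IpsecRule]:
    """Return the IPsec rules that follow the '# VPN Rules' marker."""
    rules: List[IpsecRule] = []
    in_vpn_section = False
    for raw in rules_debug.splitlines():
        line = raw.strip()
        if line.startswith("# VPN Rules"):
            in_vpn_section = True
            continue
        if not in_vpn_section:
            continue
        m = IPSEC_RULE.match(line)
        if m is None:
            continue  # comments, blank lines and non-IPsec rules (e.g. FTP proxy)
        peer = m["dst"] if m["dir"] == "out" else m["src"]
        rules.append(IpsecRule(m["dir"], m["iface"], m["proto"], peer, m["tunnel"], m["port"]))
    return rules


def interfaces_by_tunnel(rules: List[IpsecRule]) -> Dict[str, Set[str]]:
    """Map each tunnel name to the set of interfaces its rules were written on."""
    result: Dict[str, Set[str]] = {}
    for r in rules:
        result.setdefault(r.tunnel, set()).add(r.iface)
    return result


def find_misplaced_tunnels(rules_debug: str, expected_iface: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare the interface each tunnel's rules landed on with the interface the
    tunnel is configured for. Returns {tunnel: sorted actual interfaces} for every
    tunnel whose rules are not all on the expected interface; a tunnel with no
    generated rules at all maps to an empty list."""
    seen = interfaces_by_tunnel(parse_vpn_rules(rules_debug))
    problems: Dict[str, List[str]] = {}
    for tunnel, iface in expected_iface.items():
        actual = seen.get(tunnel, set())
        if actual != {iface}:
            problems[tunnel] = sorted(actual)
    return problems


def missing_rule_kinds(rules: List[IpsecRule]) -> Dict[str, List[str]]:
    """Report tunnels that lack any of the four isakmp/esp in/out rules."""
    present: Dict[str, Set[tuple]] = {}
    for r in rules:
        present.setdefault(r.tunnel, set()).add((r.direction, r.proto))
    return {
        tunnel: sorted(f"{d} {p}" for d, p in EXPECTED_KINDS - kinds)
        for tunnel, kinds in present.items()
        if kinds != EXPECTED_KINDS
    }


# Constructed sample in the rules.debug shape quoted in the thread. Addresses are
# documentation ranges; the "Computer Support" tunnel deliberately lacks its
# inbound esp rule so the completeness check has something to report.
SAMPLE_RULES_DEBUG = """\
# let out anything from the firewall host itself and decrypted IPsec traffic
pass out quick on $lan proto icmp keep state label "let out anything from firewall host itself"

# VPN Rules
pass out quick on $wan proto udp from 192.0.2.10 to 198.51.100.7 port = 500 keep state label "IPSEC: Fire Station 3 - outbound isakmp"
pass in quick on $wan proto udp from 198.51.100.7 to 192.0.2.10 port = 500 keep state label "IPSEC: Fire Station 3 - inbound isakmp"
pass out quick on $wan proto esp from 192.0.2.10 to 198.51.100.7 keep state label "IPSEC: Fire Station 3 - outbound esp proto"
pass in quick on $wan proto esp from 198.51.100.7 to 192.0.2.10 keep state label "IPSEC: Fire Station 3 - inbound esp proto"
pass out quick on $wan proto udp from 192.0.2.10 to 203.0.113.5 port = 500 keep state label "IPSEC: Computer Support - outbound isakmp"
pass in quick on $wan proto udp from 203.0.113.5 to 192.0.2.10 port = 500 keep state label "IPSEC: Computer Support - inbound isakmp"
pass out quick on $wan proto esp from 192.0.2.10 to 203.0.113.5 keep state label "IPSEC: Computer Support - outbound esp proto"

pass in quick on em0 inet proto tcp from any to $loopback port 21 keep state label "FTP PROXY: Allow traffic to localhost"
"""

if __name__ == "__main__":
    # Tunnel -> interface it is configured on (the test tunnel on OPT3, as in the thread).
    configured = {"Fire Station 3": "$wan", "Computer Support": "$opt3"}
    print("misplaced:", find_misplaced_tunnels(SAMPLE_RULES_DEBUG, configured))
    print("incomplete:", missing_rule_kinds(parse_vpn_rules(SAMPLE_RULES_DEBUG)))
```

On a real box the input would be the contents of /tmp/rules.debug and the mapping would come from the tunnel definitions in the IPsec configuration; the script only trusts the rule labels for the tunnel name, so a tunnel whose label contains " - " in its own name would need a tighter regex.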