If this is working it would be a great step ahead :)

-----Original Message-----
From: Vaughn L. Reid III [mailto:[EMAIL PROTECTED] 
Sent: Friday, 30 March 2007 1:08
To: support@pfsense.com
Subject: Re: [pfSense Support] IPSEC over an OPT interface Problems

Have the IPSEC changes been committed and built yet?  I'm looking at the
update files, and they all still say March 27 2007.  I'm using this
repository http://snapshots.pfsense.com/FreeBSD6/RELENG_1/updates/

Should I be looking somewhere else for the update with the IPSEC fix?

Thanks,

Vaughn 

On Thu, 29 Mar 2007 15:26:58 -0400, "Vaughn L. Reid III"
<[EMAIL PROTECTED]> said:
> Thanks for your hard work.  I appreciate it and I'm sure my customers 
> do too.
> 
> Vaughn
> 
> Vaughn L. Reid III wrote:
> > The ones that say Computer Support are from the test tunnel 
> > that I created to use OPT2.
> >
> > The interfaces on this machine are labeled like this:
> >
> > LAN => em0
> > WAN => em1
> > ATTDSL => em4 -- This is the OPT interface that I was using for the 
> > Computer Support VPN test
> > wireless => em2
> >
> > Vaughn
> >
> > Scott Ullrich wrote:
> >> Okay, so that I am on the same page as you.  Those $wan rules 
> >> should have read $optX ??
> >>
> >> Scott
> >>
> >>
> >> On 3/29/07, Vaughn L. Reid III <[EMAIL PROTECTED]> wrote:
> >>> Oops!  Sorry for the double post.
> >>>
> >>> Vaughn L. Reid III wrote:
> >>> > Here is the relevant text of my rules.debug file.  It looks like 
> >>> > the interface on the connection "computer support" has the same 
> >>> > interface as the rest of the tunnels.  This is the test 
> >>> > connection that should be using OPT3.
> >>> >
> >>> > # let out anything from the firewall host itself and decrypted IPsec traffic
> >>> > pass out quick on $lan proto icmp keep state label "let out anything from firewall host itself"
> >>> > pass out quick on $wan proto icmp keep state label "let out anything from firewall host itself"
> >>> > pass out quick on em1 all keep state label "let out anything from firewall host itself"
> >>> > # pass traffic from firewall -> out
> >>> > anchor "firewallout"
> >>> > pass out quick on em1 all keep state label "let out anything from firewall host itself"
> >>> > pass out quick on em0 all keep state label "let out anything from firewall host itself"
> >>> > pass out quick on em4 all keep state label "let out anything from firewall host itself"
> >>> > pass out quick on em2 all keep state label "let out anything from firewall host itself"
> >>> > pass out quick on $pptp all keep state label "let out anything from firewall host itself pptp"
> >>> > pass out quick on $enc0 keep state label "IPSEC internal host to host"
> >>> >
> >>> > # let out anything from the firewall host itself and decrypted IPsec traffic
> >>> > pass out quick on em4 proto icmp keep state label "let out anything from firewall host itself"
> >>> > pass out quick on em4 all keep state label "let out anything from firewall host itself"
> >>> >
> >>> >
> >>> > # VPN Rules
> >>> > pass out quick on $wan proto udp from 209.218.218.138 to 65.119.178.137 port = 500 keep state label "IPSEC: Fire Station 3 - outbound isakmp"
> >>> > pass in quick on $wan proto udp from 65.119.178.137 to 209.218.218.138 port = 500 keep state label "IPSEC: Fire Station 3 - inbound isakmp"
> >>> > pass out quick on $wan proto esp from 209.218.218.138 to 65.119.178.137 keep state label "IPSEC: Fire Station 3 - outbound esp proto"
> >>> > pass in quick on $wan proto esp from 65.119.178.137 to 209.218.218.138 keep state label "IPSEC: Fire Station 3 - inbound esp proto"
> >>> > pass out quick on $wan proto udp from 209.218.218.138 to 65.119.178.129 port = 500 keep state label "IPSEC: Street Department - outbound isakmp"
> >>> > pass in quick on $wan proto udp from 65.119.178.129 to 209.218.218.138 port = 500 keep state label "IPSEC: Street Department - inbound isakmp"
> >>> > pass out quick on $wan proto esp from 209.218.218.138 to 65.119.178.129 keep state label "IPSEC: Street Department - outbound esp proto"
> >>> > pass in quick on $wan proto esp from 65.119.178.129 to 209.218.218.138 keep state label "IPSEC: Street Department - inbound esp proto"
> >>> > pass out quick on $wan proto udp from 209.218.218.138 to 65.119.178.154 port = 500 keep state label "IPSEC: Fire Station 2 - outbound isakmp"
> >>> > pass in quick on $wan proto udp from 65.119.178.154 to 209.218.218.138 port = 500 keep state label "IPSEC: Fire Station 2 - inbound isakmp"
> >>> > pass out quick on $wan proto esp from 209.218.218.138 to 65.119.178.154 keep state label "IPSEC: Fire Station 2 - outbound esp proto"
> >>> > pass in quick on $wan proto esp from 65.119.178.154 to 209.218.218.138 keep state label "IPSEC: Fire Station 2 - inbound esp proto"
> >>> > pass out quick on $wan proto udp from 209.218.218.138 to 70.227.28.14 port = 500 keep state label "IPSEC: EMS Building - outbound isakmp"
> >>> > pass in quick on $wan proto udp from 70.227.28.14 to 209.218.218.138 port = 500 keep state label "IPSEC: EMS Building - inbound isakmp"
> >>> > pass out quick on $wan proto esp from 209.218.218.138 to 70.227.28.14 keep state label "IPSEC: EMS Building - outbound esp proto"
> >>> > pass in quick on $wan proto esp from 70.227.28.14 to 209.218.218.138 keep state label "IPSEC: EMS Building - inbound esp proto"
> >>> > pass out quick on $wan proto udp from 209.218.218.138 to 70.237.44.110 port = 500 keep state label "IPSEC: Computer Support - outbound isakmp"
> >>> > pass in quick on $wan proto udp from 70.237.44.110 to 209.218.218.138 port = 500 keep state label "IPSEC: Computer Support - inbound isakmp"
> >>> > pass out quick on $wan proto esp from 209.218.218.138 to 70.237.44.110 keep state label "IPSEC: Computer Support - outbound esp proto"
> >>> > pass in quick on $wan proto esp from 70.237.44.110 to 209.218.218.138 keep state label "IPSEC: Computer Support - inbound esp proto"
> >>> >
> >>> > pass in quick on em0 inet proto tcp from any to $loopback port 8021 keep state label "FTP PROXY: Allow traffic to localhost"
> >>> > pass in quick on em0 inet proto tcp from any to $loopback port 21 keep state label "FTP PROXY: Allow traffic to localhost"
> >>> > pass in quick on em1 inet proto tcp from port 20 to (em1) port > 49000 user proxy flags S/SA keep state label "FTP PROXY: PASV mode data connection"
> >>> > # enable ftp-proxy
> >>> > pass in quick on em4 inet proto tcp from any to $loopback port 8022 keep state label "FTP PROXY: Allow traffic to localhost"
> >>> > pass in quick on em4 inet proto tcp from any to $loopback port 21 keep state label "FTP PROXY: Allow traffic to localhost"
> >>> >
> >>> > Vaughn
> >>> >
> >>> >
> >>> > Scott Ullrich wrote:
> >>> >> On 3/29/07, Vaughn L. Reid III <[EMAIL PROTECTED]> wrote:
> >>> >>> I didn't get the request, but I'll be happy to check to see if
> >>> >>> rules are being added.  Should I remove the manual rules that I
> >>> >>> created first before checking?
> >>> >>
> >>> >> Yes, please.   Then open up /tmp/rules.debug and look for "VPN
> >>> >> Rules".  Below that marker are the system generated IPSEC rules.
> >>> >> Do you see entries for the OPT interface?
> >>> >>
> >>> >> Scott
> >>> >>
> >>> >> 
> >>> ---------------------------------------------------------------------
> >>> >> To unsubscribe, e-mail: [EMAIL PROTECTED]
> >>> >> For additional commands, e-mail: [EMAIL PROTECTED]
> >>> >>
> >>> >
> >>> >
-- 
  Vaughn L. Reid III
  [EMAIL PROTECTED]
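
Added example, not part of the original thread and not pfSense's own code: a small POSIX sh/awk helper for the check Scott describes, reading the rules below the "VPN Rules" marker in /tmp/rules.debug and reporting which interface each tunnel's rules are bound to. The function names and the sample rules (with documentation-range addresses) are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample in the style of the rules.debug excerpt quoted in this thread.
sample_rules() {
cat <<'EOF'
# let out anything from the firewall host itself and decrypted IPsec traffic
pass out quick on em4 all keep state label "let out anything from firewall host itself"

# VPN Rules
pass out quick on $wan proto udp from 192.0.2.1 to 198.51.100.7 port = 500 keep state label "IPSEC: Site A - outbound isakmp"
pass in quick on $wan proto esp from 198.51.100.7 to 192.0.2.1 keep state label "IPSEC: Site A - inbound esp proto"
pass out quick on $wan proto udp from 192.0.2.1 to 203.0.113.9 port = 500 keep state label "IPSEC: Computer Support - outbound isakmp"
pass in quick on $wan proto esp from 203.0.113.9 to 192.0.2.1 keep state label "IPSEC: Computer Support - inbound esp proto"

pass in quick on em0 inet proto tcp from any to $loopback port 8021 keep state label "FTP PROXY: Allow traffic to localhost"
EOF
}

# Read rules on stdin; print one "tunnel<TAB>interface" line per distinct pair
# found among the IPSEC-labelled pass rules after the "# VPN Rules" marker.
vpn_rule_ifaces() {
  awk '
    /^# VPN Rules/ { in_vpn = 1; next }
    in_vpn && /^pass / && match($0, /label "IPSEC: [^"]*"/) {
      # Text between the 14-character prefix and the closing quote.
      tunnel = substr($0, RSTART + 14, RLENGTH - 15)
      sub(/ - (inbound|outbound) .*$/, "", tunnel)
      iface = ""
      for (i = 1; i < NF; i++) if ($i == "on") { iface = $(i + 1); break }
      if (!((tunnel, iface) in seen)) {
        seen[tunnel, iface] = 1
        printf "%s\t%s\n", tunnel, iface
      }
    }'
}

# Usage: check_tunnel_iface TUNNEL EXPECTED_IFACE < rules.debug
# Succeeds only if TUNNEL has rules and all of them are on EXPECTED_IFACE;
# prints any tunnel/interface pair that does not match.
check_tunnel_iface() {
  vpn_rule_ifaces | awk -F '\t' -v t="$1" -v want="$2" '
    $1 == t { found = 1; if ($2 != want) { print; bad = 1 } }
    END { if (!found || bad) exit 1 }'
}

sample_rules | vpn_rule_ifaces
```

On a live box the same functions take `/tmp/rules.debug` on stdin; the expected interface is whatever form the ruleset uses for it (a macro such as `$wan` or a device name such as `em4`).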