routing gif0 ipsec

Nicolas de Bari Embriz Garcia Rojas nbari at k9.cx
Tue Apr 29 18:18:15 UTC 2008


Hi all, the solution to my problem was to recompile the kernel with this option:

#options IPSEC_FILTERGIF

Now I can route/NAT traffic with pf without any problems, hope this can help someone.

regards


> Nicolas de Bari Embriz Garcia Rojas wrote:
>> Hi all, I am trying to all traffic from a gif0 interface used for a VPN to a public IP on the same server that is like an alias.
>> I have the following schema (FreeBSD 6.3):
>> gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
>>     tunnel inet 67.228.79.224 --> 74.86.163.16
>>     inet 172.16.224.1 --> 172.16.16.1 netmask 0xffffffff
>> em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>>     options=1b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING>
>>     inet 67.228.78.162 netmask 0xfffffff8 broadcast 67.228.78.167
>>     inet 67.228.79.224 netmask 0xffffffff broadcast 67.228.79.224
>> The VPN from point 172.16.224.1 --> 172.16.16.1 works, I can ping/telnet to 172.16.16.1 and get a response.
>> The jail is running on IP 67.228.79.224 (the same IP used for doing the VPN/IPsec) but if I log in to that jail (jexec 1 csh) I cannot ping 172.16.16.1.
>> Currently I am trying this with pf:
>> -- 
>> nat pass on gif0 from 67.228.79.224 to 172.16.16.1 -> 172.16.224.1
>> rdr pass on gif0 proto tcp from any to any port 80 -> 67.228.79.224
>> pass in log from any to any keep state
>> pass out log from any to any keep state
>> -- 
>> but it is not working, from the jail (67.228.79.224) I cannot ping/telnet the VPN 172.16.16.1.
>> There is a tool called jumpgate with which I can redirect incoming TCP to gif0 and forward traffic to em1 without problems, but instead I would like to use pf:
>> jumpgate -b 172.16.224.1 -l 80 -r 80 -a 67.228.79.224
>> With this I can telnet from the other end point to port 80 and I can forward the connection to the public IP of the jail through the VPN tunnel.
>> Any ideas on how to solve this issue using pf or maybe some routing rules?
>> Regards.
>> _______________________________________________
>> freebsd-pf at freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
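As an added illustration (not part of either mail in the thread), the kernel configuration fragment below shows how the fix in the reply is applied on a FreeBSD 6.x system. In config(5) syntax a line beginning with `#` is a comment, so `#options IPSEC_FILTERGIF` as written would be ignored by config(8); the option only takes effect when it appears uncommented. IPSEC_FILTERGIF makes packets that were decapsulated from the IPsec/gif tunnel pass through the packet filter a second time, which is why pf's nat and rdr rules on gif0 start matching. The kernel name MYKERNEL and the surrounding IPsec/pf lines are assumptions for the example, not the poster's actual configuration.

```conf
# MYKERNEL - example kernel config fragment (assumed name, FreeBSD 6.x)
# Lines starting with '#' are comments in config(5); keep the real
# options uncommented.

ident       MYKERNEL

# IPsec (KAME) support and the gif tunnel interface
options     IPSEC
options     IPSEC_ESP
device      gif

# In-kernel pf and its logging interface
device      pf
device      pflog

# Ineffective: this is a comment, config(8) never sees the option
#options    IPSEC_FILTERGIF

# Effective: decapsulated tunnel packets are re-filtered, so pf's
# nat/rdr rules on gif0 apply to them
options     IPSEC_FILTERGIF
```

Build and install with the usual `make buildkernel KERNCONF=MYKERNEL` followed by `make installkernel KERNCONF=MYKERNEL` from /usr/src, then reboot before re-testing the pf rules.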