how to configure a FreeBSD firewall to pass IPSec?

Danny Carroll fbsd at dannysplace.net
Tue May 6 15:07:51 PDT 2003


> On Tue, 6 May 2003, Danny Carroll wrote:
> > FYI I have done this in ipfw/natd...  It's just as easy.  I think I only added
> > one rule to my firewall and nothing to my natd.conf
> >
> > Now I can vpn from any machine on the internal lan to multiple vpn's.
> > If you want I can send you the ruleset.
>
> Please do!  I was just working up to converting, but if it works, this'll
> be much easier.
> Matt Piechota


Umm  I looked at my ruleset and I found nothing...
Then I remembered what I needed to do..

Basically 90% of the rulesets out there work on allowing IP and UDP
But since esp is a different protocol to IP, it gets dropped.

I think those that wanted my ruleset do not really need it...  Just look for
the lines that you have saying "allow ip from..." and add similar ones that
say "allow esp from" or change them to "allow tcp from"
That last one is what I have done and it occurs to me now that it might just
be a little too open...

So, here is the ruleset I would write for a standard home gateway with an
internal network of 192.168.100.x and an external IP address of 1.2.3.4
xl0 is the outside interface, xl1 is the inside.

Now, this minute, I have left my laptop at work so I have no way to test the
VPN, but I am pretty sure that normal udp/tcp keep state rules allow esp....

Someone hit me over the head if I have muddled this up...  It's a little late.

-D
p.s. Will send my ruleset if you *really* want it. But not to the list.
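An added example, not Danny's ruleset (which he did not post to the list) and not any FreeBSD stock file: an ipfw fragment for the gateway he sketches (192.168.100.x behind 1.2.3.4, xl0 outside, xl1 inside) that passes IPsec through the box. The rule numbers, the `fwcmd` variable, the `ipsec_rules` function name and the dry-run convention are assumptions of this example. The protocol facts it relies on are standard: IKE runs over UDP port 500 (UDP 4500 when NAT traversal is in use, in which case the ESP payload is itself carried in UDP), while native ESP is IP protocol 50 and AH is IP protocol 51, so neither is matched by a `tcp` or `udp` rule, stateful or not, and must be allowed by protocol name.

```shell
#!/bin/sh
# Example ipfw fragment (added here; not from the original post).
# Topology from the post: LAN 192.168.100.0/24 on xl1, public 1.2.3.4 on xl0.
# Rule numbers, variable and function names are assumptions of this example.
# Run with "apply" to load into ipfw; any other invocation only prints the
# commands that would be run (fwcmd=echo), which is what the dry run below does.

fwcmd="${fwcmd:-/sbin/ipfw}"
oif="xl0"                      # outside interface
iif="xl1"                      # inside interface (unused here, kept for context)
oip="1.2.3.4"                  # public address
inet="192.168.100.0/24"        # internal network

ipsec_rules() {
    # IKE (UDP 500) and NAT-T (UDP 4500) leaving the box, and their replies.
    # Being UDP, these are also covered by the usual udp keep-state rules.
    $fwcmd add 1010 allow udp from any to any 500,4500 out via $oif
    $fwcmd add 1011 allow udp from any 500,4500 to any in via $oif
    # ESP (IP protocol 50) and AH (51) are neither TCP nor UDP: a rule set that
    # only allows tcp/udp drops them, so allow them by protocol name. "any to any"
    # on the outside interface is deliberately broad; tightening it to the
    # remote VPN gateway addresses is the obvious next step. With natd on the
    # same host, place these so they see the addresses visible at that point
    # in the rule chain (before or after the divert rule).
    $fwcmd add 1020 allow esp from any to any via $oif
    $fwcmd add 1030 allow ah from any to any via $oif
}

# Count the ipfw "add" commands the function would issue (dry run).
count_rules() {
    fwcmd=echo ipsec_rules | grep -c 'add '
}

case "${1:-dryrun}" in
    apply)  ipsec_rules ;;
    *)      fwcmd=echo; ipsec_rules ;;
esac
```

Save it as, say, /usr/local/etc/ipsec-rules.sh and call it from the firewall script after the rules that allow the rest of the LAN's traffic; running it without arguments prints the four ipfw commands so they can be reviewed before loading.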
