Bug #5500

closed

IPsec won't create firewall rules when you use an IP Alias on "Interface"

Added by Heiler Bemerguy over 8 years ago. Updated about 8 years ago.

Status: Resolved
Priority: Normal
Category: IPsec
Target version:
Start date: 11/20/2015
Due date:
% Done: 100%
Estimated time:
Plus Target Version:
Release Notes:
Affected Version: All
Affected Architecture:

Description

Set interface to an IP Alias:
[2.2.5-RELEASE]/root: pfctl -sr |grep -i ipsec
anchor "ipsec/*" all
pass out on enc0 all flags S/SA keep state label "IPsec internal host to host"

Set interface to an interface "name" (like WAN, LAN)
[2.2.5-RELEASE]/root: pfctl -sr | grep -i ipsec
anchor "ipsec/*" all
pass out on enc0 all flags S/SA keep state label "IPsec internal host to host"
pass out route-to (vmx2 201.72.x.x) inet proto udp from (self) to 170.66.x.x port = isakmp keep state label "IPsec: Acesso BB - outbound isakmp"
pass in on vmx2 reply-to (vmx2 201.72.x.x) inet proto udp from 170.66.x.x to (self) port = isakmp keep state label "IPsec: Acesso BB - inbound isakmp"
pass out route-to (vmx2 201.72.x.x) inet proto udp from (self) to 170.66.x.x port = sae-urn keep state label "IPsec: Acesso BB - outbound nat-t"
pass in on vmx2 reply-to (vmx2 201.72.x.x) inet proto udp from 170.66.x.x to (self) port = sae-urn keep state label "IPsec: Acesso BB - inbound nat-t"
pass out route-to (vmx2 201.72.x.x) inet proto esp from (self) to 170.66.x.x keep state label "IPsec: Acesso BB - outbound esp proto"
pass in on vmx2 reply-to (vmx2 201.72.x.x) inet proto esp from 170.66.x.x to (self) keep state label "IPsec: Acesso BB - inbound esp proto"
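
A check for the condition reported above, as an added example that is not part of the original report or of pfSense: it reads `pfctl -sr` output and lists which of the six per-tunnel pass rules have no matching label. The function names are hypothetical, the label format is assumed from the output in the report, and the sample input is copied from that output.

```shell
#!/bin/sh
# Added example (not pfSense code). The label format
# "IPsec: <description> - <direction> <kind>" is assumed from the report's output.

# Reads `pfctl -sr` output on stdin; prints each expected rule kind that has
# no matching label for tunnel description $1. Returns 1 if any are missing.
missing_ipsec_rules() {
    desc=$1
    rules=$(cat)
    missing=0
    for suffix in "outbound isakmp" "inbound isakmp" \
                  "outbound nat-t" "inbound nat-t" \
                  "outbound esp proto" "inbound esp proto"; do
        if ! printf '%s\n' "$rules" |
             grep -F -q -- "label \"IPsec: $desc - $suffix\""; then
            printf '%s\n' "$suffix"
            missing=1
        fi
    done
    return "$missing"
}

# Sample input copied from the report: Interface set to an IP Alias.
sample_alias() {
    cat <<'EOF'
anchor "ipsec/*" all
pass out on enc0 all flags S/SA keep state label "IPsec internal host to host"
EOF
}

# Sample input copied from the report: Interface set to an interface name.
sample_named() {
    sample_alias
    cat <<'EOF'
pass out route-to (vmx2 201.72.x.x) inet proto udp from (self) to 170.66.x.x port = isakmp keep state label "IPsec: Acesso BB - outbound isakmp"
pass in on vmx2 reply-to (vmx2 201.72.x.x) inet proto udp from 170.66.x.x to (self) port = isakmp keep state label "IPsec: Acesso BB - inbound isakmp"
pass out route-to (vmx2 201.72.x.x) inet proto udp from (self) to 170.66.x.x port = sae-urn keep state label "IPsec: Acesso BB - outbound nat-t"
pass in on vmx2 reply-to (vmx2 201.72.x.x) inet proto udp from 170.66.x.x to (self) port = sae-urn keep state label "IPsec: Acesso BB - inbound nat-t"
pass out route-to (vmx2 201.72.x.x) inet proto esp from (self) to 170.66.x.x keep state label "IPsec: Acesso BB - outbound esp proto"
pass in on vmx2 reply-to (vmx2 201.72.x.x) inet proto esp from 170.66.x.x to (self) keep state label "IPsec: Acesso BB - inbound esp proto"
EOF
}

# Demo on the IP Alias sample: all six rule kinds are listed as missing.
sample_alias | missing_ipsec_rules "Acesso BB" || echo "rules listed above are missing"
```

On a firewall the same function takes live input: `pfctl -sr | missing_ipsec_rules "Acesso BB"`.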
