Re: pf does not pass esp?
On Thu, 21 Mar 2002 10:15:02 +0100
"Arvid Grøtting" <arvidg@netfonds.no> hit the keyboard and punched:
> Rickard Borgmäster <doktorn@realworld.nu> writes:
>
> > Does this mean, that I cannot use ESP on a machine located behind the
> > OpenBSD PF firewall?
>
> No; you can, but the machine must have an official IP address. (More
> precisely, it must have the same address on both sides of the PF
> firewall.)
Maybe I'm affected by this after all... this is my setup:
W2K-Client    FreeBSD                     OpenBSD           Mailserver
<10.0.8.17>---<130.236.218.63>---(inet)---<213.88.128.173>--<10.0.0.1>
nat:ed net    ipfilter/ipnat              alias:            binated to:
                                          213.88.128.161    213.88.128.161
I use isakmpd for this. On the FreeBSD gw I have set remote network to
213.88.128.160/28.
The tunnels tied together are 10.0.8.16/28 <-> 213.88.128.160/28. A more
common setup would be 10.0.8.16/28 <-> 10.0.0.0/24. But I do not want to
tunnel like that, since the FreeBSD nameserver doesn't know of 10.0.0.0/24
addresses.
From W2K-Client I can ping mailserver. However, it seems as if the OpenBSD
box does the reply. If I telnet port 25 on mailserver, I reach OpenBSD
sendmail instead of the mailserver on 10.0.0.1 :-(
--
Rickard
Rickard Borgmäster
doktorn@sub.nu
http://doktorn.sub.nu/
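To make the symptom in the post concrete, here is an added Python model (not code from the post, from pf or from isakmpd) of the OpenBSD gateway's decision path, using the addresses from the diagram. The binat rule on the external interface, the cleartext test address 198.51.100.7 and the three-step ordering (translate on the external interface, decrypt ESP, then deliver or forward) are assumptions that simplify pf's real behaviour; the point shown is that translation keyed on the public alias never sees the inner header of an ESP packet, so the decrypted packet is addressed to an alias the gateway itself owns.

```python
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                        # "tcp", "icmp" or "esp"
    inner: Optional["Packet"] = None  # ESP tunnel mode: protected packet, opaque until decrypted


# Addresses taken from the diagram in the post.
OPENBSD_EXT = "213.88.128.173"
ALIAS = "213.88.128.161"             # alias on the OpenBSD box, binat target for the mailserver
MAILSERVER = "10.0.0.1"
LOCAL_ADDRS = {OPENBSD_EXT, ALIAS}   # addresses the OpenBSD stack answers for itself

# Assumed pf rule: binat on the external interface, public alias <-> mailserver.
BINAT_ON_EXT_IF = {ALIAS: MAILSERVER}


def openbsd_receive(pkt: Packet):
    """Simplified model of the gateway: returns (final recipient, decision trail)."""
    trail = []
    # 1. Translation on the external interface only sees the *outer* header.
    if pkt.dst in BINAT_ON_EXT_IF:
        pkt = replace(pkt, dst=BINAT_ON_EXT_IF[pkt.dst])
        trail.append("binat on ext_if: dst -> %s" % pkt.dst)
    else:
        trail.append("binat on ext_if: no match for dst %s" % pkt.dst)
    # 2. ESP addressed to this host is decrypted; the inner packet surfaces only now.
    if pkt.proto == "esp" and pkt.dst in LOCAL_ADDRS and pkt.inner is not None:
        pkt = pkt.inner
        trail.append("ESP decrypted: inner dst %s" % pkt.dst)
    # 3. A destination that is one of our own addresses goes to the local stack.
    if pkt.dst in LOCAL_ADDRS:
        trail.append("delivered locally (this box owns %s)" % pkt.dst)
        return "openbsd", trail
    trail.append("forwarded to %s" % pkt.dst)
    return pkt.dst, trail


# Constructed packets: telnet 25 from the W2K client through the isakmpd tunnel ...
SMTP_VIA_TUNNEL = Packet("130.236.218.63", OPENBSD_EXT, "esp",
                         inner=Packet("10.0.8.17", ALIAS, "tcp"))
# ... and the same SMTP connection arriving in the clear from the Internet (constructed source).
SMTP_CLEARTEXT = Packet("198.51.100.7", ALIAS, "tcp")

if __name__ == "__main__":
    for name, p in (("tunnel", SMTP_VIA_TUNNEL), ("cleartext", SMTP_CLEARTEXT)):
        who, trail = openbsd_receive(p)
        print(name, "->", who, "|", "; ".join(trail))
```

Running it shows the tunnelled connection ending at the OpenBSD stack (the sendmail the post reaches) while the cleartext one is translated and forwarded to 10.0.0.1.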