    Netgate Discussion Forum
    IPSEC filtering now present in recent snapshots

    IPsec
      sullrich wrote:

      HEADS UP!

      IPSEC filtering is now present in the 1.0.X branch, first appearing in
      today's snapshot.

      By default on upgrade we will install a default PASS rule for the
      IPSEC interface to permit traffic. So basically anyone upgrading will
      not see a difference. However, you can edit the default rule and
      introduce fine-grained control of the IPSEC tunnels if you wish.

      The feature will appear in today's snapshot, which is currently building,
      located at http://snapshots.pfsense.com/FreeBSD6/RELENG_1/updates/

      Have fun!

        eskild wrote:

        Hi Scott, the filtering is most welcome.
        I have tested the filtering through IPSEC tunnels on 1.0.1-SNAPSHOT-03-15-2007, and after rejecting any-any in the IPSEC rules, I can still send traffic through the tunnels.

        Is the filtering just for mobile clients, or should the tunnels be filtered too?

        Thanks,
        Eskild

          hoba wrote:

          A new ruleset is only applied for new connections. If there are old states they will still be allowed until they are closed or time out. Make sure you don't test with old states (maybe do a Diagnostics > States, reset states).

            eskild wrote:

            I did reset the states and deleted both IPSEC SAs, but I can still ping a host at the remote site.

            //Eskild

              hoba wrote:

              This is for incoming traffic. Traffic that is sent from the remote end to you through the tunnel. If you have a pass any rule at LAN it allows traffic to go into the tunnel, of course. You have to test this coming from the m0n0 end pinging through the tunnel.

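The two points hoba makes, that IPsec interface rules match traffic arriving from the tunnel and that pf is stateful, are easier to see side by side in a ruleset. The fragment below is an added illustration written in pf.conf syntax; it is not the ruleset pfSense generates and not from this thread. It assumes the IPsec interface is `enc0` (pf's IPsec interface on FreeBSD) and uses placeholder interface and subnet values.

```pf
# Added example in pf.conf syntax; not pfSense's generated ruleset.
# Assumptions: enc0 is the IPsec interface, em0 is LAN, all addresses are placeholders.
lan        = "em0"
lan_net    = "192.168.1.0/24"
remote_net = "10.0.0.0/24"        # subnet behind the remote tunnel endpoint

# Equivalent of the default rule installed on upgrade: everything the tunnel
# delivers is accepted, so an upgraded box behaves as before.
# pass in quick on enc0 from any to any keep state

# Tightened version: the remote site may only reach one LAN host on TCP 443;
# anything else arriving from the tunnel is dropped and logged.
block in log on enc0 all
pass in quick on enc0 proto tcp from $remote_net to 192.168.1.10 port 443 keep state

# Direction matters. The enc0 rules above see packets entering this firewall
# FROM the tunnel (remote -> local). Packets leaving the LAN TOWARDS the tunnel
# are matched on the LAN interface, so a pass-any rule there still lets local
# hosts ping the remote site, exactly as observed earlier in this thread.
pass in quick on $lan from $lan_net to any keep state
```

Because the rules create state, connections that were already passed keep matching their existing state entries after the ruleset changes. When re-testing a tightened enc0 rule, flush the state table first (Diagnostics > States, reset states in the web GUI, or `pfctl -F states` at the shell), then originate the test traffic from the remote end of the tunnel rather than from the LAN.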
                eskild wrote:

                I just noticed that. Thanks, I'll keep that in mind.

                Cheers,
                //Eskild

                  hoba wrote:

                  So it is working correctly now?

                    eskild wrote:

                    Yes, perfect.
                    Thanks.

© 2021 Rubicon Communications, LLC