Hello all,

I sent this message yesterday but didn't get a reply. Perhaps it was missed. I will ask the question again:

On my production FreeBSD VPN machine I am running ipfw as the firewall. I have about 6 site-to-site VPNs going in and out of this box. They are all attached to external clients that I don't really want to give total access to my network.

I would like to replace this box with m0n0wall. From the documentation on m0n0wall, I've gleaned that you cannot use the firewall to limit access to specific machines if using the IPSEC VPN. This seems strange to me, as I've been doing this for ages.

I used the /exec.php page to load the ipfw module, and did some tests of my own. It seems that ipfw can block this access just fine. Is there no way at all of having ipfilter do the same thing?

I was using a rule in ipfw such as this:

    ipfw add allow all from 10.2.1.5 to 10.3.1.7
    ipfw add deny all from 10.2.0.0/16 to any

This seems to block the traffic just fine. Is there a workaround to make ipfilter work like this?

Any input is appreciated.

Thanks,
Angus