* Quoting Chris Buechler (cbuechler at gmail dot com):

> On 12/15/05, Bob . <tempuserone at yahoo dot com> wrote:
> > Thanks for responding to my previous post.
> >
> > After reviewing the recommended post it appears the problem lies with IPFilter. I was wondering if PFsense (using openbsd's packet filter) has the same problem or would it be usable in the configuration I outlined earlier.
> >
>
> same issue, this is a freebsd and ipsec limitation, not related to
> what firewall you're using.

It's not an IPsec issue. It's possible to exclude networks in the policies and have a setup like the one desired. It's just not possible in the m0n0wall UI.

Btw. m0n0wall does this internally to keep the webGUI accessible:

$ setkey -DP
192.168.1.0/24[any] 192.168.1.1[any] any
	in none
	spid=29 seq=3 pid=3273
	refcnt=1
192.168.2.3[any] 192.168.1.0/24[any] any
	in ipsec
	esp/tunnel/192.168.2.3-192.168.2.1/unique#16400
	spid=32 seq=2 pid=3273
	refcnt=1
192.168.1.1[any] 192.168.1.0/24[any] any
	out none
	spid=30 seq=1 pid=3273
	refcnt=1
192.168.1.0/24[any] 192.168.2.3[any] any
	out ipsec
	esp/tunnel/192.168.2.1-192.168.2.3/unique#16399
	spid=31 seq=0 pid=3273
	refcnt=1

regards,
Rolf
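The pattern Rolf's setkey -DP dump shows (a "none" policy for the excluded traffic, then the tunnel policy for everything else) can be written by hand as a setkey(8) policy file. The following is an added example, not code from the original thread or from m0n0wall; every address in it is an assumption chosen for illustration: a site-to-site tunnel between a local LAN 192.168.1.0/24 (firewall LAN address 192.168.1.1) and a remote LAN 192.168.2.0/24, with tunnel endpoints 203.0.113.1 (local) and 198.51.100.1 (remote), plus a hypothetical subnet 192.168.1.192/26 that must stay out of the tunnel.

```conf
# Added example (not from the original post or m0n0wall). Assumed addresses:
#   local LAN 192.168.1.0/24, firewall LAN address 192.168.1.1
#   remote LAN 192.168.2.0/24
#   tunnel endpoints 203.0.113.1 (local) and 198.51.100.1 (remote)
#   192.168.1.192/26: hypothetical subnet that must bypass the tunnel
#
# Load:    setkey -f /path/to/this/file
# Verify:  setkey -DP   (the "none" entries should be listed ahead of the
#                        "ipsec" entries for each direction)

# Start from an empty SPD so the entries below are installed in file order.
spdflush;

# Exclusions first. "none" means the packet is not subject to IPsec at all.
# 1) Keep the firewall's own LAN address reachable (what m0n0wall does for
#    its webGUI).
spdadd 192.168.1.0/24 192.168.1.1 any -P in  none;
spdadd 192.168.1.1 192.168.1.0/24 any -P out none;

# 2) Keep the hypothetical 192.168.1.192/26 subnet out of the tunnel in both
#    directions, even though it falls inside 192.168.1.0/24.
spdadd 192.168.1.192/26 192.168.2.0/24 any -P out none;
spdadd 192.168.2.0/24 192.168.1.192/26 any -P in  none;

# Then the broad tunnel policy. "require" insists on ESP; the racoon-managed
# entries in Rolf's dump use "unique#<id>" instead, which racoon sets itself.
spdadd 192.168.1.0/24 192.168.2.0/24 any -P out ipsec
       esp/tunnel/203.0.113.1-198.51.100.1/require;
spdadd 192.168.2.0/24 192.168.1.0/24 any -P in  ipsec
       esp/tunnel/198.51.100.1-203.0.113.1/require;
```

Order matters: on the KAME-derived IPsec stack FreeBSD shipped at the time, the SPD is searched in insertion order and the first matching entry wins, so a "none" exclusion that is added after the /24 tunnel policy never matches. That is why the exclusions precede the tunnel entries here and why Rolf's dump lists the "none" policies first for each direction. After loading, confirm the order with setkey -DP, and check that the exclusion does not silently expose traffic you meant to encrypt: anything matching a "none" policy leaves the box in the clear.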