On Mon, 7 Apr 2003, ted jordan, jordanteam wrote:
> ...
> 5) kill isakmpd
> ...
> Is it necessary to use
> pfctl -F all
> ipsecadm flush
> after every test? Should I be flushing anything else?
If you just kill (or kill -TERM) isakmpd, it will send DELETE
notifications to the other side so that you will not need the ipsecadm
flush command. If you kill it with 'kill -KILL' (-9), isakmpd will not get
a chance to do this, and you will have to flush the flows manually.
> # VPN settings per "man vpn"
> # VPN isakmpd features
> pass in proto esp from $gatewB to $gatewA
> pass out proto esp from $gatewA to $gatewB
> pass in on enc0 from $netB to $netA
> pass out on enc0 from $netA to $netB
> pass out on $ExtIF proto udp from $gatewA port = 500 to $gatewB port = 500
> pass in proto udp from $gatewB to $gatewA port=500
> pass out proto udp from $gatewA to $gatewB port=500
Looks pretty sane, although it may be that the enc0 rules need to permit
traffic from/to the other $gatew (as you get the decrypted, but still
encapsulated packets on this interface). I usually run with 'pass in on
enc0 all', so I have not tested this much.
I assume you use a 'block log all' default rule? You should get some hits
here if your rules block too much.
(The third last rule doesn't really help here, btw, as the last permits
similar (more) traffic).
/H
--
Håkan Olsson <ho_(_at_)_crt_(_dot_)_se>   (+46) 708 437 337
Unix, Networking, Security                 (+46) 31 701 4264
Carlstedt Research & Technology AB