I have an IPSEC tunnel working on my OpenBSD 3.2. However, interface 'enc0' is
down and does not have an address assigned to it. Is that normal? The ipsec(4) man
page mentions that I could assign NAT rules to it.

I'm using OBSD 3.0 with pf, nat and isakmpd.
All works fine, but I'm tightening up my rules.
My default rules block in and out on all interfaces (internal, external and
dmz); I then proceed to open things up.
My problem comes from my vpn connections using enc0.
I allow in from any to the internal network on enc0:

  pass in quick on enc0 from any to $int_net keep state

but I also need to allow those connections to pass out on my internal
interface. I currently just allow from any - hoping that my external
interface rules are blocking all inbound - so any traffic would implicitly
be coming from enc0.
I hate leaving rules implicit. Since I have a number of sites using
private IPs, I'd rather not have to maintain a bunch of rules for each of
those sites' address ranges. Is there any easier way to specify that things
going out the internal interface can only come from enc0? Since enc0 is
virtual and has no IP, I can't do:

  pass out quick on $int_if from enc0 to $int_net keep state

So I currently have:

  pass out quick on $int_if from any to $int_net keep state
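The following pf.conf fragment is an added example of one way to express "only traffic that entered through enc0 may leave on the internal interface" without listing every remote site's address range; it is not part of either post above. It assumes a pf release with `tag`/`tagged` support (introduced in OpenBSD 3.4, so not available on the 3.0 and 3.2 systems being discussed), and the interface names and network in the macros are placeholders.

```pf
# Added example, not from the original posts. Assumes pf with tag/tagged
# (OpenBSD 3.4 or later). Interface names and $int_net are placeholders.
ext_if  = "xl0"
int_if  = "xl1"
int_net = "192.168.1.0/24"

# Default deny in both directions on every interface, as in the post.
block in  all
block out all

# Packets arriving through the IPsec tunnel are marked as they enter on
# enc0. The tag is sticky: it stays on the packet while it is forwarded
# and evaluated again on the outbound interface.
pass in quick on enc0 from any to $int_net tag VPN_IN keep state

# On the internal interface, forward only packets carrying that mark.
# Anything else destined for $int_net still hits the default block rules,
# so no per-site address list is needed.
pass out quick on $int_if from any to $int_net tagged VPN_IN keep state
```

Because pf's default state mode is floating, the state created by the enc0 rule already matches the same packet when it leaves on $int_if, so the tagged rule is consulted only for packets without an existing state; its value is that untagged traffic towards $int_net (anything that did not come in over enc0) is still dropped by the default block rather than passed by a `from any` rule.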