IPsec and firewall

[jhirth]

I've got a working ipsec tunnel between untangle and a sonicwall box at a client.

I'm wondering, as the person posting here:
24908-destination-networks.html#post146477 (sorry can't post links)
also did, how I can apply firewall rules to traffic on the ipsec tunnel? It all seems to be bypassed.

Thanks
JYH

[dmorris]

All IPsec tunnel traffic is bypassed. You can use packet filter if you want, but the firewall app won't see any of the traffic coming out of the tunnel.

[sky-knight]

Facinating.

OpenVPN traffic is subject to the firewall, a fact I exploit the crap out of every day. So IPSec is bypassed... but IPSec is working with Bandwidth Control, when OpenDNS does not.

We have a nice web of feature mesh.

[jhirth]

All IPsec tunnel traffic is bypassed. You can use packet filter if you want, but the firewall app won't see any of the traffic coming out of the tunnel.

Can I disable the bypass by unchecking the "Bypass IPsec VPN traffic" system bypass rule?

Going the packet filter route,I just tested that and couldn't get it to work. I set a filter to reject traffic with a source address of the remote lan and a specified destination port. The traffic still gets through.

JYH

[sky-knight]

I think that packet filter rule has to do with the tunnel traffic, not the traffic within the tunnel.

[dmorris]

Can I disable the bypass by unchecking the "Bypass IPsec VPN traffic" system bypass rule?

That applies to IPsec traffic going *through* untangle.

The stuff ending at untangle is automatically bypassed.
You can disable that by editing bypass-rules by hand, but then your IPsec traffic won't pass at all.

[jhirth]

OK, so getting back to the packet filter idea ...

How do I specify a packet filter that applies to traffic traversing the tunnel? The only way I can see to specify it is by specifying the remote network and that didn't work.

[dmorris]

I don't know without looking at your rule and knowing more about your network.
Call support if you have live support.