[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: VPN client cannot connect through OpenBSD router/firewall



Michael Erdely wrote:
You're doing a "block all" and then aren't allowing esp traffic out.
Try adding the following with your tcp, udp and icmp pass out rules:
pass out $log_flg on $ext_if proto esp all keep state

When troubleshooting something like this, it may be useful to to add
"log" to your default block rule so you'll at least see what's being
dropped.

Thank you very much for the advice. This worked like a charm. How did you know, or better yet, how could I have known that I needed to pass out the esp protocol? By seeing what was dropped?


rvb

PS - Apologies for cross-posting to the newbie list. I thought my email to the pf list didn't get through. Also, much thanks to everyone else for their responses. I will keep them on file because I think they'll be needed if I'm setting up my own VPN solution and/or need more granularity in my rule set.