IP filters for tunnelling

Once an IPSec tunnel has been created between two hosts, the appropriate IP traffic must be directed through it. This is done by setting up special packet filter rules (referred to as tunnel rules) which apply to traffic transmitted between the two hosts.

A tunnel rule uses the same general syntax as a normal 'permit' rule, with one additional parameter: the tunnel parameter, which must be set to the local ID number of the tunnel being used.

The typical configuration will simply direct all IP traffic between the two hosts through the tunnel. Note that rules are required for both directions of traffic:

    permit <local ip> <local mask> <partner ip> <partner mask> all any 0 any 0 <interface> <routing> outbound t=<tunnel>
    permit <partner ip> <partner mask> <local ip> <local mask> all any 0 any 0 <interface> <routing> inbound  t=<tunnel>

Unlike a normal rule, a tunnel rule does not permit or deny traffic, but simply directs the matching traffic through the IPSec tunnel with the specified ID number. This means that additional rules must also be configured in order to permit the necessary IP traffic.

On a system where all IP traffic is permitted by default, the final rule would be:

    permit 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 all any 0 any 0 both both both

and no further rules would be required.

Otherwise, rules such as the following would be specified:

    permit <local ip> <local mask> <partner ip> <partner mask> esp any 0 any 0 <interface> <routing> inbound
    permit <partner ip> <partner mask> <local ip> <local mask> esp any 0 any 0 <interface> <routing> outbound
    permit <local ip> <local mask> <partner ip> <partner mask> ah  any 0 any 0 <interface> <routing> inbound
    permit <partner ip> <partner mask> <local ip> <local mask> ah  any 0 any 0 <interface> <routing> outbound

The first two rules permit ESP-encoded traffic to pass between the two systems; the last two permit AH-encoded traffic. Since all traffic which passes through the IPSec tunnel will be encoded with one of these two protocols, these rules should be sufficient.

The filter rules must be activated in the normal way, using the CFGFILT command:

    cfgfilt -u

As always, compatible configurations must be used on both hosts.
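The two gaps this page warns about, a tunnel rule with no counterpart for the other direction and a tunnel whose ESP/AH packets no plain permit rule covers, can be checked mechanically before running CFGFILT. The checker below is an added example, not part of the original documentation or of CFGFILT itself; it assumes one rule per line in the field order shown above (the `t=<tunnel>` parameter as a trailing field) and inspects a constructed rule set containing both gaps.

```python
"""Added checker for the tunnel rules and ESP/AH permits described above.
Assumed (not from the page): one rule per line, fields in the documented order
  permit src smask dst dmask proto sop sport dop dport iface routing direction [t=ID]"""
from collections import namedtuple

Rule = namedtuple("Rule", "src smask dst dmask proto direction tunnel")

SAMPLE_RULES = """\
# constructed: tunnel 1, local 10.0.0.1 <-> partner 10.0.0.2, one AH permit missing
permit 10.0.0.1 255.255.255.255 10.0.0.2 255.255.255.255 all any 0 any 0 both both outbound t=1
permit 10.0.0.2 255.255.255.255 10.0.0.1 255.255.255.255 all any 0 any 0 both both inbound t=1
permit 10.0.0.1 255.255.255.255 10.0.0.2 255.255.255.255 esp any 0 any 0 both both inbound
permit 10.0.0.2 255.255.255.255 10.0.0.1 255.255.255.255 esp any 0 any 0 both both outbound
permit 10.0.0.1 255.255.255.255 10.0.0.2 255.255.255.255 ah any 0 any 0 both both inbound
# constructed: tunnel 2 has only one direction and no ESP/AH permits
permit 10.0.0.1 255.255.255.255 10.0.0.3 255.255.255.255 all any 0 any 0 both both outbound t=2
"""

def parse_rule(line):
    """Parse one 'permit' line; returns None for comments, blanks and other actions."""
    f = line.split()
    if len(f) < 13 or f[0].lower() != "permit":
        return None
    tunnel = next((int(x[2:]) for x in f[13:] if x.lower().startswith("t=")), None)
    return Rule(f[1], f[2], f[3], f[4], f[5].lower(), f[12].lower(), tunnel)

def check_tunnel_rules(text):
    """List problems: a tunnel rule without its reverse-direction partner, or a
    tunnelled host pair whose ESP or AH packets no plain rule permits."""
    rules = [r for r in map(parse_rule, text.splitlines()) if r]
    tunnel_rules = [r for r in rules if r.tunnel is not None]
    plain = [r for r in rules if r.tunnel is None]

    def permitted(proto, src, dst):
        # A plain rule for that protocol (or 'all') on the pair, or the 0.0.0.0 catch-all.
        for r in plain:
            catch_all = {r.src, r.smask, r.dst, r.dmask} == {"0.0.0.0"}
            if r.proto in (proto, "all") and (catch_all or (r.src, r.dst) == (src, dst)):
                return True
        return False

    problems = []
    for r in tunnel_rules:
        if not any(x.tunnel == r.tunnel and (x.src, x.dst) == (r.dst, r.src)
                   and x.direction != r.direction for x in tunnel_rules):
            problems.append("tunnel %d: no rule for %s -> %s" % (r.tunnel, r.dst, r.src))
        for proto in ("esp", "ah"):  # the tunnel rule itself permits nothing
            if not permitted(proto, r.src, r.dst):
                problems.append("tunnel %d: %s %s -> %s not permitted" % (r.tunnel, proto, r.src, r.dst))
    return sorted(set(problems))
```

Appending the catch-all rule from the "all IP traffic is permitted by default" case clears the ESP/AH findings but not the missing reverse-direction tunnel rule, which no permit rule can substitute for.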
