I have a node that runs an ipsec security policy as a non-routing
"endpoint" type station. That is, only traffic originating on the node
is encrypted into the tunnel.
I also need this node to forward (i.e. route) traffic, unencrypted,
between two of its interfaces. I could not seem to get a security
policy that would allow this forwarding to happen.
The subnets that the node should forward for are 192.168.122.0/24 and
10.75.22.0/24. I was hoping the following security policy would allow
this (yes, there is no actual ipsec in this policy because I distilled
it down to the smallest, most basic policy I could build that
demonstrates my problem):
1. spdadd 0.0.0.0/0 0.0.0.0/0 tcp -P in none;
2. spdadd 0.0.0.0/0 0.0.0.0/0 tcp -P out none;
3. spdadd 192.168.122.32/32 10.75.22.3/32 any -P fwd none;
4. spdadd 10.75.22.3/32 192.168.122.32/32 any -P fwd none;
5. spdadd 0.0.0.0/0 0.0.0.0/0 any -P fwd discard;
6. spdadd 0.0.0.0/0 0.0.0.0/0 any -P out discard;
7. spdadd 0.0.0.0/0 0.0.0.0/0 any -P in discard;
And it does, as long as I don't include lines 6-7, but I'd like to keep
those lines to strengthen my security policy.
Any ideas? Anyone have a policy that achieves the same, or a similar
goal they could share?
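An added example, not from the original post: a small Python simulator of SPD lookup that loads the seven-line policy above and evaluates a forwarded packet against it. It assumes Linux kernel behaviour in which a forwarded packet is checked against the fwd policy on input and then against the out policy on output, and it simplifies precedence to first match in listed order; the two extra "out none" entries are hypothetical additions used to show their effect.

```python
import ipaddress

# The seven spdadd lines from the post (constructed copy, one rule per line).
ORIGINAL = """
spdadd 0.0.0.0/0 0.0.0.0/0 tcp -P in none;
spdadd 0.0.0.0/0 0.0.0.0/0 tcp -P out none;
spdadd 192.168.122.32/32 10.75.22.3/32 any -P fwd none;
spdadd 10.75.22.3/32 192.168.122.32/32 any -P fwd none;
spdadd 0.0.0.0/0 0.0.0.0/0 any -P fwd discard;
spdadd 0.0.0.0/0 0.0.0.0/0 any -P out discard;
spdadd 0.0.0.0/0 0.0.0.0/0 any -P in discard;
"""

# Hypothetical additions: explicit "out" entries for the forwarded pair.
ADDED_OUT = """
spdadd 192.168.122.32/32 10.75.22.3/32 any -P out none;
spdadd 10.75.22.3/32 192.168.122.32/32 any -P out none;
"""

def parse_spd(text):
    """Parse 'spdadd SRC DST PROTO -P DIR ACTION;' lines into tuples."""
    rules = []
    for line in text.strip().splitlines():
        _, src, dst, proto, _flag, direction, action = line.rstrip(";").split()
        rules.append((ipaddress.ip_network(src), ipaddress.ip_network(dst),
                      proto, direction, action))
    return rules

def lookup(rules, direction, src, dst, proto):
    """Action of the first rule in DIRECTION that matches; no policy = 'none'.
    Assumption: first match in listed order stands in for kernel priority."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rsrc, rdst, rproto, rdir, action in rules:
        if rdir == direction and s in rsrc and d in rdst and rproto in ("any", proto):
            return action
    return "none"

def forward_verdict(rules, src, dst, proto):
    """Forwarded packet: assumed fwd check on input, then out check on output."""
    for direction in ("fwd", "out"):
        if lookup(rules, direction, src, dst, proto) == "discard":
            return "discard"
    return "pass"

def with_added_out(rules):
    """Insert the hypothetical out-none pair right after the fwd-none pair."""
    return rules[:4] + parse_spd(ADDED_OUT) + rules[4:]
```

With the seven original rules the forwarded packet passes the fwd lookup (line 3) but is then caught by the catch-all "out discard" (line 6); adding matching "out none" entries ahead of it lets the same packet through while keeping lines 5 to 7 in place.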