dch-gw: Host Pyrocufflink VPN locally

This commit adjusts the firewall and networking configuration on dc0 to host the Pyrocufflink remote access IPsec VPN locally instead of forwarding it to the internal VPN server.
2018-05-20 13:00:46 -05:00
parent 42b8d2e54f
commit f8641cb912
6 changed files with 19 additions and 20 deletions
--- a/roles/dch-gw/templates/outgoing.nft.j2
+++ b/roles/dch-gw/templates/outgoing.nft.j2
@@ -24,7 +24,7 @@ table inet filter {
        ct state established,related accept
        oif lo accept
        ip6 nexthdr ipv6-icmp accept
-        ip protocol icmp accept
+        ip protocol { icmp, esp } accept
        tcp dport @allow_tcp_out ct state new counter accept
        udp dport @allow_udp_out ct state new counter accept
    }