kern/98219: pf needs a way of matching on decapsulated IPSEC packets
dimas at dataart.com
Wed May 31 08:00:44 PDT 2006
>Synopsis: pf needs a way of matching on decapsulated IPSEC packets
>Arrival-Date: Wed May 31 15:00:36 GMT 2006
>Originator: Dmitry Andrianov
FreeBSD 6.0-RELEASE #0
It seems there is no way to distinguish an ordinary packet that arrived from the wire from one decapsulated from an IPSEC ESP packet. When the kernel is built with IPSEC_FILTERGIF, the decapsulated packet appears to arrive on the same interface on which the original ESP packet arrived.
Normally you have to enable ESP packets:
pass in quick on fxp0 proto esp from $vpn_peer to fxp0:any
But to avoid the firewall dropping decapsulated packets, you also need
pass in quick on fxp0 from $vpn_remote_net to $local_net
But this rule will also allow any packet with spoofed IPs pretending to be from vpn_net to local_net to be accepted and processed.
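The following pf.conf fragment is an added example, not part of the PR, showing the ruleset from the report beside a variant that does not rely on the wire-interface rule. It assumes a later FreeBSD where enc(4) exists and the kernel presents decapsulated IPsec packets on enc0 only (not again on fxp0); the addresses are placeholders.

```pf
# Added example; addresses are constructed placeholders, not from the PR.
ext_if         = "fxp0"
vpn_peer       = "203.0.113.10"
vpn_remote_net = "10.20.0.0/16"
local_net      = "192.168.1.0/24"

# Weak ruleset, as described in the report: the second rule passes any
# cleartext packet on fxp0 whose source claims to be $vpn_remote_net,
# whether it was decapsulated from ESP or simply spoofed on the wire.
#   pass in quick on $ext_if proto esp from $vpn_peer to ($ext_if)
#   pass in quick on $ext_if from $vpn_remote_net to $local_net

# Corrected ruleset (assumes enc(4) is available, see lead-in):
# 1. cleartext on the wire interface claiming a $vpn_remote_net source
#    is never legitimate there, so drop and log it for detection;
block in log quick on $ext_if from $vpn_remote_net to any
# 2. only the encrypted ESP traffic from the known peer is accepted on fxp0;
pass in quick on $ext_if proto esp from $vpn_peer to ($ext_if)
# 3. the decapsulated packets are matched on enc0, where only traffic that
#    actually came out of an IPsec SA can appear.
pass in quick on enc0 from $vpn_remote_net to $local_net keep state
```

Check with `pfctl -nf /etc/pf.conf` before loading, and confirm with `tcpdump -ni enc0` that the decapsulated traffic really shows up on enc0 on your kernel.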