using enc0 with ipfw

Eric W. Bates ericx at vineyard.net
Tue Feb 10 12:52:24 PST 2009



We have a working firewall with multiple esp tunnels.

To this machine we want to add the ability to filter the emergent,
decrypted packets.

We are running 7.1-RELEASE-p2

Does filtering require both the IPSEC_FILTERTUNNEL and the enc device?
Or are these 2 separate approaches to the same problem?

We cannot get the firewall to "accept" decrypted packets in.

With a ping running from tunneled network to tunneled network, tcpdump
shows esp packets leaving the firewall. At the remote end tcpdump shows
icmp echo requests and echo replies on the internal interface and it
also shows bi-directional esp traffic on the external interface.
However, on the originating firewall tcpdump shows none of the esp reply
packets.

All the firewall deny rules have logging enabled. Nothing appears in the
log. So as far as we can tell ipfw is not blocking anything.

enc0 has been ifconfig'ed "up"; and the enc sysctl flags have been set
as suggested in enc(4).

tcpdump on enc0 on the originating machine shows the icmp echo requests
going out.

ipfw has an explicit "allow ip from any to any" on enc0 which is not
getting any hits.

We have tried this both with and without enc and IPSEC_FILTERTUNNEL in
all various permutations with basically the same results.

If we recompile and remove both the enc device and the
IPSEC_FILTERTUNNEL option, the tunnel works fine.

Any thoughts? RTFM is a welcome suggestion; but none of the man pages
really seem to cover this and we have had little luck with Google.

Thank you for your time.

--
Eric W. Bates
ericx at vineyard.net
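The post's two symptoms (an enc0 allow rule that never gets hits, and enc sysctl flags that may not be set the way enc(4) describes) can be checked from the output of `ipfw -a list` and `sysctl net.enc`. The following script is an added diagnostic, not part of the original mail or of FreeBSD; the `ipfw -a` column layout (rule number, packet counter, byte counter, rule body) and the `net.enc.{in,out}.ipsec_filter_mask` / `ipsec_bpf_mask` knob names are as documented, while the counter values and mask values in the two samples are constructed to illustrate the failure mode. In enc(4), a filter mask of 0 for a direction means no firewall filtering happens for packets in that direction, so an enc0 rule with zero hits together with a zero mask points at the packets never being presented to ipfw on enc0 rather than at a deny rule.

```python
import re

# Constructed sample of `ipfw -a list` output: the enc0 allow rule has no hits
# while the esp rule and the default deny do see traffic.
SAMPLE_IPFW = """\
00100     0        0 allow ip from any to any via enc0
00200  1523   127932 allow ip from any to any via lo0
00300    44     3696 allow esp from any to any
00400     0        0 deny log ip from any to any
65535     7      588 deny ip from any to any
"""

# Constructed sample of `sysctl net.enc` output (knob names per enc(4), values invented):
# inbound filtering is disabled (mask 0), so decrypted replies are never filtered on enc0.
SAMPLE_SYSCTL = """\
net.enc.out.ipsec_bpf_mask: 3
net.enc.out.ipsec_filter_mask: 1
net.enc.in.ipsec_bpf_mask: 3
net.enc.in.ipsec_filter_mask: 0
"""

# rule number, packet count, byte count, then the rest of the rule text
RULE_RE = re.compile(r"^(\d+)\s+(\d+)\s+(\d+)\s+(.*)$")


def parse_ipfw(text):
    """Turn `ipfw -a list` output into a list of dicts with counters."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules.append({
                "num": int(m.group(1)),
                "pkts": int(m.group(2)),
                "bytes": int(m.group(3)),
                "body": m.group(4),
            })
    return rules


def parse_sysctl(text):
    """Turn `sysctl net.enc` output into a {name: int} mapping."""
    values = {}
    for line in text.splitlines():
        if ":" in line:
            name, value = line.split(":", 1)
            values[name.strip()] = int(value.strip(), 0)
    return values


def enc_rules_without_hits(rules, iface="enc0"):
    """Rule numbers that mention the enc interface but have a zero packet counter."""
    return [r["num"] for r in rules if iface in r["body"] and r["pkts"] == 0]


def disabled_filter_directions(sysctl):
    """Directions ('in'/'out') whose enc filter mask is 0, i.e. no firewall filtering."""
    return [d for d in ("in", "out")
            if sysctl.get(f"net.enc.{d}.ipsec_filter_mask", 0) == 0]


def diagnose(ipfw_text, sysctl_text, iface="enc0"):
    """Combine both checks into a list of human-readable findings."""
    findings = []
    for num in enc_rules_without_hits(parse_ipfw(ipfw_text), iface):
        findings.append(f"rule {num:05d} on {iface} has never matched a packet")
    for direction in disabled_filter_directions(parse_sysctl(sysctl_text)):
        findings.append(f"net.enc.{direction}.ipsec_filter_mask is 0: "
                        f"{direction}bound IPsec traffic is not filtered on {iface}")
    return findings


if __name__ == "__main__":
    for line in diagnose(SAMPLE_IPFW, SAMPLE_SYSCTL):
        print(line)
```

On a live box the two samples would be replaced by the output of `ipfw -a list` and `sysctl net.enc`; the script only reads text, so it can be run against output pasted from the firewall without touching the ruleset.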

