pf not seeing inbound packets coming from IPSec on epair interface

Andreas Longwitz longwitz at incore.de
Mon Jan 18 23:03:39 UTC 2016


Hi, thanks for the answer.

>> in the situation
>>        IPSec --> epair0a --> epair0b --> em1
>> pf does not see inbound packets on the interface epair0b, because the
>> epair driver does not clear the flag PACKET_TAG_IPSEC_IN_DONE when it
>> transfers a packet from epair0a to epair0b. The following patch for
>> FreeBSD 10 works for me and is adapted from
>>   lists.freebsd.org/pipermail/freebsd-net/2012-January/031161.html:
> 
> Where does epair get the packet from?  A physical interface bridged to epair?

I use epair on a firewall machine FW running to serve VPNs for iPhones
(IPSec with XAuth). Every user gets an IP (racoon + freeradius) to use
in his tunnel; the tunnel IP of FW is fixed. Different user groups must
connect to different mail servers in my network. FW has two hardware
interfaces em0 (internet) and em1 (intranet), no jails, no bridges. I
use the rdr command of pf on interface epair0b to redirect the user to
the correct mail server before the packets leave my FW on interface em1
(with nat and a pass rule using reply-to (epair0b $ip_epair0a)).

I am not aware of another method to rewrite the destination address of
an incoming IPSec packet on the same machine, hence the use of epair.

> Hmm, but then if you are using epairs to cross between network stacks, you are
> changing boundaries, indeed, so if you'd run ipsec on a single epair between two
> VNETs, that might be interesting as well?

I think epair should behave identically to em2 + em3 with a crossover
cable, but I do not have enough network interfaces.

> I guess we’ll need to find a couple of these places (epair, bridge, netgraph, …)
> and make sure we strip all of the tags IFF we change the VNET?

I think so. One example is mentioned in
  lists.freebsd.org/pipermail/freebsd-net/2012-January/031161.html
for clients using a VPN with L2TP over IPSec (racoon + mpd5).


Dr. Andreas Longwitz

Data Service GmbH
Beethovenstr. 2A
23617 Stockelsdorf
Amtsgericht Lübeck, HRB 318 BS
Geschäftsführer: Wilfried Paepcke, Dr. Andreas Longwitz, Josef Flatau
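
The pf ruleset the post describes (rdr on epair0b, nat on em1, pass with reply-to back through the epair), written out as an added example; this is not from the original message or the FreeBSD project. The interface names epair0a, epair0b and em1 are from the post; every address, the two user-group tables, the mail-server addresses and the port list are assumptions. Routing of the intranet prefixes via the epair pair, and the racoon/freeradius setup that hands out the tunnel addresses, are assumed and not shown.

```pf
# Added example, not from the original post. Interface names from the
# post; all addresses, tables and the per-group split are assumed.
ext_if     = "em0"
int_if     = "em1"
tun_if     = "epair0b"
ip_epair0a = "10.255.0.1"      # assumed: address of epair0a, the IPSec side
mail_a     = "192.168.10.25"   # assumed: mail server for user group A
mail_b     = "192.168.20.25"   # assumed: mail server for user group B

# Assumed: tunnel addresses assigned per user group by racoon/freeradius
table <vpn_group_a> { 10.10.1.0/24 }
table <vpn_group_b> { 10.10.2.0/24 }

# Rewrite the destination before the packet leaves on em1. This only
# takes effect if pf actually evaluates the packet inbound on epair0b,
# which is what the PACKET_TAG_IPSEC_IN_DONE tag prevents when it is
# carried across the epair unchanged.
rdr on $tun_if inet proto tcp from <vpn_group_a> to any port { 25, 143, 993 } -> $mail_a
rdr on $tun_if inet proto tcp from <vpn_group_b> to any port { 25, 143, 993 } -> $mail_b

# Source NAT towards the intranet so the mail servers answer to em1
nat on $int_if inet from { <vpn_group_a>, <vpn_group_b> } to any -> ($int_if)

# Accept the redirected traffic on epair0b; reply-to pushes the replies
# back out epair0b towards epair0a (and so into the tunnel) instead of
# letting them follow the default route.
pass in quick on $tun_if reply-to ($tun_if $ip_epair0a) inet proto tcp \
    from { <vpn_group_a>, <vpn_group_b> } to { $mail_a, $mail_b } keep state
pass out quick on $int_if inet proto tcp to { $mail_a, $mail_b } keep state
```

Load with `pfctl -f /etc/pf.conf` and check `pfctl -s state`: with a working kernel you see states on epair0b whose destination is already the mail-server address. If `tcpdump -ni epair0b` shows the decrypted packets arriving but no state appears and the rdr never applies, the ruleset is not the problem; that is the symptom the post reports, caused by the IPSec tag not being stripped when the packet crosses the epair.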

