FreeBSD7 + pf + ipsec
Roman Otsaljuk
romzes at upstar.com.ua
Wed Apr 16 17:23:23 UTC 2008
Erik Osterholm wrote:
> On Wed, Apr 16, 2008 at 01:04:39PM +0300, Roman Otsaljuk wrote:
>
>> Norman Maurer wrote:
>>
>>> On Wednesday, 16.04.2008, at 12:02 +0300, Roman Otsaljuk wrote:
>>>
>>>
>>>> Hi all.
>>>> I have two local nets linked over IPsec:
>>>>
>>>> http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/ipsec.html
>>>>
>>>> Network schema:
>>>>
>>>> 192.168.0.0/24 <---> [192.168.0.12=freebsd=2.2.2.2] <--inet-->
>>>> [1.1.1.1=freebsd1=10.31.0.5] <---->10.31.0.5/26
>>>>
>>>> Both endpoints were running 6.2, with pf as the firewall.
>>>> After updating to 7.0 the VPN doesn't work:
>>>> 0) pings go through normally;
>>>> 0) TCP packets go through too, but the third packet has the R flag:
>>>> from 192.168.0.12 I try: ssh 10.31.0.42, and on the second console:
>>>> mail# tcpdump -ni gif0
>>>> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
>>>> listening on gif0, link-type NULL (BSD loopback), capture size 68 bytes
>>>> 10:49:43.912469 IP 192.168.0.12.63996 > 10.31.0.42.22: S 1756351354:1756351354(0) win 65535 <mss 1240,nop,wscale 3,sackOK,timestamp 51087105 0>
>>>> 10:49:43.936245 IP 217.20.174.35 > 195.43.43.238: IP 10.31.0.42.22 > 192.168.0.12.63996: S 4244314344:4244314344(0) ack 1756351355 win 65535 <mss 1460,[|tcp]> (ipip-proto-4)
>>>> 10:49:43.936360 IP 192.168.0.12.63996 > 10.31.0.42.22: R 1318200353:1318200353(0) win 0
>>>>
>>>> 0) adding "pass quick all" as the first rule on both makes no difference;
>>>> 0) with pf down: in the local net where pf is down, everything is good.
>>>>
>>>>
>>>> Any ideas?
>>>>
>>>>
>>>> P.S. The same happens if IPsec is replaced by vpnd.
>>>> Sorry for my bad English.
>>>>
>>>>
>>>>
>>> FreeBSD 7.0 uses the "new" IPsec implementation (IPSEC_FAST), so you need
>>> to allow the ipencap protocol too.
>>>
>>> Cheers
>>> Norman
>>>
>> Doesn't the rule "pass quick all" allow ipencap?
>>
>
> Try specifying it explicitly. I seem to recall that only certain
> protocols are passed unless specifically specified, though I can't
> find documentation on that.
>
> Erik
>
Rules:
vpn_if=gif0
pass quick on $vpn_if modulate state
pass in quick proto {esp, ipencap} from 1.1.1.1 to $ext_if modulate state
were in my pf.conf on 6.2 and on 7.0.
I have not changed pf.conf with the upgrade
(except for "pass quick all" while trying to understand the problem).
But I think the problem is not in ipencap (because ICMP goes through fine).
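An added example for reading a dump like the one in the first post (example code, not from anyone in this thread): a small Python parser for tcpdump lines that groups packets into TCP flows and flags the pattern shown on gif0, a SYN-ACK that arrives on the tunnel interface still wrapped in an outer IP header (the ipip-proto-4 line) followed by a RST from the client. The sample capture is the gif0 dump from the post; the class, function and constant names are my own.

```python
"""Group tcpdump(1) lines captured on a gif(4) tunnel into TCP flows and flag
the pattern from the post: a SYN-ACK that shows up still wrapped in an outer
IP header (ipip-proto-4) followed by a RST from the client.  Example code, not
part of the original thread.  The sample capture is the gif0 dump from the
post; the class, function and constant names are my own."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# The gif0 capture from the post (three packets plus tcpdump's banner lines).
SAMPLE_GIF0 = """\
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on gif0, link-type NULL (BSD loopback), capture size 68 bytes
10:49:43.912469 IP 192.168.0.12.63996 > 10.31.0.42.22: S 1756351354:1756351354(0) win 65535 <mss 1240,nop,wscale 3,sackOK,timestamp 51087105 0>
10:49:43.936245 IP 217.20.174.35 > 195.43.43.238: IP 10.31.0.42.22 > 192.168.0.12.63996: S 4244314344:4244314344(0) ack 1756351355 win 65535 <mss 1460,[|tcp]> (ipip-proto-4)
10:49:43.936360 IP 192.168.0.12.63996 > 10.31.0.42.22: R 1318200353:1318200353(0) win 0
"""

# tcpdump prints one "IP src[.port] > dst[.port]:" header per encapsulation
# layer; the last one on a line is the innermost (the TCP segment we care about).
_IP_HDR = re.compile(
    r"IP (?P<src>\d+(?:\.\d+){3})(?:\.(?P<sport>\d+))? > "
    r"(?P<dst>\d+(?:\.\d+){3})(?:\.(?P<dport>\d+))?: "
)
# TCP summary after the innermost header: flags, seq range, optional ack.
_TCP = re.compile(r"(?P<flags>[SRPFW.]+) (?P<seq>\d+):\d+\(\d+\)(?: ack (?P<ack>\d+))?")

Endpoint = Tuple[str, int]

@dataclass
class Packet:
    time: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: str
    seq: int
    ack: Optional[int]
    outer: Optional[Tuple[str, str]] = None  # (outer src, outer dst) if still encapsulated

@dataclass
class Flow:
    client: Endpoint        # whoever sent the SYN
    server: Endpoint
    syn: Optional[Packet] = None
    synack: Optional[Packet] = None
    rst: Optional[Packet] = None

def parse_line(line: str) -> Optional[Packet]:
    """Parse one tcpdump line; return None for banners and non-TCP packets."""
    hdrs = list(_IP_HDR.finditer(line))
    if not hdrs:
        return None
    inner = hdrs[-1]
    if inner["sport"] is None or inner["dport"] is None:
        return None                      # no ports: ICMP, ESP, ... (ignored here)
    tcp = _TCP.search(line, inner.end())
    if not tcp:
        return None
    outer = (hdrs[0]["src"], hdrs[0]["dst"]) if len(hdrs) > 1 else None
    return Packet(
        time=line.split(" ", 1)[0],
        src=inner["src"], sport=int(inner["sport"]),
        dst=inner["dst"], dport=int(inner["dport"]),
        flags=tcp["flags"], seq=int(tcp["seq"]),
        ack=int(tcp["ack"]) if tcp["ack"] else None,
        outer=outer,
    )

def analyse(lines) -> Dict[Tuple[Endpoint, Endpoint], Flow]:
    """Group packets into flows keyed on (client, server); client = SYN sender."""
    flows: Dict[Tuple[Endpoint, Endpoint], Flow] = {}
    for line in lines:
        p = parse_line(line)
        if p is None:
            continue
        a, b = (p.src, p.sport), (p.dst, p.dport)
        is_syn = "S" in p.flags and p.ack is None
        # Replies (SYN-ACK) arrive with src/dst swapped relative to the SYN.
        key = (b, a) if not is_syn and (b, a) in flows else (a, b)
        f = flows.setdefault(key, Flow(client=key[0], server=key[1]))
        if is_syn:
            f.syn = p
        elif "S" in p.flags:
            f.synack = p
        elif "R" in p.flags:
            f.rst = p
    return flows

def encapsulated_reply_rsts(flows) -> List[Flow]:
    """Flows whose SYN-ACK was still wrapped in an outer IP header on the
    tunnel interface and which the client then reset."""
    return [f for f in flows.values() if f.synack and f.synack.outer and f.rst]

def rst_matches_synack(f: Flow) -> bool:
    """A RST answering a SYN-ACK carries seq == the SYN-ACK's ack (RFC 793);
    a mismatch suggests the numbers seen here differ from the host's own."""
    return f.rst is not None and f.synack is not None and f.rst.seq == f.synack.ack

if __name__ == "__main__":
    for f in encapsulated_reply_rsts(analyse(SAMPLE_GIF0.splitlines())):
        print(f"{f.client} -> {f.server}: SYN-ACK arrived inside "
              f"{f.synack.outer[0]} > {f.synack.outer[1]}, then RST; "
              f"RST seq matches SYN-ACK ack: {rst_matches_synack(f)}")
```

Run against the dump above it reports one flow, 192.168.0.12:63996 -> 10.31.0.42:22, whose SYN-ACK was seen inside 217.20.174.35 > 195.43.43.238 and whose RST carries seq 1318200353 rather than the SYN-ACK's ack 1756351355. Since `modulate state` makes pf rewrite TCP initial sequence numbers, the numbers seen on gif0 are not necessarily the ones the host's TCP stack is using, which is worth keeping in mind when comparing captures taken on different interfaces.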