l2tp pass by pf

Tomasz Marszal kapral at toya.net.pl
Sat Nov 5 13:03:50 UTC 2011


On Sat,  5 Nov 2011 12:00:33 +0000 (UTC),
freebsd-stable-request at freebsd.org
wrote:
> Today's Topics:
> 
>    1. Re: fbsd 8.2, L2TP over IPsec and pf ? (Kurt Jaeger)
> 
> 
> ----------------------------------------------------------------------
> 
> Message: 1
> Date: Fri, 4 Nov 2011 14:18:56 +0100
> From: Kurt Jaeger <lists at c0mplx.org>
> Subject: Re: fbsd 8.2, L2TP over IPsec and pf ?
> To: freebsd-stable at freebsd.org
> Message-ID: <20111104131856.GD68080 at home.opsec.eu>
> Content-Type: text/plain; charset=us-ascii
> 
> Hi!
> 
>> I'm building a setup for incoming L2TP over IPsec connections
>> using FreeBSD 8.2-REL.
>> 
>> IPsec based on ports/security/ipsec-tools, the l2tp part
>> works from net/mpd5/.
>> 
>> If I disable the PF rules, everything works.
>> 
>> If I enable the PF rules, the IPsec connection still comes up,
>> but the L2TP requests are lost somewhere in the PF rules 8-(
>> 
>> Interestingly, tcpdump enc0 does not see any encrypted packets (!)
>> as long as the PF rules are active.
>> 
>> Any hits on the PF rules required to allow those packets in ?

I don't know the exact rules, but you can try to log all the outgoing and
incoming packets by rules
pass in quick log all 
pass out quick log all 

and then see what is going on by displaying logs on your console 
tcpdump -n -e -ttt -i pflog0

Finally, send packets through the firewall and see what to pass by adding an appropriate
rule to your firewall.

Useful hint: use some other firewall like ipfw or ipf when you disable your
pf; the same thing you should do when you pass all the packets by pf.


> Turns out: ESP in/out was missing. set debug misc in the pf.conf
> is worth a lot 8-)
> 
> Thanks for all help (by private mail).
> 
> I'll try to document this setup on some webpage (but this will take
> 1-2 months due to other projects 8-(
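
The two halves of the thread, the "log everything and read pflog0" diagnosis and the "ESP in/out was missing" fix, as one added example. This is not code from either poster; it assumes em0 as the external interface, enc0 as the IPsec decapsulation interface, and the pflog lines below are constructed to look like `tcpdump -n -e -ttt -i pflog0` output, not a real capture. `summarize_pflog` counts blocked packets per direction, interface and protocol so a missing ESP rule shows up immediately; `l2tp_ipsec_rules` prints a pf.conf fragment that passes IKE, NAT-T, ESP and then L2TP only on enc0, so udp/1701 is never reachable outside the tunnel.

```shell
#!/bin/sh
# Constructed sample of `tcpdump -n -e -ttt -i pflog0` output (not a real capture):
# IKE and NAT-T negotiation pass, but the ESP payload is blocked both ways.
SAMPLE_PFLOG='00:00:00.000000 rule 0/0(match): pass in on em0: 203.0.113.5.500 > 198.51.100.1.500: isakmp: phase 1 I ident
00:00:00.012345 rule 0/0(match): pass in on em0: 203.0.113.5.4500 > 198.51.100.1.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick
00:00:00.020000 rule 3/0(match): block in on em0: 203.0.113.5 > 198.51.100.1: ESP(spi=0x0a1b2c3d,seq=0x1), length 116
00:00:00.030000 rule 3/0(match): block in on em0: 203.0.113.5 > 198.51.100.1: ESP(spi=0x0a1b2c3d,seq=0x2), length 116
00:00:00.040000 rule 3/0(match): block out on em0: 198.51.100.1 > 203.0.113.5: ESP(spi=0x11223344,seq=0x1), length 100'

# Read pflog lines on stdin and print "<count> blocked <dir> on <iface>: <proto>",
# most frequent first. Only lines that pflog marks as "block" are counted.
summarize_pflog() {
    awk '
    /\(match\): block/ {
        # Field layout: $4 = block, $5 = in/out, $7 = interface (trailing colon)
        iface = $7; sub(/:$/, "", iface)
        proto = "other"
        if ($0 ~ /ESP\(/)           proto = "ESP"
        else if ($0 ~ /isakmp/)     proto = "isakmp"
        else if ($0 ~ /\.1701[ :]/) proto = "udp/1701 (L2TP)"
        key = $5 " on " iface ": " proto
        count[key]++
    }
    END { for (k in count) print count[k], "blocked", k }
    ' | sort -rn
}

# Print a pf.conf fragment for incoming L2TP over IPsec on the given external
# interface. ESP (IP protocol 50) is what the thread found missing; the L2TP
# port is passed only on enc0, i.e. only after IPsec has decrypted the packet.
l2tp_ipsec_rules() {
    ext_if="$1"
    cat <<EOF
# IKE (udp/500) and NAT-Traversal (udp/4500) from the Internet
pass in quick on $ext_if proto udp from any to ($ext_if) port { 500, 4500 }
pass out quick on $ext_if proto udp from ($ext_if) to any port { 500, 4500 }
# ESP payload in both directions (IP protocol 50)
pass in quick on $ext_if proto esp from any to ($ext_if)
pass out quick on $ext_if proto esp from ($ext_if) to any
# decrypted traffic appears on enc0; allow L2TP (udp/1701) only there
pass in quick on enc0 proto udp from any to any port 1701
pass out quick on enc0 proto udp from any to any port 1701
EOF
}

# Usage: on a live box replace the sample with `tcpdump -n -e -ttt -i pflog0 -l`.
printf '%s\n' "$SAMPLE_PFLOG" | summarize_pflog
```

Write the fragment to a file and syntax-check it with `pfctl -nf <file>` before loading. If all clients arrive through NAT-T, the ESP packets are wrapped in udp/4500 and the `proto esp` rules never match; they are still needed for clients that are not behind NAT. The `log all` rules from the reply above are for diagnosis only and should come out of pf.conf once the blocked protocol has been identified.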

