kern/185876: ipfw not matching incoming packets decapsulating ipsec. example l2tp/ipsec
a.v.volobuev at gmail.com
Fri Jan 24 08:20:01 UTC 2014
The following reply was made to PR kern/185876; it has been noted by GNATS.
From: "a.v.volobuev at gmail.com" <a.v.volobuev at gmail.com>
To: bug-followup at FreeBSD.org, a.v.volobuev at gmail.com
Cc:
Subject: Re: kern/185876: ipfw not matching incoming packets decapsulating
ipsec. example l2tp/ipsec
Date: Fri, 24 Jan 2014 14:25:59 +0600
There is also a problem with the pseudo interface enc(4). For example:
# sysctl -a | i ipsec | i enc
net.enc.in.ipsec_filter_mask: 2
net.enc.in.ipsec_bpf_mask: 2
net.enc.out.ipsec_filter_mask: 0
net.enc.out.ipsec_bpf_mask: 0
# tcpdump -n -i enc0 host 10.10.3.1
14:07:09.516262 (authentic,confidential): SPI 0xced105ce: IP 10.10.3.1.58822 > 188.225.33.52.80: Flags [S], seq 317580935, win 13600, options [mss 1360,sackOK,TS val 3559730 ecr 0,nop,wscale 6], length 0
but the ipfw rule:
ipfw add 10 nat 1 ip from 10.0.150.3/32 to any in
does not match.
More information about the freebsd-bugs
mailing list