pf rdr statement & ipsec processing interaction

Eric Masson emss at free.fr
Mon Aug 13 08:15:34 UTC 2007


Hello,

I'm trying to set up a FreeBSD 6.2 box as an l2tp/ipsec server for MS
workstations (FAST_IPSEC + Yvan's NAT-T patch).

Thanks to mpd4, the l2tp part works fine. As the box could ultimately have
only a dynamic ip address, I've made mpd listen on a loopback interface
on the box and then redirected incoming l2tp traffic to this loopback
interface:

$ ifconfig lo1
lo1: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet 10.127.0.1 netmask 0xff000000

$ cat /usr/local/etc/mpd4/mpd.links
l2tp1:
        set link type l2tp
        set l2tp self 10.127.0.1
        set l2tp enable incoming
        set l2tp disable originate

$ cat /etc/pf.conf
ext_if="vxn0"
rdr on $ext_if proto udp from any to ($ext_if) port 1701 -> 10.127.0.1 port 1701

If ipsec isn't enabled (no spd & no racoon running on the freebsd side,
ipsec disabled on the xp box), this setup works fine.

If ipsec is enabled on the box and on the xp box, phase I & phase II
succeed but mpd4 doesn't get any l2tp packet.

If I set up mpd4 to listen on the external interface address and disable
the pf rdr rule, everything works fine (ipsec enabled or disabled).

From this, it seems that the pf rdr rule isn't applied to the incoming l2tp
packets once they've been ipsec processed.

Is this expected behaviour or a bug?

TIA

Regards

Éric Masson

-- 
 holding an ethernet cable at arm's length across a restaurant dining room
 so it doesn't fall into the tiramisu, while others chat over infrared,
 that's real life, isn't it?
 -+- DA in Guide du Macounet Pervers : http://www.le-visconti.net/ -+-
