pf rdr statement & ipsec processing interaction

Eric Masson emss at free.fr
Tue Aug 14 03:55:10 PDT 2007


"Bjoern A. Zeeb" <bzeeb-lists at lists.zabbadoz.net> writes:

> ifconfig enc0 | grep UP
>
> if not, ifconfig enc0 up

OK, this is better, as mpd4 receives l2tp packets, thanks :)

emss at freebsd6:~> sudo /usr/local/sbin/mpd4
Multi-link PPP daemon for FreeBSD
process 1586 started, version 4.2.2 (root at freebsd6 22:09  9-Aug-2007)
CONSOLE: listening on 127.0.0.1 5005
[l2tp1] using interface ng1
[l2tp2] using interface ng2
[l2tp3] using interface ng3
[l2tp4] using interface ng4
[l2tp5] using interface ng5
L2TP: waiting for connection on 10.127.0.1 1701
Incoming L2TP packet from 192.168.1.105 1701

But from the dump on the vxn0 interface, response packets are not passed to
the ipsec layer (192.168.1.105 is the remote XP host):

emss at freebsd6:~> sudo tcpdump -n -i vxn0 not tcp port 22
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on vxn0, link-type EN10MB (Ethernet), capture size 96 bytes
12:43:50.408045 IP 192.168.1.105.500 > 192.168.1.231.500: isakmp: phase 1 I ident
12:43:50.413619 IP 192.168.1.231.500 > 192.168.1.105.500: isakmp: phase 1 R ident
12:43:50.472048 IP 192.168.1.105.500 > 192.168.1.231.500: isakmp: phase 1 I ident
12:43:50.591613 IP 192.168.1.231.500 > 192.168.1.105.500: isakmp: phase 1 R ident
12:43:50.863929 IP 192.168.1.105.500 > 192.168.1.231.500: isakmp: phase 1 I ident[E]
12:43:50.939090 IP 192.168.1.231.500 > 192.168.1.105.500: isakmp: phase 1 R ident[E]
12:43:50.943675 IP 192.168.1.105.500 > 192.168.1.231.500: isakmp: phase 2/others I oakley-quick[E]
12:43:50.961028 IP 192.168.1.231.500 > 192.168.1.105.500: isakmp: phase 2/others R oakley-quick[E]
12:43:50.977231 IP 192.168.1.105.500 > 192.168.1.231.500: isakmp: phase 2/others I oakley-quick[E]
12:43:51.013177 IP 192.168.1.105 > 192.168.1.231: ESP(spi=0x0eb4187d,seq=0x1), length 140
12:43:51.064857 IP 192.168.1.231.1701 > 192.168.1.105.1701:  l2tp:[TLS](3/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) |...
12:43:51.960621 IP 192.168.1.105 > 192.168.1.231: ESP(spi=0x0eb4187d,seq=0x2), length 140
12:43:51.962668 IP 192.168.1.231.1701 > 192.168.1.105.1701:  l2tp:[TLS](3/0)Ns=1,Nr=1 ZLB
12:43:52.020466 IP 192.168.1.231.1701 > 192.168.1.105.1701:  l2tp:[TLS](3/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) |...
12:43:53.942587 IP 192.168.1.105 > 192.168.1.231: ESP(spi=0x0eb4187d,seq=0x3), length 140
12:43:53.943445 IP 192.168.1.231.1701 > 192.168.1.105.1701:  l2tp:[TLS](3/0)Ns=1,Nr=1 ZLB
12:43:53.943710 IP 192.168.1.231.1701 > 192.168.1.105.1701:  l2tp:[TLS](3/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) |...
12:43:57.742123 IP 192.168.1.105 > 192.168.1.231: ESP(spi=0x0eb4187d,seq=0x4), length 140
12:43:57.745058 IP 192.168.1.231.1701 > 192.168.1.105.1701:  l2tp:[TLS](3/0)Ns=1,Nr=1 ZLB
12:43:57.789932 IP 192.168.1.231.1701 > 192.168.1.105.1701:  l2tp:[TLS](3/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) |...
12:44:07.186961 IP 192.168.1.231.1701 > 192.168.1.105.1701:  l2tp:[TLS](3/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) |...
12:44:07.208935 IP 192.168.1.105 > 192.168.1.231: ESP(spi=0x0eb4187d,seq=0x5), length 140
12:44:07.209418 IP 192.168.1.231.1701 > 192.168.1.105.1701:  l2tp:[TLS](3/0)Ns=1,Nr=1 ZLB
12:44:16.802284 IP 192.168.1.231.1701 > 192.168.1.105.1701:  l2tp:[TLS](3/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) |...
12:44:16.849849 IP 192.168.1.105 > 192.168.1.231: ESP(spi=0x0eb4187d,seq=0x6), length 140
12:44:16.849860 IP 192.168.1.231.1701 > 192.168.1.105.1701:  l2tp:[TLS](3/0)Ns=1,Nr=1 ZLB
12:44:18.808989 IP 192.168.1.105.500 > 192.168.1.231.500: isakmp: phase 2/others I inf[E]
12:44:18.821602 IP 192.168.1.105.500 > 192.168.1.231.500: isakmp: phase 2/others I inf[E]
12:44:26.418196 IP 192.168.1.231.1701 > 192.168.1.105.1701:  l2tp:[TLS](3/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) |...
12:44:36.033944 IP 192.168.1.231.1701 > 192.168.1.105.1701:  l2tp:[TLS](3/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) |...

I don't really understand here, as the ipsec selectors are the following:

emss at freebsd6:~> sudo /usr/local/sbin/setkey -DP
0.0.0.0/0[any] 192.168.1.231[1701] udp
        in ipsec
        esp/transport//require
        spid=1 seq=2 pid=2086
        refcnt=1
192.168.1.105[1701] 192.168.1.231[1701] udp
        in ipsec
        esp/transport//require
        spid=6 seq=1 pid=2086
        refcnt=1
192.168.1.231[1701] 192.168.1.105[1701] udp
        out ipsec
        esp/transport//require
        spid=7 seq=0 pid=2086
        refcnt=1

So outgoing l2tp packets should be ESP-transformed, right?

Regards

Éric Masson

-- 
 E> Sorry, but I'm not really used to discussion groups
 Lesson 1: reply at the top and delete the message you are replying to
 That deletion makes reading so much easier!!!
 -+- DrN in <http://www.le-gnu.net> : Le Neuneu par l'exemple (the newbie by example) -+-
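As an added illustration of the check being done by eye in this post (it is not code from the post or from FreeBSD), the script below parses the `setkey -DP` policy dump and the `tcpdump` lines shown above and reports every cleartext UDP packet that matches an `ipsec` policy with level `require`. The sample inputs are constructed excerpts of the output quoted in the post; the address 192.168.1.231 is assumed to be the capturing host, and the regular expressions are written for exactly the tcpdump line shapes seen here (plain UDP lines and ESP lines), not for every tcpdump output format.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample: the three SPD entries from the setkey -DP output in the post.
SPD_TEXT = """\
0.0.0.0/0[any] 192.168.1.231[1701] udp
        in ipsec
        esp/transport//require
        spid=1 seq=2 pid=2086
        refcnt=1
192.168.1.105[1701] 192.168.1.231[1701] udp
        in ipsec
        esp/transport//require
        spid=6 seq=1 pid=2086
        refcnt=1
192.168.1.231[1701] 192.168.1.105[1701] udp
        out ipsec
        esp/transport//require
        spid=7 seq=0 pid=2086
        refcnt=1
"""

# Constructed sample: an abridged excerpt of the tcpdump on vxn0 from the post.
CAPTURE = """\
12:43:50.408045 IP 192.168.1.105.500 > 192.168.1.231.500: isakmp: phase 1 I ident
12:43:50.413619 IP 192.168.1.231.500 > 192.168.1.105.500: isakmp: phase 1 R ident
12:43:51.013177 IP 192.168.1.105 > 192.168.1.231: ESP(spi=0x0eb4187d,seq=0x1), length 140
12:43:51.064857 IP 192.168.1.231.1701 > 192.168.1.105.1701:  l2tp:[TLS](3/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) |...
12:43:51.960621 IP 192.168.1.105 > 192.168.1.231: ESP(spi=0x0eb4187d,seq=0x2), length 140
12:43:51.962668 IP 192.168.1.231.1701 > 192.168.1.105.1701:  l2tp:[TLS](3/0)Ns=1,Nr=1 ZLB
"""

LOCAL_HOST = ip_address("192.168.1.231")  # assumed: the capturing host's address on vxn0


@dataclass
class Policy:
    src: object          # ip_network
    sport: str           # port number or "any"
    dst: object          # ip_network
    dport: str
    proto: str
    direction: str = ""  # in / out / fwd
    action: str = ""     # ipsec / none / discard
    level: str = ""      # default / use / require / unique
    spid: str = ""

    def matches(self, src, sport, dst, dport, proto, direction):
        """True if the packet 5-tuple and direction fall under this selector."""
        return (self.direction == direction and self.proto in (proto, "any")
                and src in self.src and dst in self.dst
                and self.sport in (sport, "any") and self.dport in (dport, "any"))


# setkey -DP line shapes: "src[port] dst[port] proto", "  dir action", "  proto/mode/endpoints/level", "  spid=N ..."
SPD_HEAD = re.compile(r"^(\S+)\[(\w+)\] (\S+)\[(\w+)\] (\w+)$")
SPD_DIR = re.compile(r"^\s+(in|out|fwd) (ipsec|none|discard)$")
SPD_REQ = re.compile(r"^\s+(\w+)/(\w+)/([^/]*)/(\w+)$")
SPD_ID = re.compile(r"^\s+spid=(\d+)")

# tcpdump line shapes used here: a UDP line with ports, and an ESP line without ports.
UDP_LINE = re.compile(r"^\S+ IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): +(\w+)")
ESP_LINE = re.compile(r"^\S+ IP (\d+\.\d+\.\d+\.\d+) > (\d+\.\d+\.\d+\.\d+): ESP\(spi=(0x[0-9a-f]+),seq=(0x[0-9a-f]+)\)")


def parse_spd(text):
    """Turn setkey -DP output into Policy objects, in the order the kernel lists them."""
    policies, cur = [], None
    for line in text.splitlines():
        if m := SPD_HEAD.match(line):
            cur = Policy(ip_network(m[1]), m[2], ip_network(m[3]), m[4], m[5])
            policies.append(cur)
        elif cur and (m := SPD_DIR.match(line)):
            cur.direction, cur.action = m[1], m[2]
        elif cur and (m := SPD_REQ.match(line)):
            cur.level = m[4]
        elif cur and (m := SPD_ID.match(line)):
            cur.spid = m[1]
    return policies


@dataclass
class Finding:
    line: str
    policy: Policy


def audit(spd_text, capture, local=LOCAL_HOST):
    """Return (cleartext findings, number of ESP packets seen).

    A finding is a cleartext UDP packet whose first matching SPD entry is an
    'ipsec' policy at level 'require': the policy says it must not leave or
    arrive in the clear, yet it was captured unencapsulated."""
    policies = parse_spd(spd_text)
    findings, esp_count = [], 0
    for line in capture.splitlines():
        if ESP_LINE.match(line):
            esp_count += 1
            continue
        m = UDP_LINE.match(line)
        if not m:
            continue
        src, sport, dst, dport = ip_address(m[1]), m[2], ip_address(m[3]), m[4]
        direction = "out" if src == local else "in"
        pol = next((p for p in policies if p.matches(src, sport, dst, dport, "udp", direction)), None)
        if pol and pol.action == "ipsec" and pol.level == "require":
            findings.append(Finding(line, pol))
    return findings, esp_count


if __name__ == "__main__":
    findings, esp = audit(SPD_TEXT, CAPTURE)
    print(f"{esp} ESP packet(s) seen; {len(findings)} cleartext packet(s) violate a 'require' policy")
    for f in findings:
        print(f"  spid={f.policy.spid} ({f.policy.direction}): {f.line}")
```

Run against the excerpt, the ISAKMP exchange on port 500 is reported clean because no SPD entry covers it, the inbound packets from the XP host are all ESP, and the two outbound L2TP control messages from 192.168.1.231:1701 are flagged against spid 7, which is exactly the mismatch the post is asking about.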