Tracing packets passing through PF

Tom Judge tom at tomjudge.com
Mon Mar 5 14:37:19 UTC 2007


Volker Werth wrote:
> On 12/23/-58 20:59, Tom Judge wrote:
>> The packet is not getting filtered it leaves the host and passes on the
>> wire to the default gateway.  There are no issues with the traffic being
>> filtered by the originating hosts firewall, the problem is that the ESP
>> packets next hop is not being modified by the source routing rule and is
>> therefore being sent to the incorrect gateway, where the ISP filters the
>> packet.  It is only the ESP traffic that fails to be routed correctly,
>> all other traffic is fine. It is almost as if the ESP packet never
>> enters PF and is transmitted straight out onto the network,  hence me
>> starting this thread about being able to trace the packet through the
>> stack.
>>
>> Tom
> 
> Tom,
> 
> could you describe a bit more in detail what you're doing with IPSec
> and what you're trying to do using pf? I've not followed the whole
> thread as I've had no time to read email over the weekend. If you
> already posted all infos, please forgive me and point me to that
> message.
> 
> I've done a lot of work with IPSec (+ipsec_tools, racoon2 etc.) and
> have also seen strange behaviour of ESP data not passing the firewall.
> 
> Are you using IPSEC or FAST_IPSEC? Are you using GIF tunnels? Are
> you using ENC? Could you please give us your routing table (partially)?
> 
> Thanks,
> 
> Volker


Here is a simplified diagram of the network layout:

http://www.tomjudge.com/tmp/tunnels.png

The following configurations are from host A; host B is configured in 
an identical fashion with the changes made in the obvious places.

The routing of the networks at each end of the tunnel is controlled by 
OSPF (using quagga).  Racoon successfully negotiates the IPSEC 
connection with the remote host (all traffic during this stage passes 
through the firewall correctly).  The problem appears when traffic is 
sent across the link and IPSEC is sending the ESP packets which fail to 
pass through PF (or that is what it would seem).

Kernel Config (Relevant sections):

device          gif             # IPv6 and IPv4 tunneling
device          carp
device      pf
device      pflog
device      pfsync
options     IPSEC
options     IPSEC_ESP
options     IPSEC_FILTERGIF
options         ALTQ
options         ALTQ_CBQ        # Class Bases Queuing (CBQ)
options         ALTQ_RED        # Random Early Detection (RED)
options         ALTQ_RIO        # RED In/Out
options         ALTQ_HFSC       # Hierarchical Packet Scheduler (HFSC)
options         ALTQ_PRIQ       # Priority Queuing (PRIQ)
options         ALTQ_NOPCC      # Required for SMP build


ifconfig:

bge0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
         options=1b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING>
         inet 10.0.0.46 netmask 0xff000000 broadcast 10.255.255.255
         ether 00:11:43:37:2e:2e
         media: Ethernet autoselect (1000baseTX <full-duplex>)
         status: active
bge1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
         options=1b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING>
         inet 111.0.0.2 netmask 0xffffffe0 broadcast 111.0.0.31
         inet 112.0.0.2 netmask 0xffffffe0 broadcast 112.0.0.31
         ether 00:11:43:37:2e:2f
         media: Ethernet autoselect (1000baseTX <full-duplex>)
         status: active
gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
         tunnel inet 111.0.0.2 --> 113.0.0.2
         inet 192.168.174.1 --> 192.168.174.2 netmask 0xfffffffc
gif1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
         tunnel inet 112.0.0.2 --> 114.0.0.2
         inet 192.168.174.5 --> 192.168.174.6 netmask 0xfffffffc


netstat -rn with excess entries removed:
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            111.0.0.1          UGS         6 1107473272   bge1
10                 link#1             UC          0        0   bge0
111.0.0.0/27       link#2             UC          0        0   bge1
112.0.0.0/27       link#2             UC          0        0   bge1


/etc/ipsec.conf:

spdadd 111.0.0.2/32 113.0.0.2/32 ipencap -P out ipsec
     esp/tunnel/111.0.0.2-113.0.0.2/require;
spdadd 113.0.0.2/32 111.0.0.2/32 ipencap -P in ipsec
     esp/tunnel/113.0.0.2-111.0.0.2/require;

spdadd 112.0.0.2/32 114.0.0.2/32 ipencap -P out ipsec
     esp/tunnel/112.0.0.2-114.0.0.2/require;
spdadd 114.0.0.2/32 112.0.0.2/32 ipencap -P in ipsec
     esp/tunnel/114.0.0.2-112.0.0.2/require;



/usr/local/etc/racoon/racoon.conf (Appropriate sections):
path pre_shared_key "/usr/local/etc/racoon/psk.conf";

remote 113.0.0.2 [500]
{
         exchange_mode aggressive,main;
         doi ipsec_doi;
         situation identity_only;

         nonce_size 16;
         initial_contact on;
         proposal_check obey;    # obey, strict, or claim

         proposal {
                 encryption_algorithm 3des;
                 hash_algorithm sha1;
                 authentication_method pre_shared_key;
                 dh_group 2;
         }
}


remote 114.0.0.2 [500]
{
         exchange_mode aggressive,main;
         doi ipsec_doi;
         situation identity_only;

         nonce_size 16;
         initial_contact on;
         proposal_check obey;    # obey, strict, or claim

         proposal {
                 encryption_algorithm 3des;
                 hash_algorithm sha1;
                 authentication_method pre_shared_key;
                 dh_group 2;
         }
}
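
As an added illustration (example code written for this page, not part of the post or of any FreeBSD tool) of the routing behaviour described above: the kernel's route lookup is destination-only, so both tunnels' outer ESP packets resolve to the default gateway 111.0.0.1 on bge1 regardless of their source address. The routing entries and SPD lines are copied from the post; the SPD parsing is a deliberate simplification.

```python
"""Model the destination-only route lookup applied to the outer ESP packets
defined by the outbound SPD entries in /etc/ipsec.conf, using the netstat -rn
entries quoted in the post."""
import ipaddress
import re

# Routing table as quoted in the post: (destination, gateway, interface).
# "link#N" marks a directly connected network; lookup is longest prefix match.
ROUTES = [
    ("0.0.0.0/0",    "111.0.0.1", "bge1"),
    ("10.0.0.0/8",   "link#1",    "bge0"),
    ("111.0.0.0/27", "link#2",    "bge1"),
    ("112.0.0.0/27", "link#2",    "bge1"),
]

# SPD entries from the post's /etc/ipsec.conf, joined onto single lines here.
IPSEC_CONF = """
spdadd 111.0.0.2/32 113.0.0.2/32 ipencap -P out ipsec esp/tunnel/111.0.0.2-113.0.0.2/require;
spdadd 113.0.0.2/32 111.0.0.2/32 ipencap -P in ipsec esp/tunnel/113.0.0.2-111.0.0.2/require;
spdadd 112.0.0.2/32 114.0.0.2/32 ipencap -P out ipsec esp/tunnel/112.0.0.2-114.0.0.2/require;
spdadd 114.0.0.2/32 112.0.0.2/32 ipencap -P in ipsec esp/tunnel/114.0.0.2-112.0.0.2/require;
"""

# Only outbound tunnel-mode policies produce locally generated ESP packets.
SPD_RE = re.compile(r"-P out .*?esp/tunnel/([\d.]+)-([\d.]+)/")

def outbound_tunnels(conf):
    """Return (outer_src, outer_dst) pairs for each outbound tunnel policy."""
    return SPD_RE.findall(conf)

def route_lookup(dst):
    """Longest-prefix match over ROUTES; the source address plays no part."""
    addr = ipaddress.ip_address(dst)
    return max((r for r in ROUTES if addr in ipaddress.ip_network(r[0])),
               key=lambda r: ipaddress.ip_network(r[0]).prefixlen)

def esp_next_hops(conf):
    """Map each tunnel's outer source to the (next hop, interface) pair the
    routing table alone would select for its ESP packets."""
    result = {}
    for src, dst in outbound_tunnels(conf):
        _prefix, gw, ifn = route_lookup(dst)
        # Connected route: deliver directly to dst; otherwise via the gateway.
        result[src] = (dst if gw.startswith("link#") else gw, ifn)
    return result

if __name__ == "__main__":
    for src, (nh, ifn) in esp_next_hops(IPSEC_CONF).items():
        print(f"ESP from {src}: next hop {nh} via {ifn}")
```

Because the table sends ESP sourced from 112.0.0.2 to 111.0.0.1 as well, only a source-aware policy (such as a PF route-to rule actually matching the ESP packets) can steer the second tunnel to its own provider's gateway.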

