PF filtering with IPv6 and IPSEC

STux tech at stuxnet.org
Mon Aug 23 17:03:41 UTC 2010


Hello guys,

I'm running FreeBSD 8.0 and I experience a problem with pf.

The network configuration is the following :

NetworkA (ipv6) <=> gwA (openbsd) <=> wan (ipv6/ipsec) <=> gwB (freebsd) <=> NetworkB (ipv6)

OpenBSD is running isakmpd, and seems to be working well. FreeBSD is running 
racoon (ipsec-tools from ports).

Without pf enabled on FreeBSD, the ipv6/ipsec tunnel works well (tcpdump 
confirms it): machines on networkB can access networkA and machines on 
networkA can access networkB.

Code:
--------------------------------------------------------
23:30:00.815393 IP6 gwB > gwA: ESP spi=0x0b9ef32c,seq=0xe), length 92
23:30:00.815546 IP6 gwA > gwB: ESP spi=0xf3cb2428,seq=0x1a), length 92
--------------------------------------------------------

With pf enabled, tcpdump continues to show similar packets, and machines 
on networkA continue to access NetworkB, BUT machines on networkB 
accessing NetworkA are blocked by PF, for a singular reason.

pflog shows unencrypted packets from NetworkA to NetworkB; for example, 
an ssh connection initiated from NetworkB to NetworkA (this applies to 
all protocols except ICMP):

Code:
--------------------------------------------------------
00:00:00.000000 IP6 MachineA.ssh > MachineB.52719: Flags [S.], seq 1862827950, ack 2014870766, win 5712, options [mss 1440,sackOK,TS val 211216935 ecr 257703668,nop,wscale 4], length 0
--------------------------------------------------------
Please note the source port and flags!

I've run tcpdump on OpenBSD, and no packet is transmitted in clear from 
NetworkA to NetworkB. pf is enabled on OpenBSD. I don't think OpenBSD is 
the problem.

When pf is disabled on FreeBSD, there is no packet transmitted in clear 
from NetworkA to NetworkB: only encrypted packets from gwA to gwB and 
from gwB to gwA.

So I think there is a problem after decryption of the packet by racoon. But 
I don't see why (despite several nights ;) ).

For information: a sample of pf.conf, which causes the problem.

Code:
--------------------------------------------------------
ext_if="sis0"
int_if="sis1"

set skip on { lo0 enc0 }
set state-policy if-bound
set block-policy return
scrub in  all

block in log (all, to pflog0)

pass out keep state

pass in on $ext_if keep state
pass in on $int_if keep state
--------------------------------------------------------

Any advice?

Thanks.

Christophe.
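The post's ruleset combines `set skip on { lo0 enc0 }` with `set state-policy if-bound`, and the blocked packet is the clear-text SYN-ACK coming back from NetworkA. The following is an added example (not code from the post, and not pf itself): a small Python model of pf's state lookup that replays the connection the post describes under both state policies, so the effect of `if-bound` versus `floating` on a decrypted reply can be seen without touching a live gateway. It assumes, as the pflog excerpt suggests but does not prove, that the clear-text SYN leaving gwB is only visible to pf on enc0 (which the ruleset skips) and that the decrypted SYN-ACK is presented to pf inbound on $ext_if (sis0); the IPv6 addresses are constructed, and the ESP packets themselves are left out of the model because they match `pass out keep state` and are not the packets being blocked.

```python
"""Toy model of pf state lookup for the ruleset in the post (added example)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

SKIP_IFS = {"lo0", "enc0"}        # set skip on { lo0 enc0 }
PASS_IN_IFS = {"sis0", "sis1"}    # pass in on $ext_if / $int_if keep state

Key = Tuple[str, int, str, int]   # (src, sport, dst, dport)


@dataclass(frozen=True)
class Packet:
    ifname: str
    direction: str                # "in" or "out"
    src: str
    sport: int
    dst: str
    dport: int
    flags: str                    # TCP flags as tcpdump prints them: "S", "S.", "."


@dataclass
class State:
    key: Key                      # key of the packet that created the state
    ifname: Optional[str]         # bound interface; None means floating


class PfModel:
    """Minimal model: state lookup first, then the post's rules in order."""

    def __init__(self, policy: str):
        if policy not in ("if-bound", "floating"):
            raise ValueError(policy)
        self.policy = policy
        self.states: List[State] = []
        self.pflog: List[str] = []

    def _lookup(self, pkt: Packet) -> Optional[State]:
        fwd: Key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev: Key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        for st in self.states:
            # An if-bound state only matches packets on the interface it was created on.
            if st.key in (fwd, rev) and (st.ifname is None or st.ifname == pkt.ifname):
                return st
        return None

    def _create_state(self, pkt: Packet) -> None:
        bound = None if self.policy == "floating" else pkt.ifname
        self.states.append(State((pkt.src, pkt.sport, pkt.dst, pkt.dport), bound))

    def filter(self, pkt: Packet) -> str:
        if pkt.ifname in SKIP_IFS:
            return "skip"
        if self._lookup(pkt) is not None:
            return "pass (state)"
        # TCP rules with keep state and no explicit flags use flags S/SA,
        # so only a pure SYN can create new state; a SYN-ACK cannot.
        if pkt.flags == "S":
            if pkt.direction == "out":
                self._create_state(pkt)
                return "pass (pass out keep state)"
            if pkt.ifname in PASS_IN_IFS:
                self._create_state(pkt)
                return f"pass (pass in on {pkt.ifname} keep state)"
        if pkt.direction == "in":
            self.pflog.append(f"block in on {pkt.ifname}: {pkt.src}.{pkt.sport} > "
                              f"{pkt.dst}.{pkt.dport}: Flags [{pkt.flags}]")
            return "block (block in log)"
        return "pass (no block out rule)"


def run_scenario(policy: str) -> List[str]:
    """Replay the post's ssh connection from NetworkB to NetworkA through gwB."""
    pf = PfModel(policy)
    machine_a, machine_b = "2001:db8:a::a", "2001:db8:b::b"   # constructed addresses
    pkts = [
        # 1. clear-text SYN from MachineB arrives on the inside interface
        Packet("sis1", "in", machine_b, 52719, machine_a, 22, "S"),
        # 2. assumption: the same SYN is only seen before encryption on enc0
        Packet("enc0", "out", machine_b, 52719, machine_a, 22, "S"),
        # 3. assumption: the decrypted SYN-ACK is presented inbound on sis0
        Packet("sis0", "in", machine_a, 22, machine_b, 52719, "S."),
    ]
    return [pf.filter(p) for p in pkts]


if __name__ == "__main__":
    for policy in ("if-bound", "floating"):
        print(policy, run_scenario(policy))
```

Under the stated assumptions the model blocks the SYN-ACK with `if-bound` (the only state was created on sis1) and passes it with `floating`. Whether the assumptions hold on a given box is something `tcpdump -n -e -ttt -i pflog0` can confirm, since the pflog header records the interface and rule that blocked each packet.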

