Date:      Tue, 25 Feb 2014 23:57:24 +0100
From:      Nicolas DEFFAYET <nicolas@deffayet.com>
To:        Georgios Amanakis <gamanakis@gmail.com>
Cc:        andre@freebsd.org, melifaro@freebsd.org, Александр Волобуев <a.v.volobuev@gmail.com>, freebsd-bugs@freebsd.org, bug-followup@freebsd.org
Subject:   Re: kern/185876: ipfw not matching incoming packets decapsulating ipsec. example l2tp/ipsec
Message-ID:  <1393369044.21345.1.camel@fr-wks3.corp.novso.com>
In-Reply-To: <CACvFP_hUOjNJ69MH7Lj5thvPjCtA_81%2Bj-YbJMFqk6VfQbg2LQ@mail.gmail.com>
References:  <CACvFP_g4L=pK3ZmZ_kSq=OO%2BaZANA9k--n7Uhi1Tp6ULO0JHdw@mail.gmail.com> <CACvFP_hUOjNJ69MH7Lj5thvPjCtA_81%2Bj-YbJMFqk6VfQbg2LQ@mail.gmail.com>

On Tue, 2014-02-25 at 23:24 +0100, Georgios Amanakis wrote: 
> > Index: netipsec/xform_ipip.c
> > ===================================================================
> > --- netipsec/xform_ipip.c       (revision 262492)
> > +++ netipsec/xform_ipip.c       (working copy)
> > @@ -181,6 +181,7 @@
> >         IPIPSTAT_INC(ipips_ipackets);
> >  
> >         m_copydata(m, 0, 1, &v);
> > +       m_clrprotoflags(m);
> >  
> >         switch (v >> 4) {
> >  #ifdef INET
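
Review bot: The added `m_clrprotoflags(m);` after `m_copydata(m, 0, 1, &v);` has no comment explaining why the mbuf's protocol flags must be dropped at this point, and it runs unconditionally before `switch (v >> 4)` has examined the version nibble. A one-line comment saying which stale flags from the outer packet it is meant to clear, and that it addresses the ipfw matching problem in kern/185876, would make the intent reviewable. Since this hunk touches only netipsec/xform_ipip.c, the commit message should also state which decapsulation path it covers and whether any other input path needs the same call.
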
> 
> 
> That one does not resolve it correctly, i.e. not all ipsec packets are
> captured. Furthermore, the captured packets have both directions, in
> and out (as captured by: allow ip from any to any in, allow ip from
> any to any out)

Did you test with IPsec in transport mode or in tunnel mode?
-- 
Nicolas DEFFAYET



