From owner-freebsd-questions@FreeBSD.ORG Wed Apr 16 17:23:23 2008
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 48A941065673; Wed, 16 Apr 2008 17:23:23 +0000 (UTC) (envelope-from romzes@upstar.com.ua)
Received: from mail.upstar.com.ua (mail.upstar.com.ua [217.20.174.35]) by mx1.freebsd.org (Postfix) with ESMTP id 900698FC18; Wed, 16 Apr 2008 17:23:22 +0000 (UTC) (envelope-from romzes@upstar.com.ua)
Received: from romzes.office (romzes.office [10.31.0.42]) (authenticated bits=0) by mail.upstar.com.ua (8.13.8/8.13.8) with ESMTP id m3GHNCS7000686 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 16 Apr 2008 20:23:13 +0300 (EEST) (envelope-from romzes@upstar.com.ua)
Message-ID: <480635BC.1010000@upstar.com.ua>
Date: Wed, 16 Apr 2008 20:22:04 +0300
From: Roman Otsaljuk <romzes@upstar.com.ua>
User-Agent: Thunderbird 2.0.0.6 (X11/20070924)
MIME-Version: 1.0
To: Erik Osterholm
Cc: freebsd-questions@freebsd.org
Subject: Re: FreeBSD7 + pf + ipsec
References: <4805C08A.1060308@upstar.com.ua> <1208338114.7003.1.camel@norman-laptop> <4805CF37.70008@upstar.com.ua> <20080416150003.GA16773@aleph.cepheid.org>
In-Reply-To: <20080416150003.GA16773@aleph.cepheid.org>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
X-Spam-Status: No, score=-104.4 required=5.0 tests=ALL_TRUSTED,BAYES_00,USER_IN_WHITELIST autolearn=ham version=3.2.1
X-Spam-Checker-Version: SpamAssassin 3.2.1 (2007-05-02) on mail.upstar.com.ua
X-Virus-Scanned: ClamAV 0.92.1/6798/Wed Apr 16 17:40:01 2008 on mail.upstar.com.ua
X-Virus-Status: Clean
List-Id: User questions
X-List-Received-Date: Wed, 16 Apr 2008 17:23:23 -0000

Erik Osterholm wrote:
> On Wed, Apr 16, 2008 at
> 01:04:39PM +0300, Roman Otsaljuk wrote:
>
>> Norman Maurer wrote:
>>
>>> On Wednesday, 16.04.2008, 12:02 +0300, Roman Otsaljuk wrote:
>>>
>>>> Hi all.
>>>> I have two local nets linked over IPsec:
>>>>
>>>> http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/ipsec.html
>>>>
>>>> Network schema:
>>>>
>>>> 192.168.0.0/24 <---> [192.168.0.12=freebsd=2.2.2.2] <--inet-->
>>>> [1.1.1.1=freebsd1=10.31.0.5] <----> 10.31.0.5/26
>>>>
>>>> Both ends were on 6.2, firewall pf.
>>>> After updating to 7.0 the VPN doesn't work:
>>>> 0) pings go normally
>>>> 0) TCP packets go too, but the third packet has the R flag:
>>>> from 192.168.0.12 try: ssh 10.31.0.42; on the second console:
>>>> mail# tcpdump -ni gif0
>>>> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
>>>> listening on gif0, link-type NULL (BSD loopback), capture size 68 bytes
>>>> 10:49:43.912469 IP 192.168.0.12.63996 > 10.31.0.42.22: S 1756351354:1756351354(0) win 65535
>>>> 10:49:43.936245 IP 217.20.174.35 > 195.43.43.238: IP 10.31.0.42.22 > 192.168.0.12.63996: S 4244314344:4244314344(0) ack 1756351355 win 65535 (ipip-proto-4)
>>>> 10:49:43.936360 IP 192.168.0.12.63996 > 10.31.0.42.22: R 1318200353:1318200353(0) win 0
>>>>
>>>> 0) adding the first rule (pass quick all) on both - no change;
>>>> 0) disabling pf: in the local net where pf is disabled, all is good.
>>>>
>>>> Any ideas?
>>>>
>>>> P.S. The same happens if IPsec is replaced by vpnd.
>>>> Sorry for my bad English.
>>>>
>>> FreeBSD 7.0 uses the "new" IPsec implementation (IPSEC_FAST), so you need
>>> to allow the ipencap protocol too.
>>>
>>> Cheers
>>> Norman
>>>
>> Doesn't the rule "pass quick all" allow ipencap?
>>
> Try specifying it specifically. I seem to recall that only certain
> protocols are passed unless specifically specified, though I can't
> find documentation on that.
>
> Erik

Rules:

    vpn_if=gif0
    pass quick on $vpn_if modulate state
    pass in quick proto {esp, ipencap} from 1.1.1.1 to $ext_if modulate state

were in my pf.conf on 6.2 and on 7.0. I have not changed pf.conf with the upgrade (except for "pass quick all" while trying to understand the problem). But I think the problem is not in ipencap (because ICMP goes fine).
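An added example, not from this thread or from the FreeBSD Handbook page it links to: a complete pf.conf fragment for the 2.2.2.2 gateway (192.168.0.12 on the inside) in the topology above, using the Handbook-style setup the thread describes (a gif tunnel between the two public addresses, its ipencap traffic protected by IPsec, IKE handled by racoon). The outside interface name em0, the remote network 10.31.0.0/26 and the IKE port are assumptions; the peer address, the gif0 name and the macro names come from Roman's rules. One thing worth knowing when comparing a 6.2 and a 7.0 ruleset: FreeBSD 7.0 imported pf from OpenBSD 4.1, where a plain pass rule keeps state by default, so a bare "pass quick all" on 7.0 is no longer the stateless rule it was on 6.2. The rules below therefore say "no state" explicitly where the 6.2 ruleset was stateless, so they behave the same on both releases; whether state tracking on gif0 is what breaks the TCP handshake in this thread is not established here, it is simply one variable the example removes.

```pf
# Added example for the 2.2.2.2 gateway of the topology in the thread.
# Not the original poster's configuration.
# Assumptions: outside interface em0, remote LAN 10.31.0.0/26,
# IKE via racoon on UDP port 500 (Handbook setup).
ext_if = "em0"
vpn_if = "gif0"
peer   = "1.1.1.1"
lan    = "192.168.0.0/24"
remote = "10.31.0.0/26"

set skip on lo0

# IKE between the two gateways (racoon). UDP, so stateful is fine.
pass in  quick on $ext_if proto udp from $peer     to ($ext_if) port 500 keep state
pass out quick on $ext_if proto udp from ($ext_if) to $peer     port 500 keep state

# The encrypted carrier (ESP) and the gif payload (ipencap, IP protocol 4)
# between the two public addresses. Both directions are listed because
# "no state" means no reverse-direction state entry is created; this keeps
# the rule stateless on 7.0 exactly as an unqualified pass was on 6.2.
pass in  quick on $ext_if proto { esp, ipencap } from $peer     to ($ext_if) no state
pass out quick on $ext_if proto { esp, ipencap } from ($ext_if) to $peer     no state

# Decapsulated LAN-to-LAN traffic on the tunnel interface, also stateless.
# To leave the tunnel unfiltered entirely, delete these two lines and use
# "set skip on $vpn_if" next to the lo0 line above instead.
pass in  quick on $vpn_if from $remote to $lan    no state
pass out quick on $vpn_if from $lan    to $remote no state

# Everything else on the outside interface: default deny inbound,
# stateful outbound so replies to the gateway's own connections return.
block in on $ext_if
pass out on $ext_if keep state
```

Load it with "pfctl -nf /etc/pf.conf" first to syntax-check, then "pfctl -f /etc/pf.conf"; "pfctl -vvsr" shows the parsed rules including the state option pf actually applied to each, which is the quickest way to see whether a rule that looks stateless on paper is keeping state on 7.0.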