From owner-freebsd-questions Tue Apr 16 23:28:55 2002
Delivered-To: freebsd-questions@freebsd.org
Received: from sigbus.com (c-24-126-148-218.we.client2.attbi.com [24.126.148.218]) by hub.freebsd.org (Postfix) with ESMTP id DF9EA37B49F for ; Tue, 16 Apr 2002 23:28:11 -0700 (PDT)
Received: (from henrich@localhost) by sigbus.com (8.11.1/8.11.1) id g3H6S4s35383 for freebsd-questions@freebsd.org; Tue, 16 Apr 2002 23:28:04 -0700 (PDT) (envelope-from henrich)
Date: Tue, 16 Apr 2002 23:28:04 -0700
From: Charles Henrich
To: freebsd-questions@freebsd.org
Subject: ipencap instead of esp packets?
Message-ID: <20020416232804.A34302@sigbus.com>
Mail-Followup-To: freebsd-questions@freebsd.org
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
X-Operating-System: FreeBSD 4.2-RELEASE
X-PGP-Fingerprint: 1024/F7 FD C7 3A F5 6A 23 BF 76 C4 B8 C9 6E 41 A4 4F
X-GPG-Fingerprint: EA4C AB9B 0C38 17C0 AB3F 11DE 41F6 5883 41E7 4F49
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

I've set up IPsec according to several of the documents on the net, and it
seems to be working correctly. However, when I went to install my firewall
rules to allow

00300 0 0 allow log udp from any to any 500
00400 0 0 allow log esp from any to any

no packets successfully transferred. Allowing ipencap packets allowed the
tunnels to work. This is on BSD-4.5; anyone have any suggestions as to why
this might be? Also, how can I verify the packets are actually being
encrypted?
Packet trace:

17:22:31.937768 10.2.1.21 > 10.2.1.20: remote > local: ESP(spi=0x01c22750,seq=0xba) [tos 0x10] (ipip)
17:22:31.938200 10.2.1.20 > 10.2.1.21: local > remote: ESP(spi=0x08dc78ca,seq=0x9e) [tos 0x10] (ipip)

local# ifconfig -a
xl0: flags=8843 mtu 1500
        options=3
        inet 10.2.1.20 netmask 0xffff0000 broadcast 10.2.255.255
        ether 00:04:76:cc:0b:ad
        media: Ethernet autoselect (100baseTX )
        status: active
lp0: flags=8810 mtu 1500
lo0: flags=8049 mtu 16384
        inet 127.0.0.1 netmask 0xff000000
gif0: flags=8051 mtu 1280
        tunnel inet 10.2.1.20 --> 10.2.1.21
        inet 172.16.0.1 --> 172.16.1.1 netmask 0xffffff00

local# setkey -PD
172.16.1.0/24[any] 172.16.0.0/24[any] any
        in ipsec
        esp/tunnel/172.16.1.1-172.16.0.1/require
        spid=2 seq=1 pid=136 refcnt=1
172.16.0.0/24[any] 172.16.1.0/24[any] any
        out ipsec
        esp/tunnel/172.16.0.1-172.16.1.1/require
        spid=1 seq=0 pid=136 refcnt=1

Any suggestions appreciated!
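The trace in the post shows ESP carried inside an IP-in-IP (ipip) packet from the gif0 tunnel, so a filter on the physical interface matches the outer header, protocol 4 (ipencap), not 50 (esp). The following added Python example (not from the post, FreeBSD or ipfw) builds such a packet and runs a simplified first-match rule list over it; it assumes a constructed packet with dummy ciphertext and a toy matcher that ignores ports and addresses, and the rule number 350 is chosen here.

```python
import socket
import struct
# Protocol numbers by the names ipfw and /etc/protocols use on FreeBSD
PROTO = {"udp": 17, "ipencap": 4, "esp": 50}
PROTO_NAME = {v: k for k, v in PROTO.items()}

def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header; checksum left 0 (constructed sample)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0x10, 20 + payload_len, 0, 0,
                       64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def esp_packet(spi, seq, ciphertext):
    """ESP header (SPI, sequence number) followed by opaque encrypted bytes."""
    return struct.pack("!II", spi, seq) + ciphertext

def ip_proto(pkt):
    """Protocol field of an IPv4 header (byte 9)."""
    return pkt[9]

def ip_payload(pkt):
    """Bytes after the IPv4 header (IHL is in 32-bit words)."""
    return pkt[(pkt[0] & 0x0F) * 4:]

def encapsulation_chain(pkt):
    """Peel IP-in-IP layers, naming each protocol; stops at ESP (ciphertext)."""
    chain = []
    while True:
        proto = ip_proto(pkt)
        chain.append(PROTO_NAME.get(proto, str(proto)))
        if proto != PROTO["ipencap"]:
            return chain
        pkt = ip_payload(pkt)

def ipfw_first_match(rules, pkt):
    """Simplified ipfw: the first rule whose protocol matches the OUTER
    header wins; ports are ignored and 65535 is the implicit default deny."""
    outer = ip_proto(pkt)
    for number, action, proto_name in sorted(rules):
        if proto_name == "ip" or PROTO[proto_name] == outer:
            return number, action
    return 65535, "deny"
# Constructed packet shaped like the first trace line: gif0 wraps the ESP
# datagram (spi=0x01c22750, tunnel 172.16.1.1 -> 172.16.0.1) in IP-in-IP
# between the outer addresses 10.2.1.21 -> 10.2.1.20.
esp = esp_packet(0x01C22750, 0xBA, b"\x8f" * 64)   # dummy ciphertext
inner = ipv4_header("172.16.1.1", "172.16.0.1", PROTO["esp"], len(esp)) + esp
SAMPLE = ipv4_header("10.2.1.21", "10.2.1.20", PROTO["ipencap"], len(inner)) + inner
POSTED_RULES = [(300, "allow", "udp"), (400, "allow", "esp")]   # from the post
FIXED_RULES = POSTED_RULES + [(350, "allow", "ipencap")]        # number chosen here
```

With only the posted rules the packet falls through to the default deny, because the outer header is ipencap; adding the ipencap rule is what lets the tunnel traffic through.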