From owner-freebsd-net@FreeBSD.ORG Sun Mar 18 10:23:32 2007
From: Andre Albsmeier
To: freebsd-net@freebsd.org
Cc: Andre.Albsmeier@siemens.com
Date: Sun, 18 Mar 2007 10:32:41 +0100
Message-ID: <20070318093241.GA1657@curry.mchp.siemens.de>
Subject: 6.2-STABLE: enc0 sees only outgoing packets in pf
List-Id: Networking and TCP/IP with FreeBSD
User-Agent: Mutt/1.5.13 (2006-08-11)

(This is FreeBSD 6.2-STABLE as of yesterday using pf and FAST_IPSEC.)

Yesterday I started to play around with enc0 in pf. I hoped I could now control IPSEC traffic in the standard way with pf rules, but it seems that only outgoing packets hit enc0. I added a

  pass quick log on enc0 all

on top of all pf rules.
When sending a single ping packet to the remote side everything works, but the only thing I see is

  Mar 18 10:20:11 gate pflogd: @0 pass out enc0 ICMP 192.168.164.81 -> 10.0.1.32 8 (echo)

(192.168.164.81 is my local gif0 address and 10.0.1.32 the remote). However, when running a tcpdump on enc0 we see the answer as well:

  listening on enc0, link-type ENC (OpenBSD encapsulated IP), capture size 1550 bytes
  10:20:11.475041 (authentic,confidential): SPI 0x50521518: IP A.B.C.D > E.F.G.H: IP 192.168.164.81 > 10.0.1.32: ICMP echo request, id 3631, seq 0, length 64 (ipip-proto-4)
  10:20:11.560430 (authentic,confidential): SPI 0x0cf2344e: IP E.F.G.H > A.B.C.D: IP 10.0.1.32 > 192.168.164.81: ICMP echo reply, id 3631, seq 0, length 64 (ipip-proto-4)

(A.B.C.D is my local gif0 tunnel endpoint and E.F.G.H the remote).

Just to make things clear: IPSEC works (as it did for years), I'm just not able to control the incoming packets with enc0 in pf.

Any ideas?

Thanks,

	-Andre
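As an added example (not part of Andre's post), a small Python check that cross-references the pflog line and the tcpdump output quoted above and reports the flows enc0 carried that pf never logged, which makes the one-directional filtering visible without reading the captures by hand. The sample lines are constructed from the post; treating a packet sourced from a local inner address as "out" is an assumption of the example.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the post: pflog recorded only the
# outgoing echo request on enc0, while tcpdump on enc0 saw both directions.
PFLOG_LINES = [
    "Mar 18 10:20:11 gate pflogd: @0 pass out enc0 ICMP 192.168.164.81 -> 10.0.1.32 8 (echo)",
]
TCPDUMP_LINES = [
    "10:20:11.475041 (authentic,confidential): SPI 0x50521518: IP A.B.C.D > E.F.G.H: "
    "IP 192.168.164.81 > 10.0.1.32: ICMP echo request, id 3631, seq 0, length 64 (ipip-proto-4)",
    "10:20:11.560430 (authentic,confidential): SPI 0x0cf2344e: IP E.F.G.H > A.B.C.D: "
    "IP 10.0.1.32 > 192.168.164.81: ICMP echo reply, id 3631, seq 0, length 64 (ipip-proto-4)",
]

# pflogd text format: "@rule action direction iface PROTO src -> dst ..."
PFLOG_RE = re.compile(r"pflogd: @\d+ (\w+) (in|out) (\w+) \w+ (\S+) -> (\S+)")
# Inner IP header of the ENC frame: the "IP a > b:" immediately before the ICMP text
# (the outer "IP A.B.C.D > E.F.G.H:" is skipped because ": ICMP" does not follow it).
TCPDUMP_RE = re.compile(r"IP (\S+) > (\S+): ICMP")


def pflog_flows(lines):
    """Count (iface, direction, src, dst) flows that pf actually logged."""
    flows = Counter()
    for line in lines:
        m = PFLOG_RE.search(line)
        if m:
            _action, direction, iface, src, dst = m.groups()
            flows[(iface, direction, src, dst)] += 1
    return flows


def tcpdump_flows(lines, iface, local_addrs):
    """Count (iface, direction, src, dst) flows from tcpdump inner headers.
    Direction is inferred (assumption): a packet from a local address is 'out'."""
    flows = Counter()
    for line in lines:
        m = TCPDUMP_RE.search(line)
        if m:
            src, dst = m.groups()
            direction = "out" if src in local_addrs else "in"
            flows[(iface, direction, src, dst)] += 1
    return flows


def missing_in_pf(pflog, tcpdump):
    """Flows the interface carried (per tcpdump) that pf never logged."""
    return {flow: n for flow, n in tcpdump.items() if flow not in pflog}


if __name__ == "__main__":
    pf = pflog_flows(PFLOG_LINES)
    wire = tcpdump_flows(TCPDUMP_LINES, "enc0", {"192.168.164.81"})
    for flow, n in missing_in_pf(pf, wire).items():
        print("seen on wire but not by pf:", flow, n)
```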