Date: Mon, 23 Aug 2010 19:04:09 +0200
From: STux <tech@stuxnet.org>
To: freebsd-pf@freebsd.org
Subject: PF filtering with IPv6 and IPSEC
Message-ID: <4C72AA09.6030604@stuxnet.org>
Hello guys,

I'm running FreeBSD 8.0 and I experience a problem with pf. The network configuration is the following:

NetworkA (ipv6) <=> gwA (openbsd) <=> wan (ipv6/ipsec) <=> gwB (freebsd) <=> NetworkB (ipv6)

OpenBSD is running isakmpd, and seems to be working well. FreeBSD is running racoon (ipsec-tools from ports).

Without pf enabled on FreeBSD, the ipv6/ipsec tunnel works well (tcpdump confirms it): machines on NetworkB access NetworkA and machines on NetworkA access NetworkB.

Code:
--------------------------------------------------------
23:30:00.815393 IP6 gwB > gwA: ESP(spi=0x0b9ef32c,seq=0xe), length 92
23:30:00.815546 IP6 gwA > gwB: ESP(spi=0xf3cb2428,seq=0x1a), length 92
--------------------------------------------------------

With pf enabled: tcpdump continues to show similar packets, and machines on NetworkA continue to access NetworkB, BUT machines on NetworkB accessing NetworkA are blocked by pf, with a singular reason. pflog shows unencrypted packets from NetworkA to NetworkB. Example of an ssh connection initiated from NetworkB to NetworkA (this applies to all protocols except ICMP):

Code:
--------------------------------------------------------
00:00:00.000000 IP6 MachineA.ssh > MachineB.52719: Flags [S.], seq 1862827950, ack 2014870766, win 5712, options [mss 1440,sackOK,TS val 211216935 ecr 257703668,nop,wscale 4], length 0
--------------------------------------------------------

Please note the source port and flag!

I've tcpdumped on OpenBSD, and no packet is transmitted in clear from NetworkA to NetworkB. pf is enabled on OpenBSD. I don't think OpenBSD is the problem.

When pf is disabled on FreeBSD, there is no packet transmitted in clear from NetworkA to NetworkB: only encrypted packets from gwA to gwB and from gwB to gwA. So I think there is a problem after decryption of the packet by racoon. But I don't see why (despite several nights ;) ).

For information: sample of pf.conf, which causes the problem.

Code:
--------------------------------------------------------
ext_if="sis0"
int_if="sis1"

set skip on { lo0 enc0 }
set state-policy if-bound
set block-policy return

scrub in all

block in log (all, to pflog0)
pass out keep state
pass in on $ext_if keep state
pass in on $int_if keep state
--------------------------------------------------------

Any advice?

Thanks.
Christophe.
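The asymmetry the poster points at (a cleartext SYN-ACK logged by pf with no SYN in front of it, while the ESP lines look healthy) can be checked mechanically over a capture instead of by eye. The following is an added example for this thread, not the poster's code and not part of FreeBSD, pf or racoon: it parses tcpdump-style `IP6 src > dst:` lines, counts ESP packets per SPI, and reports TCP SYN-ACKs whose matching SYN never appeared in the same capture. The sample lines reuse the two excerpts from the message; the extra `MachineB.52720` handshake and all host names are constructed for the demonstration.

```python
"""Triage helper for tcpdump/pflog text: ESP per SPI and orphan SYN-ACKs.

Added example for the list post above; it is not the poster's code.
The sample capture below is constructed (the first three lines follow
the poster's excerpts, the 52720 handshake is made up for contrast).
"""
import re
from collections import Counter

SAMPLE_LINES = """\
23:30:00.815393 IP6 gwB > gwA: ESP(spi=0x0b9ef32c,seq=0xe), length 92
23:30:00.815546 IP6 gwA > gwB: ESP(spi=0xf3cb2428,seq=0x1a), length 92
00:00:00.000000 IP6 MachineA.ssh > MachineB.52719: Flags [S.], seq 1862827950, ack 2014870766, win 5712, options [mss 1440,sackOK,TS val 211216935 ecr 257703668,nop,wscale 4], length 0
00:00:01.000000 IP6 MachineB.52720 > MachineA.ssh: Flags [S], seq 10, win 65535, options [mss 1440], length 0
00:00:01.000100 IP6 MachineA.ssh > MachineB.52720: Flags [S.], seq 20, ack 11, win 5712, options [mss 1440], length 0
"""

# "ts IP6 src > dst: rest"; dst is matched non-greedily up to the first
# ": " so IPv6 literals (which contain ':' but never ': ') still parse.
LINE_RE = re.compile(r"^(?P<ts>\S+) IP6 (?P<src>\S+) > (?P<dst>\S+?): (?P<rest>.*)$")
ESP_RE = re.compile(r"^ESP\(spi=(?P<spi>0x[0-9a-fA-F]+),seq=(?P<seq>0x[0-9a-fA-F]+)\)")
TCP_RE = re.compile(r"Flags \[(?P<flags>[^\]]*)\]")


def split_endpoint(endpoint):
    """tcpdump prints TCP endpoints as 'host.port'; split on the last dot."""
    host, sep, port = endpoint.rpartition(".")
    if not sep:
        return endpoint, None
    return host, port


def parse_line(line):
    """Return a dict describing one line, or None if it is not an IP6 line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    esp = ESP_RE.match(rest)
    if esp:
        # ESP has no ports, so src/dst are kept whole.
        return {"ts": m.group("ts"), "proto": "esp",
                "src": m.group("src"), "dst": m.group("dst"),
                "spi": esp.group("spi").lower(), "seq": int(esp.group("seq"), 16)}
    tcp = TCP_RE.search(rest)
    if tcp:
        shost, sport = split_endpoint(m.group("src"))
        dhost, dport = split_endpoint(m.group("dst"))
        return {"ts": m.group("ts"), "proto": "tcp",
                "src": shost, "sport": sport, "dst": dhost, "dport": dport,
                "flags": tcp.group("flags")}
    return {"ts": m.group("ts"), "proto": "other",
            "src": m.group("src"), "dst": m.group("dst")}


def packets(text):
    return [p for p in map(parse_line, text.splitlines()) if p is not None]


def count_esp(text):
    """ESP packets per SPI; a working tunnel shows one SPI per direction."""
    return Counter(p["spi"] for p in packets(text) if p["proto"] == "esp")


def orphan_synacks(text):
    """SYN-ACKs for which the capture holds no SYN from the client side.

    A SYN-ACK is the *second* packet of a handshake; if pf logs it as the
    first thing it sees for that connection, the SYN reached the server
    by a path pf did not see (or did not create state on).
    """
    seen_syn = set()
    orphans = []
    for p in packets(text):
        if p["proto"] != "tcp":
            continue
        if p["flags"] == "S":
            seen_syn.add((p["src"], p["sport"], p["dst"], p["dport"]))
        elif p["flags"] == "S.":
            client_side = (p["dst"], p["dport"], p["src"], p["sport"])
            if client_side not in seen_syn:
                orphans.append(p)
    return orphans


def triage(text):
    """Summary a practitioner can paste into a reply."""
    return {
        "esp_per_spi": dict(count_esp(text)),
        "cleartext_tcp": sum(1 for p in packets(text) if p["proto"] == "tcp"),
        "orphan_synacks": [f"{p['src']}.{p['sport']} > {p['dst']}.{p['dport']}"
                           for p in orphan_synacks(text)],
    }


if __name__ == "__main__":
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LINES
    for key, value in triage(text).items():
        print(f"{key}: {value}")
```

Run it on the sample (no stdin) or pipe in plain `tcpdump -n` output. The parser expects the bare `IP6 src > dst:` form; if the capture was printed with `-e` (the pflog rule/interface prefix), strip that prefix before feeding it in. In the sample, the poster's 52719 SYN-ACK is reported as an orphan while the constructed 52720 handshake is not.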
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4C72AA09.6030604>