From: Gennady Proskurin
To: freebsd-security@freebsd.org
Date: Fri, 26 May 2006 11:38:36 +0400
Subject: IPSEC - tcp port match
Message-ID: <20060526073836.GC15280@relay.nvnpp.vrn.ru>
List-Id: "Security issues [members-only posting]"

Hello.

I am trying to configure IPSEC to bypass the ssh protocol. For example:

    # flush the security policy database, then the security association database
    setkey -FP
    setkey -F
    # load policies from stdin
    setkey -c << EOF
    spdadd 10.1.1.1/32 10.6.10.50[22] tcp -P in none ;
    spdadd 10.1.1.1/32 10.6.10.50 tcp -P in ipsec ah/transport//require ;
    EOF

(Pass incoming ssh packets to 10.6.10.50, block other tcp packets)

This works under fresh 7-CURRENT (FAST_IPSEC).

On fresh 6-STABLE (neither FAST_IPSEC nor KAME IPSEC) it doesn't work; the first line "spdadd 10.1.1.1/32 10.6.10.50[22] tcp -P in none" never matches.

Is it a bug in 6-STABLE, or am I missing something?

Does anybody successfully use IPSEC with tcp port matching under 6-STABLE?

--
Gennady
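The policy set in the post only covers the inbound direction on 10.6.10.50. The script below is an added example, not part of the original message, that generates the same "ssh bypasses IPsec, every other TCP flow requires AH" policy for both directions and loads it with the same setkey commands the post uses. The function and variable names (ssh_bypass_policy, apply_policy, PEER, LOCAL_ADDR, SSH_PORT, APPLY) are assumptions for this example; it assumes it runs on the host that owns LOCAL_ADDR (10.6.10.50 in the post), so "in" policies have that address as destination and "out" policies have it as source, and that the more specific port entries are kept ahead of the catch-all, in the same order as the original post.

```shell
#!/bin/sh
# Added example (not the poster's script): emit setkey SPD entries that exempt
# one TCP port from IPsec in both directions and require AH transport mode for
# all other TCP traffic between the two hosts.
# Usage: ssh_bypass_policy PEER LOCAL_ADDR [PORT]
ssh_bypass_policy() {
    peer="$1"
    local_addr="$2"
    port="${3:-22}"
    # Port-specific exemptions first (inbound to the port, outbound replies from it).
    printf 'spdadd %s/32 %s[%s] tcp -P in none ;\n' "$peer" "$local_addr" "$port"
    printf 'spdadd %s[%s] %s/32 tcp -P out none ;\n' "$local_addr" "$port" "$peer"
    # Catch-all for every other TCP flow with the peer: AH in transport mode is required.
    printf 'spdadd %s/32 %s tcp -P in ipsec ah/transport//require ;\n' "$peer" "$local_addr"
    printf 'spdadd %s %s/32 tcp -P out ipsec ah/transport//require ;\n' "$local_addr" "$peer"
}

# Flush the SPD and SAD as in the post, load the generated policies, then dump
# the SPD so the operator can confirm that the [port] selectors were accepted.
apply_policy() {
    setkey -FP
    setkey -F
    ssh_bypass_policy "$@" | setkey -c
    setkey -DP
}

# Stand-alone run: print the policy for the addresses from the post (or from the
# environment). Only touch the kernel when APPLY=yes is set and setkey exists.
ssh_bypass_policy "${PEER:-10.1.1.1}" "${LOCAL_ADDR:-10.6.10.50}" "${SSH_PORT:-22}"
if [ "${APPLY:-no}" = yes ] && command -v setkey >/dev/null 2>&1; then
    apply_policy "${PEER:-10.1.1.1}" "${LOCAL_ADDR:-10.6.10.50}" "${SSH_PORT:-22}"
fi
```

The "require" entries only pass traffic once matching AH security associations exist (manual `add` entries or an IKE daemon), so on a host where the port exemption is not honoured, as the post describes for 6-STABLE, the ssh session is blocked along with everything else; `setkey -DP` after loading shows whether the kernel stored the port selector at all.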