From owner-freebsd-security Thu Jan 11 4:56:33 2001
Delivered-To: freebsd-security@freebsd.org
Received: from tao.org.uk (genesis.tao.org.uk [194.242.131.94]) by hub.freebsd.org (Postfix) with ESMTP id 677FB37B400 for ; Thu, 11 Jan 2001 04:56:16 -0800 (PST)
Received: by tao.org.uk (Postfix, from userid 100) id 941F3323F; Thu, 11 Jan 2001 12:56:21 +0000 (GMT)
Date: Thu, 11 Jan 2001 12:56:21 +0000
From: Josef Karthauser
To: itojun@iijlab.net
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Interaction problem with IKE (racoon) and ipfw divert natd?
Message-ID: <20010111125621.F3594@tao.org.uk>
Mail-Followup-To: Josef Karthauser , itojun@iijlab.net, freebsd-security@FreeBSD.ORG
References: <20010111124510.D3594@tao.org.uk> <29596.979217266@coconut.itojun.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <29596.979217266@coconut.itojun.org>; from itojun@iijlab.net on Thu, Jan 11, 2001 at 09:47:46PM +0900
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, Jan 11, 2001 at 09:47:46PM +0900, itojun@iijlab.net wrote:
> 
> >Strangely... if I move the 'allow udp from ME isakmp to HIM isakmp' to
> >before the 'divert 8668 ip from any to any via fxp1' rule the packet
> >does go out on the wire!
> >I wonder whether this is a bug with natd.
> >Both machines are round about RELENG_4 (far end HIM jan 4th, this end ME
> >jan 10th).
> >Any ideas how I can track this down?
> 
> 	i have no idea.  i think natd captures the outgoing packets and then
> 	drops them onto the floor or something like that.
> 	we (as kame guys) almost never use ipfw/ipnat, as ipsec is inherently
> 	not friendly with them.

Hmm, you're also using IPv6, aren't you, so that makes things easier in terms of space allocation.

My guess here is that natd is corrupting something as it sees the packet.
Joe
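The rule-ordering effect Josef reports follows from ipfw's first-match evaluation: a `divert 8668 ip from any to any via fxp1` rule above the ISAKMP allow rule catches the outgoing UDP/500 packet before the allow rule is ever consulted. The following is an added illustration, not code from the thread or from FreeBSD; it models just the first-match lookup for the two quoted rules, using constructed placeholder addresses for ME and HIM (the interface name, divert port and rule text are taken from the message), and says nothing about what natd then does with the diverted packet.

```python
# Added example (not from the thread): a minimal model of ipfw's first-match
# rule evaluation for the two orderings described in the message.
from dataclasses import dataclass
from typing import List, Optional

ME = "192.0.2.1"       # constructed placeholder for the local IKE endpoint
HIM = "198.51.100.1"   # constructed placeholder for the remote IKE endpoint
ISAKMP = 500           # IKE/ISAKMP uses UDP port 500

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int
    iface: str         # interface the packet is passing through

@dataclass(frozen=True)
class Rule:
    action: str                  # "allow", "divert 8668", ...
    proto: str                   # "ip" matches every protocol
    src: str                     # "any" or an exact address
    dst: str
    dport: Optional[int]         # None: any destination port
    iface: Optional[str]         # "via <if>" restriction; None: any interface

    def matches(self, p: Packet) -> bool:
        return (self.proto in ("ip", p.proto)
                and self.src in ("any", p.src)
                and self.dst in ("any", p.dst)
                and self.dport in (None, p.dport)
                and self.iface in (None, p.iface))

def first_match(rules: List[Rule], p: Packet) -> str:
    """Return the action of the first matching rule, as ipfw does."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"  # ipfw's implicit default rule

# allow udp from ME isakmp to HIM isakmp
ALLOW_ISAKMP = Rule("allow", "udp", ME, HIM, ISAKMP, None)
# divert 8668 ip from any to any via fxp1
DIVERT_NATD = Rule("divert 8668", "ip", "any", "any", None, "fxp1")
IKE_OUT = Packet("udp", ME, HIM, ISAKMP, "fxp1")

def original_order() -> str:
    # divert above allow: the catch-all hands the IKE packet to natd first
    return first_match([DIVERT_NATD, ALLOW_ISAKMP], IKE_OUT)

def reordered() -> str:
    # allow above divert: the IKE packet never reaches the divert rule
    return first_match([ALLOW_ISAKMP, DIVERT_NATD], IKE_OUT)
```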