From owner-freebsd-pf@FreeBSD.ORG Wed May 25 03:57:42 2011
Message-ID: <4DDBAFF9.20705@herveybayaustralia.com.au>
Date: Tue, 24 May 2011 23:17:45 +1000
From: Da Rock
To: freebsd-pf@freebsd.org
In-Reply-To: <20110524072550.GB70509@relay.ibs.dn.ua>
Subject: Re: pf firewall nat and IPSec

On 05/24/11 17:25, Zeus V Panchenko wrote:
> Da Rock (freebsd-pf@herveybayaustralia.com.au) [11.05.23 08:23] wrote:
>
>> Ok. So I've tried wifi hotspots and the mobile network- all no go.
>> Racoon's obviously not the problem or L2TP; it's definitely PF.
>>
> does your configuration work without pf?
>

Not really an option atm- that's why I asked about other firewall types. My research has found that IPTables doesn't have a problem (according to IPCop)- needs some finer adjustments, but works. So I'm now looking at testing IPFW or IPFilter- I'll advise the outcome of this as well; if it works on either of these then it won't be a BSD issue. But I'm still curious to find what could be the issue with PF if it does work on the others...

Looking at my flows I see that Android appears to accept keys and start sending packets on 4500; whereas racoon local appears to ignore the packets and is left unaware that the keys are accepted. What I still haven't discovered is why?

Is anyone further advanced on this? I'm currently considering a comparison of IP packets to see if there is any difference as it passes through PF. Thoughts?