Date:      Mon, 05 Mar 2007 14:46:41 +0100
From:      Volker Werth <vwerth@vwsoft.com>
To:        Tom Judge <tom@tomjudge.com>
Cc:        freebsd-pf@freebsd.org
Subject:   Re: Re: Tracing packets passing through PF
Message-ID:  <45EC1F41.2060202@vwsoft.com>
In-Reply-To: <45EBE118.1010602@tomjudge.com>
References:  <45E75454.2060302@tomjudge.com>	<000601c75ca1$b4d7a570$1e86f050$@Hennessy@nviz.net>	<45E7F00B.6010306@tomjudge.com>	<001901c75cb1$040435a0$0c0ca0e0$@Hennessy@nviz.net>	<45E81AC3.5020304@tomjudge.com>	<003901c75e88$c1b7cd40$452767c0$@Hennessy@nviz.net> <45EBE118.1010602@tomjudge.com>


[-- Attachment #1 --]
On 12/23/-58 20:59, Tom Judge wrote:
> The packet is not getting filtered it leaves the host and passes on the
> wire to the default gateway.  There are no issues with the traffic being
> filtered by the originating host's firewall, the problem is that the ESP
> packet's next hop is not being modified by the source routing rule and is
> therefore being sent to the incorrect gateway, where the ISP filters the
> packet.  It is only the ESP traffic that fails to be routed correctly,
> all other traffic is fine. It is almost as if the ESP packet never
> enters PF and is transmitted straight out onto the network,  hence me
> starting this thread about being able to trace the packet through the
> stack.
> 
> Tom

Tom,

could you describe a bit more in detail what you're doing with IPSec
and what you're trying to do using pf? I've not followed the whole
thread as I've had no time to read email over the weekend. If you
already posted all infos, please forgive me and point me to that
message.

I've done a lot of work with IPSec (+ipsec_tools, racoon2 etc.) and
have also seen strange behaviour of ESP data not passing the firewall.

Are you using IPSEC or FAST_IPSEC? Are you using GIF tunnels? Are
you using ENC? Could you please give us your routing table (partially)?

Thanks,

Volker


Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?45EC1F41.2060202>