From owner-freebsd-stable@FreeBSD.ORG Fri Nov 4 04:22:06 2011
Date: Fri, 4 Nov 2011 04:02:47 +0000 (UTC)
From: "Bjoern A. Zeeb"
To: Kurt Jaeger
Cc: freebsd-stable@freebsd.org
Subject: Re: fbsd 8.2, L2TP over IPsec and pf ?
In-Reply-To: <20111103155258.GA68080@home.opsec.eu>
References: <20111103155258.GA68080@home.opsec.eu>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
On Thu, 3 Nov 2011, Kurt Jaeger wrote:

> Hello,
>
> I'm building a setup for incoming L2TP over IPsec connections
> using FreeBSD 8.2-REL.

I assume you are explicitly using tunnel mode?

> IPsec based on ports/security/ipsec-tools, the l2tp part
> works from net/mpd5/.
>
> If I disable the PF rules, everything works.
>
> If I enable the PF rules, the IPsec connection still comes up,
> but the L2TP requests are lost somewhere in the PF rules 8-(
>
> Interestingly, tcpdump enc0 does not see any encrypted packets (!)
> as long as the PF rules are active.

Tried playing with the sysctls of enc(4)?

net.enc.in.ipsec_bpf_mask=0x00000003
net.enc.in.ipsec_filter_mask=0x00000003

> Any hints on the PF rules required to allow those packets in ?

Need more details (if you want also off-list).

-- 
Bjoern A. Zeeb
You have to have visions!
Stop bit received. Insert coin for new address family.
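The two enc(4) sysctls in the reply decide whether the still-encrypted and the decrypted copy of an inbound IPsec packet are handed to bpf (what tcpdump enc0 shows) and to the packet filter. The following is an added illustration, not something posted in this thread: a sysctl.conf fragment using the values from the reply, and a pf.conf fragment that admits the outer IKE/ESP traffic on the external interface and the inner L2TP traffic once it reappears on enc0. The interface name em0, the peer range and the rule layout are assumptions for the example; adjust them to the real setup.

```pf
# --- /etc/sysctl.conf (added example, not from the thread) ---
# enc(4) masks: 0x1 = packet before the IPsec transform, 0x2 = after it,
# 0x3 = both. For inbound traffic "before" is the still-encrypted ESP packet
# and "after" is the decrypted inner packet. With 0x3 tcpdump enc0 shows
# both copies and pf evaluates both, so the rules below cover both.
net.enc.in.ipsec_bpf_mask=0x00000003
net.enc.in.ipsec_filter_mask=0x00000003

# --- /etc/pf.conf fragment (added example; em0 and the peer list are assumptions) ---
ext_if = "em0"
# Narrow this to the ranges road warriors actually connect from where that is known.
ipsec_peers = "{ 0.0.0.0/0 }"

set skip on lo0

# Outer traffic on the external interface: IKE (udp/500), NAT-T (udp/4500)
# and ESP addressed to the gateway itself.
pass in quick on $ext_if proto udp from $ipsec_peers to ($ext_if) port { 500, 4500 } keep state
pass in quick on $ext_if proto esp from $ipsec_peers to ($ext_if)

# Inner traffic on enc0. Because the filter mask includes the "before" bit,
# the encrypted ESP copy is also presented on enc0 and needs its own pass rule;
# the decrypted copy is the L2TP control/data channel on udp/1701 for mpd5.
pass in quick on enc0 proto esp from $ipsec_peers to ($ext_if)
pass in quick on enc0 proto udp from $ipsec_peers to ($ext_if) port 1701 keep state
pass out quick on enc0 keep state

# Everything else inbound on the external interface is dropped and logged,
# so a missing enc0 rule shows up in pflog rather than vanishing silently.
block in log on $ext_if
```

Check the rules with pfctl -nf /etc/pf.conf before loading them, and compare tcpdump -ni enc0 with tcpdump -ni pflog0 while a client connects: if L2TP packets appear on enc0 but also in pflog, the enc0 pass rule is what is still missing; if they never appear on enc0 at all, the IPsec side (policy or transform mode) rather than pf is the place to look.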