From owner-freebsd-stable Fri Nov 15 5:21:32 2002
Message-ID: <3DD4F4D1.83C77B0@dolaninformation.com>
Date: Fri, 15 Nov 2002 07:21:21 -0600
From: Greg Panula
Reply-To: greg.panula@dolaninformation.com
Organization: Dolan Information Center Inc
To: David Kelly
Cc: FreeBSD-stable@FreeBSD.org
Subject: Re: IPsec/gif VPN tunnel packets on wrong NIC in ipfw?
References: <200211142157.57459.dkelly@HiWAAY.net>

David Kelly wrote:
>
> Ran cvsup this morning (11/14/2002), built world, installed world, built
> and installed new kernel, forgot mergemaster, rebooted, and my VPN to
> another FreeBSD box was not working. Did not update the other box.
>
> Discovered I had not done mergemaster on the problem box so did that
> and rebooted again. Still have the same problem.
>
> What I have found is packets that are supposed to be on fxp0 are being
> killed by ipfw for appearing on fxp1 by this rule. fxp1 is my external
> NIC connected to the ISP:
>
> 00600 14 1122 deny ip from any to 10.0.0.0/8 via fxp1
>
> But if I add this rule in front of the above (so I don't have to retype
> the above to add it back) then all is working as it once did:
>
> 00550 2 168 allow ip from 192.168.100.0/24 to 10.0.0.0/24 in recv fxp1
>
> The above are prior to my divert rule.
>
> Much later in my ruleset (after divert to natd) I was allowing these
> packets via fxp0, the internal interface. Some are still going that way.
>
> The distant end is still 4.6-STABLE and shares practically the same
> ipfw ruleset and everything. Rule 600 doesn't cause a problem there.
> Wasn't a problem before the latest update for 4.7-stable.
>
> No doubt I'm lost as to how IPsec packets traverse thru these layers.
> When setting the system up was surprised to find nothing came thru
> gif0. At least nothing ipfw sees.
>
> --
> David Kelly N4HHE, dkelly@hiwaay.net

gif tunnels aren't really needed for passing IPSec traffic between
locations. I have stopped using them. You might try adding an allow
rule for esp traffic just before your rule 600.
Something like:

ipfw add 550 allow esp from to out via fxp1
ipfw add 555 allow esp from to in via fxp1

or

ipfw add 550 allow esp from any to any via fxp1

If you are using gif tunnels for passing your ipsec traffic thru you
might want to try not using them. I ran into some similar funkiness a
while back. Packets traverse the gif tunnel, get decrypted and then
get rejected by the firewall rules for the external interface.

If you would like a quickie example of ipsec tunnel setup between two
freebsd boxes, let me know.

Sorry, I couldn't really answer why your setup doesn't work after
upgrading to 4.7.

greg
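The ordering point behind this exchange (ipfw is first-match, and the decrypted inner packet is seen on fxp1 where rule 600 catches it unless a narrower allow precedes it), as an added Python model that is not part of this thread or of ipfw: the two gateway addresses, the inner "tcp" packet and the default rule 65535 are constructed placeholders.

```python
import ipaddress

# Constructed ruleset modelled on the thread. Each entry is
# (number, action, proto, src, dst, direction, interface); "ip" and "any"
# are wildcards, direction None means "via" (matches either direction).
RULES = [
    (550, "allow", "esp", "any", "any", None, "fxp1"),                      # Greg's esp rule
    (555, "allow", "ip", "192.168.100.0/24", "10.0.0.0/24", "in", "fxp1"),  # David's narrow allow
    (600, "deny", "ip", "any", "10.0.0.0/8", None, "fxp1"),                 # anti-spoof deny
    (65535, "allow", "ip", "any", "any", None, None),                       # default, constructed
]

def _addr_ok(pattern, addr):
    return pattern == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(pattern)

def first_match(pkt, rules=RULES):
    """Return (rule number, action) of the first rule matching pkt; first match wins."""
    for num, action, proto, src, dst, direction, iface in rules:
        if proto != "ip" and proto != pkt["proto"]:
            continue
        if not (_addr_ok(src, pkt["src"]) and _addr_ok(dst, pkt["dst"])):
            continue
        if direction is not None and direction != pkt["dir"]:
            continue
        if iface is not None and iface != pkt["iface"]:
            continue
        return num, action
    raise ValueError("no rule matched")  # a real ipfw set always ends in a terminal rule

def without_rule(number, rules=RULES):
    """Ruleset with one rule removed, to compare before/after."""
    return [r for r in rules if r[0] != number]

# Constructed packets; gateway addresses are RFC 5737 documentation ranges.
ESP_OUTER = {"proto": "esp", "src": "203.0.113.2", "dst": "198.51.100.1", "dir": "in", "iface": "fxp1"}
DECRYPTED = {"proto": "tcp", "src": "192.168.100.5", "dst": "10.0.0.7", "dir": "in", "iface": "fxp1"}
SPOOFED = {"proto": "tcp", "src": "192.0.2.9", "dst": "10.0.0.7", "dir": "in", "iface": "fxp1"}

if __name__ == "__main__":
    for name, pkt in (("esp outer", ESP_OUTER), ("decrypted inner", DECRYPTED), ("spoofed", SPOOFED)):
        print(name, first_match(pkt), "/ without 555:", first_match(pkt, without_rule(555)))
```

Running it shows that the allow scoped to `in recv fxp1` and the tunnel's own prefixes lets the decrypted packet past rule 600 while other traffic destined for 10/8 arriving on fxp1 is still denied.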