From owner-freebsd-stable Fri Nov 15 6:55:37 2002
Delivered-To: freebsd-stable@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4BCC537B401 for ; Fri, 15 Nov 2002 06:55:35 -0800 (PST)
Received: from grumpy.dyndns.org (user-24-214-34-52.knology.net [24.214.34.52]) by mx1.FreeBSD.org (Postfix) with ESMTP id E566743E3B for ; Fri, 15 Nov 2002 06:55:33 -0800 (PST) (envelope-from dkelly@grumpy.dyndns.org)
Received: from grumpy.dyndns.org (localhost [127.0.0.1]) by grumpy.dyndns.org (8.12.6/8.12.6) with ESMTP id gAFErggx004142; Fri, 15 Nov 2002 08:53:42 -0600 (CST) (envelope-from dkelly@grumpy.dyndns.org)
Received: (from dkelly@localhost) by grumpy.dyndns.org (8.12.6/8.12.6/Submit) id gAFErgpl004141; Fri, 15 Nov 2002 08:53:42 -0600 (CST)
Date: Fri, 15 Nov 2002 08:53:42 -0600
From: David Kelly
To: Greg Panula
Cc: FreeBSD-stable@FreeBSD.ORG
Subject: Re: IPsec/gif VPN tunnel packets on wrong NIC in ipfw?
Message-ID: <20021115145342.GA4032@grumpy.dyndns.org>
References: <200211142157.57459.dkelly@HiWAAY.net> <3DD4F4D1.83C77B0@dolaninformation.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <3DD4F4D1.83C77B0@dolaninformation.com>
User-Agent: Mutt/1.4i
Sender: owner-freebsd-stable@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

On Fri, Nov 15, 2002 at 07:21:21AM -0600, Greg Panula wrote:
> David Kelly wrote:
> >
> > Ran cvsup this morning (11/14/2002), built world, installed world, built
> > and installed new kernel, forgot mergemaster, rebooted, and my VPN to
> > another FreeBSD box was not working. Did not update the other box.

[...]

> > No doubt I'm lost as to how IPsec packets traverse thru these layers.
> > When setting the system up was surprised to find nothing came thru
> > gif0. At least nothing ipfw sees.
> gif tunnels aren't really needed for passing IPSec traffic between
> locations. I have stopped using them.

Game for any solution. For all I know the gif tunnel isn't doing anything
as I never see any packets over that device. Actually I'd *like* to see
the packets via gif0 simply because they are not really fxp0 or fxp1
packets until inserted on the internal network.

> You might try adding an allow rule for esp traffic just before your rule
> 600.

My ESP rule is after 600, after divert, and is working. The problem is
that the tunneled packets re-routed thru IPFW after being un-tunneled are
appearing on the external NIC when previously they were on the internal
NIC. It is only the incoming packets from the remote internal private
network which are appearing on the wrong NIC.

> Something like:
> ipfw add 550 allow esp from to out via fxp1
> ipfw add 555 allow esp from to in via fxp1

Have those already, pretty far down the page, and they appear to be fairly
active:

05800 678 127611 allow udp from me 500 to 500 via fxp1
05900 327 100572 allow udp from 500 to me 500 via fxp1

> If you are using gif tunnels for passing your ipsec traffic thru you
> might want to try not using them. I ran into some similar funkiness a
> while back. Packets traverse the gif tunnel, get decrypted and then get
> rejected by the firewall rules for the external interface.
>
> If you would like a quickie example of ipsec tunnel setup between two
> freebsd boxes, let me know.

Have a suspicion I'm not really using gif although I've configured the
interfaces. Earlier yesterday found I had not updated an IP address in
the gif0 device which changed a month or two prior. Yet things were still
working. So yes, please, I'd like to see your notes on how to IPsec
tunnel without gif.

> Sorry, I couldn't really answer why your setup doesn't work after
> upgrading to 4.7.

That others have had similar problems and might have a way to deal with
it is all I expected.
That I've raised a flag and later someone else has the same thing happen,
or the developers "get curious" and look closer inside, would be icing on
the cake.

Have an inside "test box" on which I build -stable and play around a bit
before doing the same to the important production machines. Tested before
updating. Problem is I don't test the tunnel. Henceforth that will change.

--
David Kelly N4HHE, dkelly@hiwaay.net
=====================================================================
The human mind ordinarily operates at only ten percent of its capacity
-- the rest is overhead for the operating system.
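A sketch, added here and not from either poster, of the gif-less ipfw rule shape the thread is circling: IKE and ESP permitted only between the two gateways on fxp1, the decapsulated private-net traffic matched narrowly by its inner addresses instead of with a blanket allow on the external NIC, and spoofed private sources logged so they surface in "ipfw show" counters. Interface names follow the thread; every address and rule number is a placeholder, and the layout follows the /etc/rc.firewall convention of a ${fwcmd} variable so the rules can be previewed with fwcmd=echo.

```shell
#!/bin/sh
# Constructed example (not from the thread): gif-less IPsec tunnel rules
# for ipfw, laid out like /etc/rc.firewall. Interface names follow the
# thread; every address and rule number is a placeholder.
fwcmd="${fwcmd:-/sbin/ipfw}"   # set fwcmd=echo to preview without loading

ext_if="fxp1"               # external NIC (as in the thread)
int_if="fxp0"               # internal NIC (as in the thread)
local_gw="192.0.2.10"       # placeholder: this gateway's public address
remote_gw="198.51.100.20"   # placeholder: peer gateway's public address
local_net="10.1.0.0/24"     # placeholder: private net behind this box
remote_net="10.2.0.0/24"    # placeholder: private net behind the peer

vpn_rules() {
    # IKE (UDP 500) only between the two gateways, not from anywhere.
    ${fwcmd} add 500 allow udp from ${local_gw} 500 to ${remote_gw} 500 out via ${ext_if}
    ${fwcmd} add 501 allow udp from ${remote_gw} 500 to ${local_gw} 500 in via ${ext_if}
    # ESP likewise pinned to the gateway pair.
    ${fwcmd} add 510 allow esp from ${local_gw} to ${remote_gw} out via ${ext_if}
    ${fwcmd} add 511 allow esp from ${remote_gw} to ${local_gw} in via ${ext_if}
    # Decapsulated inner packets re-enter ipfw; the thread reports them
    # arriving "in via" the external NIC on 4.7. Match them by the inner
    # nets instead of opening ${ext_if} wide. ipfw cannot tell a decrypted
    # packet from a clear-text one spoofing these addresses by address
    # alone, so the IPsec policy (setkey spdadd ... require) must stay in
    # place to refuse the latter.
    ${fwcmd} add 520 allow ip from ${remote_net} to ${local_net} in via ${ext_if}
    ${fwcmd} add 521 allow ip from ${local_net} to ${remote_net} out via ${ext_if}
    # Private sources headed anywhere else on the external NIC are bogus;
    # log them so they show up in "ipfw show" counters and syslog.
    ${fwcmd} add 530 deny log ip from ${remote_net} to any in via ${ext_if}
    ${fwcmd} add 531 deny log ip from ${local_net} to any in via ${ext_if}
    # The clear-text legs on the internal NIC.
    ${fwcmd} add 540 allow ip from ${local_net} to ${remote_net} in via ${int_if}
    ${fwcmd} add 541 allow ip from ${remote_net} to ${local_net} out via ${int_if}
}

# Load only when invoked as "sh thisfile load"; sourcing just defines vpn_rules.
if [ "${1:-}" = "load" ]; then
    vpn_rules
fi
```

After loading, "ipfw show" gives per-rule packet counters like the ones quoted in the thread, so a tunnel that has gone quiet shows up as rule 520 no longer incrementing while 511 still does.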