Date:      Tue, 19 Jan 2016 00:02:58 +0100
From:      Andreas Longwitz <longwitz@incore.de>
To:        "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net>
Cc:        freebsd-net@freebsd.org
Subject:   Re: pf not seeing inbound packets coming from IPSec on epair interface
Message-ID:  <569D6F22.1000405@incore.de>
In-Reply-To: <5ADF2343-7643-41ED-B2AE-8A94A3478B95@lists.zabbadoz.net>
References:  <569D0F2F.8060508@incore.de> <5ADF2343-7643-41ED-B2AE-8A94A3478B95@lists.zabbadoz.net>

Hi, thanks for the answer.

>> in the situation
>>        IPSec --> epair0a --> epair0b --> em1
>> pf does not see inbound packets on the interface epair0b, because the
>> epair driver does not clear the flag PACKET_TAG_IPSEC_IN_DONE when it
>> transfers a packet from epair0a to epair0b. The following patch for
>> FreeBSD 10 works for me and is adapted from
>>   lists.freebsd.org/pipermail/freebsd-net/2012-January/031161.html:
> 
> Where does epair get the packet from?  A physical interface bridged to epair?

I use epair on a firewall machine FW running to serve VPNs for iPhones
(IPSec with XAuth). Every user gets an IP (racoon + freeradius) to use
in his tunnel; the tunnel IP of FW is fixed. Different user groups must
connect to different mail servers in my network. FW has two hardware
interfaces em0 (internet) and em1 (intranet), no jails, no bridges. I
use the rdr command of pf on interface epair0b to redirect the user to
the correct mail server before the packets leave my FW on interface em1
(with nat and a pass rule using reply-to (epair0b $ip_epair0a)).

I am not aware of another method to rewrite the destination address of
an IPSec incoming packet on the same machine, therefore the use of epair.

> Hmm, but then if you are using epairs to cross between network stacks, you are
> changing boundaries, indeed, so if you'd run ipsec on a single epair between two
> VNETs, that might be interesting as well?

I think epair should behave identically to em2 + em3 with a crossover
cable, but I do not have enough network interfaces.

> I guess we’ll need to find a couple of these places (epair, bridge, netgraph, …)
> and make sure we strip all of the tags IFF we change the VNET?

I think so. One example is mentioned in
  lists.freebsd.org/pipermail/freebsd-net/2012-January/031161.html
for clients using a VPN with L2TP over IPSec (racoon + mpd5).


Dr. Andreas Longwitz

Data Service GmbH
Beethovenstr. 2A
23617 Stockelsdorf
Amtsgericht Lübeck, HRB 318 BS
Geschäftsführer: Wilfried Paepcke, Dr. Andreas Longwitz, Josef Flatau



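As an added example (not part of the original mail, and not the author's
actual ruleset), the following pf.conf sketch shows the setup the mail
describes in FreeBSD 10 pf syntax: decapsulated IPSec packets are routed
FW-internally through epair0a to epair0b, the rdr on epair0b picks the
mail server per user group, nat rewrites the source before em1, and the
pass rule's reply-to sends the return traffic back through the epair pair.
All addresses, the table names, the port list and the assumption that the
address the clients send mail to is routed via epair0a are made up for
illustration; the interface names em0, em1, epair0a and epair0b and the
macro $ip_epair0a come from the mail.

```conf
# Added example, not from the original mail. FreeBSD 10 pf.conf layout:
# macros, tables, then translation rules (rdr/nat), then filter rules.
# Every address below is an assumption chosen for the example.

ext_if      = "em0"            # internet side (from the mail)
int_if      = "em1"            # intranet side (from the mail)
ip_epair0a  = "10.255.0.1"     # assumed address of epair0a on FW
ip_epair0b  = "10.255.0.2"     # assumed address of epair0b on FW
vpn_net     = "10.10.0.0/16"   # assumed pool that racoon/freeradius hands out
mail_vip    = "10.255.1.25"    # assumed "mail server" address the phones use;
                               # assumed to be routed on FW via epair0a
mail_group1 = "192.168.1.25"   # assumed real mail server for group 1
mail_group2 = "192.168.2.25"   # assumed real mail server for group 2
mail_ports  = "{ 25, 587, 993 }"

# Assumed mapping of tunnel IPs to user groups (the per-user IP comes from
# freeradius, so a group can be expressed as a pool or a table of addresses).
table <group1> { 10.10.1.0/24 }
table <group2> { 10.10.2.0/24 }

# The packet has already crossed epair0a -> epair0b inside FW, so pf sees it
# as inbound on epair0b. This is the point where the packet must no longer
# carry the PACKET_TAG_IPSEC_IN_DONE tag, otherwise pf never sees it here.
rdr on epair0b inet proto tcp from <group1> to $mail_vip port $mail_ports -> $mail_group1
rdr on epair0b inet proto tcp from <group2> to $mail_vip port $mail_ports -> $mail_group2

# Source NAT on the intranet interface so the mail servers answer to FW.
nat on $int_if inet from $vpn_net to any -> ($int_if)

# Filter rules see the translated destination. reply-to makes the answers
# for this state go back out epair0b towards epair0a instead of following
# the default route, which is what carries them back into the IPSec path.
pass in quick on epair0b reply-to (epair0b $ip_epair0a) inet proto tcp \
    from $vpn_net to { $mail_group1, $mail_group2 } port $mail_ports keep state
pass out quick on $int_if inet proto tcp \
    from ($int_if) to { $mail_group1, $mail_group2 } port $mail_ports keep state
```

Note that the two rdr rules are the whole reason for the epair detour:
without an interface on which the decapsulated packet is seen as inbound
again, there is no place to attach a per-group rdr on the same machine.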