Date: Sat, 08 Feb 2003 18:22:31 +0900
From: Peter Haight <peterh@sapros.com>
To: freebsd-stable@freebsd.org
Cc: Steve Bertrand <iaccounts@northnetworks.ca>
Subject: Re: IPSEC problems after upgrade
Message-ID: <200302080922.h189MVM7007640@i19-069.us.catvmics.ne.jp>
I figured out what the problem was, so I thought I'd post the solution because I never found it when I was searching the archives.

Basically, there was a change to the way IPSEC worked and the end result is that the packets get run through the firewall after they get decrypted, and so they look like they are coming from an internal network on an external interface, and so they get rejected by a firewall rule that was rejecting private network IP addresses. The reason the 'inbound packets violated process security policy' counter was increasing was because the packets were going through NAT and after that they didn't match the SPD.

Anyway, I've got everything working again. Someone might want to add a note to the IPSEC handbook docs explaining about this firewall issue and maybe the NAT thing as well.

> I've now upgraded two machines that I use as IPSEC tunnel endpoints to
> create a VPN. I used to use a script to set up the VPN that I will post
> below, but that script no longer works and I haven't been able to figure out
> why. Before I upgraded, the VPN was working fine. (Though maybe I had some
> security hole that is now caught by FreeBSD and is preventing my VPN from
> working.)
>
> ....
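The rule-ordering problem the message describes, as an added illustration that is not code from the original post or from FreeBSD: a small first-match packet filter model in Python (ipfw-like semantics, not ipfw itself), with constructed addresses and an assumed external interface name, showing the decrypted inner packet being caught by the private-network deny rule on the external interface unless a tunnel-specific allow rule comes first.

```python
"""Model of the post-decryption firewall pass described in the message.

Added illustration, not the poster's configuration. Rules, addresses and
the interface name are constructed assumptions for the example.
"""
from ipaddress import ip_address, ip_network

EXT_IF = "fxp0"                              # assumed external interface
LOCAL_LAN = ip_network("192.168.1.0/24")     # constructed tunnel networks
REMOTE_LAN = ip_network("192.168.2.0/24")
PRIVATE = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
           ip_network("192.168.0.0/16")]

# rule = (action, proto, src_net, dst_net, iface); None matches anything
def matches(rule, pkt):
    _, proto, src, dst, iface = rule
    return ((proto is None or proto == pkt["proto"])
            and (src is None or ip_address(pkt["src"]) in src)
            and (dst is None or ip_address(pkt["dst"]) in dst)
            and (iface is None or iface == pkt["iface"]))

def filter_packet(rules, pkt):
    """First matching rule decides; default deny, as a closed firewall would."""
    for rule in rules:
        if matches(rule, pkt):
            return rule[0]
    return "deny"

def anti_spoof_rules():
    # Reject private source addresses arriving on the external interface.
    return [("deny", None, net, None, EXT_IF) for net in PRIVATE]

# Broken ordering: only the ESP envelope is allowed; the decrypted inner
# packet, re-presented on the same interface, hits the private-net deny.
RULES_BROKEN = [("allow", "esp", None, None, EXT_IF)] + anti_spoof_rules()

# Working ordering: pass the tunnel's inner networks before the deny rules.
RULES_FIXED = ([("allow", "esp", None, None, EXT_IF),
                ("allow", None, REMOTE_LAN, LOCAL_LAN, EXT_IF)]
               + anti_spoof_rules())

# Constructed packets: the ESP envelope between public endpoints, and the
# inner packet as the filter sees it after decryption.
ESP_PKT = {"proto": "esp", "src": "203.0.113.5", "dst": "198.51.100.7", "iface": EXT_IF}
INNER_PKT = {"proto": "ip", "src": "192.168.2.10", "dst": "192.168.1.20", "iface": EXT_IF}

def tunnel_verdicts(rules):
    """Return (verdict for the ESP envelope, verdict for the decrypted packet)."""
    return filter_packet(rules, ESP_PKT), filter_packet(rules, INNER_PKT)

if __name__ == "__main__":
    print("broken:", tunnel_verdicts(RULES_BROKEN))   # ('allow', 'deny')
    print("fixed: ", tunnel_verdicts(RULES_FIXED))    # ('allow', 'allow')
```

The fixed ordering still rejects private sources that are not part of the tunnel, so the anti-spoofing protection is kept for everything except the explicitly allowed tunnel networks.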