From owner-freebsd-stable  Sat Feb  8  1:22:34 2003
Delivered-To: freebsd-stable@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 8E4F537B401
	for <freebsd-stable@freebsd.org>; Sat,  8 Feb 2003 01:22:33 -0800 (PST)
Received: from i19-069.us.catvmics.ne.jp (i19-069.us.catvmics.ne.jp [202.238.34.69])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 6D90C43FBF
	for <freebsd-stable@freebsd.org>; Sat,  8 Feb 2003 01:22:27 -0800 (PST)
	(envelope-from peterh@sapros.com)
Received: from localhost (localhost [127.0.0.1])
	by i19-069.us.catvmics.ne.jp (8.12.6/8.12.6) with ESMTP id h189MVM7007640;
	Sat, 8 Feb 2003 18:22:32 +0900 (JST)
	(envelope-from peterh@i19-069.us.catvmics.ne.jp)
Message-Id: <200302080922.h189MVM7007640@i19-069.us.catvmics.ne.jp>
To: freebsd-stable@freebsd.org
Cc: Steve Bertrand <iaccounts@northnetworks.ca>
Subject: Re: IPSEC problems after upgrade 
Date: Sat, 08 Feb 2003 18:22:31 +0900
From: Peter Haight <peterh@sapros.com>
Sender: owner-freebsd-stable@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-stable.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-stable>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-stable>
X-Loop: FreeBSD.ORG

I figured out what the problem was, so I thought I'd post the solution
because I never found it when I was searching the archives. Basically, there
was a change to the way IPSEC worked and the end result is that the packets
get run through the firewall after they get decrypted and so they look like
they are coming from an internal network on an external interface and so
they get rejected by a firewall rule that was rejecting private network ip
addresses.

The reason the 'inbound packets violated process security policy' counter
was increasing was because the packets were going through NAT and after
that they didn't match the SPD.

Anyway, I've got everything working again. Someone might want to add a note
to the IPSEC handbook docs explaining about this firewall issue and maybe
the NAT thing as well.

> I've now upgraded two machines that I use as IPSEC tunnel endpoints to
> create a VPN. I used to use a script to setup the VPN that I will post
> below, but that script no longer works and I haven't been able to figure out
> why. Before I upgraded, the VPN was working fine. (Though maybe I had some
> security hole that is now caught by FreeBSD and is preventing my VPN from
> working.)
> 
> ....


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message