From owner-freebsd-stable Sat Feb 8 1:22:34 2003
Delivered-To: freebsd-stable@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 8E4F537B401 for ; Sat, 8 Feb 2003 01:22:33 -0800 (PST)
Received: from i19-069.us.catvmics.ne.jp (i19-069.us.catvmics.ne.jp [202.238.34.69]) by mx1.FreeBSD.org (Postfix) with ESMTP id 6D90C43FBF for ; Sat, 8 Feb 2003 01:22:27 -0800 (PST) (envelope-from peterh@sapros.com)
Received: from localhost (localhost [127.0.0.1]) by i19-069.us.catvmics.ne.jp (8.12.6/8.12.6) with ESMTP id h189MVM7007640; Sat, 8 Feb 2003 18:22:32 +0900 (JST) (envelope-from peterh@i19-069.us.catvmics.ne.jp)
Message-Id: <200302080922.h189MVM7007640@i19-069.us.catvmics.ne.jp>
To: freebsd-stable@freebsd.org
Cc: Steve Bertrand
Subject: Re: IPSEC problems after upgrade
Date: Sat, 08 Feb 2003 18:22:31 +0900
From: Peter Haight
Sender: owner-freebsd-stable@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

I figured out what the problem was, so I thought I'd post the solution, because I never found it when I was searching the archives.

Basically, there was a change to the way IPSEC worked, and the end result is that the packets get run through the firewall after they get decrypted, so they look like they are coming from an internal network on an external interface, and so they get rejected by a firewall rule that was rejecting private network IP addresses.

The reason the 'inbound packets violated process security policy' counter was increasing was because the packets were going through NAT, and after that they didn't match the SPD.

Anyway, I've got everything working again. Someone might want to add a note to the IPSEC handbook docs explaining this firewall issue and maybe the NAT thing as well.

> I've now upgraded two machines that I use as IPSEC tunnel endpoints to
> create a VPN. I used to use a script to set up the VPN that I will post
> below, but that script no longer works and I haven't been able to figure out
> why. Before I upgraded, the VPN was working fine. (Though maybe I had some
> security hole that is now caught by FreeBSD and is preventing my VPN from
> working.)
>
> ....

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-stable" in the body of the message
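The firewall behaviour described in the message above, modelled as an added example that is not part of the original post or of FreeBSD's ipfw: a first-match ruleset is run once over the ESP packet and a second time over the decrypted inner packet, which still carries the external interface as its receive interface but now has a private source address, so an early anti-spoofing rule drops it. The interface name `ext0`, the rule numbers, and the addresses (local LAN 192.168.1.0/24, peer LAN 192.168.2.0/24, public endpoints in documentation ranges) are invented for illustration; the "ipsec-processed" flag stands in for whatever the real stack marks on a decapsulated packet.

```python
"""First-match firewall model (added example; not code from the list post or from ipfw).

Shows why a decrypted IPsec tunnel packet is rejected by an anti-spoofing rule,
and how to accept it without re-opening the spoofing hole: only packets that
actually came out of IPsec processing may bypass the anti-spoofing rule.
All names, numbers and addresses here are invented for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, List, Optional


@dataclass
class Packet:
    src: str
    dst: str
    iface: str            # interface the packet is received on
    proto: str            # "esp", "tcp", ...
    ipsec: bool = False   # True once the packet has been IPsec-decapsulated


@dataclass
class Rule:
    number: int
    action: str           # "allow" or "deny"
    match: Callable[[Packet], bool]
    text: str             # human-readable form, ipfw-like but hypothetical


PRIVATE = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LOCAL_LAN = ip_network("192.168.1.0/24")   # hypothetical LAN behind this endpoint
PEER_LAN = ip_network("192.168.2.0/24")    # hypothetical LAN behind the other endpoint


def private_src(p: Packet) -> bool:
    return any(ip_address(p.src) in n for n in PRIVATE)


def tunnel_traffic(p: Packet) -> bool:
    return ip_address(p.src) in PEER_LAN and ip_address(p.dst) in LOCAL_LAN


def evaluate(rules: List[Rule], p: Packet) -> Optional[int]:
    """Return the number of the first matching rule (first match wins)."""
    for r in sorted(rules, key=lambda r: r.number):
        if r.match(p):
            return r.number
    return None


def action_for(rules: List[Rule], p: Packet) -> str:
    n = evaluate(rules, p)
    return next(r.action for r in rules if r.number == n)


# The ruleset as it was before the fix: the anti-spoofing rule (200) sits
# before the tunnel-allow rule (300), so the decrypted inner packet never
# reaches rule 300.
ORIGINAL = [
    Rule(100, "allow", lambda p: p.proto == "esp", "allow esp from any to me"),
    Rule(200, "deny", lambda p: p.iface == "ext0" and private_src(p),
         "deny ip from private-nets to any in via ext0   # anti-spoofing"),
    Rule(300, "allow", tunnel_traffic, "allow ip from peer-lan to local-lan"),
    Rule(65535, "deny", lambda p: True, "deny ip from any to any"),
]

# The fix: accept decrypted tunnel traffic *before* the anti-spoofing rule,
# but only when it has been IPsec-processed, so a forged cleartext packet
# with a private source arriving on ext0 is still dropped by rule 200.
FIXED = [ORIGINAL[0],
         Rule(150, "allow", lambda p: p.ipsec and tunnel_traffic(p),
              "allow ip from peer-lan to local-lan in via ext0 ipsec-processed"),
         ] + ORIGINAL[1:]

# Constructed packets for the three cases that matter.
ESP_OUTER = Packet("203.0.113.7", "198.51.100.9", "ext0", "esp")                 # first pass
DECRYPTED = Packet("192.168.2.10", "192.168.1.20", "ext0", "tcp", ipsec=True)    # second pass
SPOOFED = Packet("192.168.2.10", "192.168.1.20", "ext0", "tcp", ipsec=False)     # attacker, in the clear


def demo() -> dict:
    return {
        "orig_esp": action_for(ORIGINAL, ESP_OUTER),          # allow
        "orig_decrypted": action_for(ORIGINAL, DECRYPTED),    # deny: the symptom from the post
        "fixed_decrypted": action_for(FIXED, DECRYPTED),      # allow
        "fixed_spoofed": action_for(FIXED, SPOOFED),          # deny: anti-spoofing still holds
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

The point of the extra `ipsec` condition on rule 150 is the caveat a practitioner should keep in mind: simply moving a plain "allow from peer-lan in via ext0" rule above the anti-spoofing rule would make the firewall accept any cleartext packet forged with a peer-LAN source address on the external interface. Real ipfw2 offers an `ipsec` match option for exactly this purpose (it matches only packets that have received IPsec processing); on a stack that exposes the tunnel as its own interface, matching on that interface instead of `ext0` achieves the same separation. The NAT symptom from the post is a separate ordering problem: if a divert/NAT rule rewrites addresses before the packet is compared against the SPD, the rewritten packet no longer matches the policy and is counted as a violation.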