Date: Tue, 19 Nov 2002 19:55:35 +0100 From: Guido van Rooij <guido@gvr.org> To: David Kelly <dkelly@hiwaay.net> Cc: Scott Ullrich <sullrich@CRE8.COM>, 'Archie Cobbs' <archie@dellroad.org>, "'greg.panula@dolaninformation.com'" <greg.panula@dolaninformation.com>, FreeBSD-stable@FreeBSD.ORG Subject: Re: IPsec packets seen on wrong interface by ipfw (was Re: IPsec/gif VPN tunnel packets on wrong NIC in ipfw?) Message-ID: <20021119185535.GC43039@gvr.gvr.org> In-Reply-To: <20021119161129.GA63943@grumpy.dyndns.org> References: <2F6DCE1EFAB3BC418B5C324F13934C9601D23C35@exchange.corp.cre8.com> <20021119110336.GA12956@gvr.gvr.org> <200211190754.29355.dkelly@HiWAAY.net> <20021119150826.GA42097@gvr.gvr.org> <20021119161129.GA63943@grumpy.dyndns.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On Tue, Nov 19, 2002 at 10:11:29AM -0600, David Kelly wrote: > > Once the ipsec history is removed from the packet then how/what/where is > the packet tagged as having come from? In my case it appears to have It is tagged as any other packet. > retained properties of the ESP packet it was encased within. Don't > really know as I don't have multiple interfaces with ESP packets. The > system is in production so I can't casually swap interfaces to verify. > > At some point since early October when this system was previously > updated these IPsec packets started appearing on the wrong interface in > ipfw. Currently only one end of my link is updated, the other end is > running with the same configuration it has used for the past 9 months. > With configured (but apparently unused) gif and everything. What do you mean with wrong interface? What I did was remove the ipsec history check in ip_input(). What happens in you case is that ip packet come in, are fed into ipfw, then they are decrypted in esp_input() and then fed into the ip subprotocol directly from esp_input(). The code I removed only appears in the first call to ip_input(), but the code would not have any effect in that case. The only way that this removal could have an effect is when esp_input() called xxx_input() which in turn calls ip_input() again. Since you are not using a tunneling device, this does not happen. -Guido To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-stable" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20021119185535.GC43039>