Date:      Tue, 19 Nov 2002 15:15:53 -0500
From:      Scott Ullrich <sullrich@CRE8.COM>
To:        'Guido van Rooij' <guido@gvr.org>, Scott Ullrich <sullrich@CRE8.COM>
Cc:        David Kelly <dkelly@hiwaay.net>, 'Archie Cobbs' <archie@dellroad.org>, "'greg.panula@dolaninformation.com'" <greg.panula@dolaninformation.com>, FreeBSD-stable@FreeBSD.ORG
Subject:   RE: IPsec packets seen on wrong interface by ipfw (was Re: IPsec/ gif VPN tunnel packets on wrong NIC in ipfw?)
Message-ID:  <2F6DCE1EFAB3BC418B5C324F13934C9601D23C62@exchange.corp.cre8.com>

Thanks for everyone's help with this.  My problem was that I was using
tunnel instead of transport mode.

Thanks again to Archie and Guido for their help with this!

-Scott


-----Original Message-----
From: Guido van Rooij [mailto:guido@gvr.org] 
Sent: Tuesday, November 19, 2002 2:24 PM
To: Scott Ullrich
Cc: David Kelly; 'Archie Cobbs'; 'greg.panula@dolaninformation.com';
FreeBSD-stable@FreeBSD.ORG
Subject: Re: IPsec packets seen on wrong interface by ipfw (was Re: IPsec/
gif VPN tunnel packets on wrong NIC in ipfw?)


On Tue, Nov 19, 2002 at 02:08:54PM -0500, Scott Ullrich wrote:
> Guido,
> 
> I am using a tunneling device (gif0).
> 
> How are we supposed to fix the issue with your patch installed?  If we 
> need to add more rules, that's fine but what would these rules be?  
> Are they before the divert?  After the divert, etc?

What divert? There should not be a need for a divert.

If you have a gif tunnel for ESP (like I described in a mail I just
sent):
Let's examine the following situation:
interfaces: fxp0, gif0

gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
        tunnel inet 192.168.100.1 --> 192.168.100.2 
        inet 10.0.0.1 --> 10.0.1.1 netmask 0xffffff00

fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 192.168.100.1 netmask 0xffffff00 broadcast 192.168.100.255

Then suppose I have ESP between 10.0.0.1 and 10.0.1.1.

Then you should have rules allowing IPSECed packets in and out of fxp0,
rules allowing UDP traffic on port 500 in and out (ISAKMP) and rules in and
out from the gif device for the unencrypted packets.

You can use tcpdump to see what is on which interface.

Let me state that I am not an ipfw developer. But if tcpdump shows a packet
coming in or going out an interface, then ipfw should be able to filter
that packet _on that interface_.

-Guido
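As an added example (not code from the thread or from FreeBSD), assuming the fxp0/gif0 layout Guido shows above: a POSIX sh generator for the three rule groups he lists (ESP on the physical interface, ISAKMP on UDP 500, cleartext on the gif device), plus a check over tcpdump lines that flags a packet seen on the interface the ruleset does not expect. Rule numbers, the /24 inner networks and the function names are my choices.

```shell
#!/bin/sh
# Added example: ipfw rules for an ESP-protected gif tunnel, following the
# three rule groups described in the thread. Rule numbers are arbitrary.

# ipsec_gif_rules OUTER_IF INNER_IF LOCAL_NET REMOTE_NET [FIRST_RULE]
# Prints rules in ipfw(8) file syntax, i.e. load with: ipfw /path/to/file
ipsec_gif_rules() {
    [ $# -ge 4 ] || { echo "usage: ipsec_gif_rules outer inner lnet rnet [n]" >&2; return 1; }
    outer=$1 inner=$2 lnet=$3 rnet=$4 n=${5:-1000}
    # 1. the encrypted packets travel on the physical interface as ESP (proto 50)
    echo "add $n allow esp from any to any via $outer"
    # 2. ISAKMP/IKE negotiates the SAs over UDP port 500 on that same interface
    echo "add $((n + 10)) allow udp from any 500 to any 500 via $outer"
    # 3. the cleartext packets are seen on the gif device, in both directions
    echo "add $((n + 20)) allow ip from $lnet to $rnet out via $inner"
    echo "add $((n + 30)) allow ip from $rnet to $lnet in via $inner"
}

# capture_ok IFACE OUTER_IF INNER_IF TCPDUMP_LINE
# Checks one line of "tcpdump -ni IFACE" output against the ruleset's
# expectation: ESP and ISAKMP belong on the outer interface, anything else
# (the decrypted/cleartext traffic) belongs on the gif. Returns 0 when the
# packet is on the expected interface, 1 when it is on the wrong one.
capture_ok() {
    iface=$1 outer=$2 inner=$3 line=$4
    case $line in
        *"ESP(spi="*) [ "$iface" = "$outer" ] ;;
        *isakmp*)     [ "$iface" = "$outer" ] ;;
        *)            [ "$iface" = "$inner" ] ;;
    esac
}

# Stand-alone use: sh thisfile fxp0 gif0 10.0.0.0/24 10.0.1.0/24 > ipfw.ipsec
if [ $# -ge 4 ]; then ipsec_gif_rules "$@"; fi
```

Pipe `tcpdump -ni fxp0` and `tcpdump -ni gif0` output through `capture_ok` with the matching interface name to spot cleartext inner-network packets on the physical interface or ESP on the gif.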
