From: "Cambria, Mike" <mcambria@avaya.com>
To: Archie Cobbs, Guido van Rooij
Cc: David Kelly, Scott Ullrich, greg.panula@dolaninformation.com, FreeBSD-stable@FreeBSD.ORG
Subject: RE: IPsec/gif VPN tunnel packets on wrong NIC in ipfw?
Date: Tue, 19 Nov 2002 15:35:31 -0500

> -----Original Message-----
> From: Archie Cobbs [mailto:archie@dellroad.org]
>
> I think the bug is that in esp4_input() the "detunneled" packet
> is placed back onto the IP input queue 'ipintrq' without the
> 'm->m_pkthdr.rcvif' being updated to point to the gif interface.

Is the packet _always_ placed back on ipintrq?

This thread helped me with a problem I had. Since moving from 4.6-Stable (cvsup'ed just after 4.6.2-Rel) to 4.7 a day ago, I found out that I now need to put ipfw rules in for traffic leaving the IPsec tunnel (IPsec tunnel mode, not gif + IPIP tunnels for IPsec transport mode). The rules work _except_ in one case: when the end of the tunnel is also the end of the encapsulated traffic.

Specifically, when I telnet to the tunnel endpoint itself, and there is an IPsec SPD entry to match on telnet traffic from any port on the source machine to port 23 on the tunnel endpoint machine. If the packet always goes back onto the IP input queue, I can't see why this traffic doesn't make it while packets routed through the machine work.

Thanks,
MikeC