From: Shoichi Sakane
Date: Tue, 23 Oct 2001 19:41:23 +0900
To: bvi@itouchlabs.com
To: snap-users@kame.net, ipfw@freebsd.org
Subject: Re: (KAME-snap 5576) IPFW/IPSEC/NAT interaction issues with 4.4
In-Reply-To: Your message of "Tue, 23 Oct 2001 10:45:22 +0200" <20011023104522.E87507@itouchlabs.com>
Message-Id: <20011023194123V.sakane@kame.net>
Sender: owner-freebsd-ipfw@FreeBSD.ORG

> I'm hoping someone here can shed some light on a problem I came across this
> morning. I have two VPN gateways connected to Cisco VPN concentrators.
> These are running FreeBSD 4.2-RELEASE and 4.4-RELEASE. The 4.2-based
> gateway has been functioning without hassles for a while now. However, when
> I configured the 4.4-based system this morning, I ran into the problem that
> the IP packets do not seem to be re-injected into the firewall ruleset
> after the ESP decapsulation. The firewall rulesets are identical between
> the systems. This re-injection is necessary for me to be able to then
> place the packet into a divert socket feeding natd, and from there onto the
> client machines behind the VPN gateway.
What was the difference in the output of "netstat" before an encrypted packet arrived at the FreeBSD VPN box and after the packet went away somewhere? I have a report that "unknown/unsupported protocol" in the ipsec section of "netstat" is being counted.
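One way to do the before/after comparison the reply asks for, as an added shell example that is not part of the original thread: it compares two saved `netstat -s -p ipsec` snapshots and prints every counter that moved. The function names `ipsec_counter_delta` and `demo_delta`, the assumed "<count> <description>" line shape and the sample snapshot text are constructed for illustration, not copied from FreeBSD's netstat.

```shell
#!/bin/sh
# Added example: diff two "netstat -s -p ipsec" snapshots taken before and after
# sending traffic through the tunnel, and print every counter that changed.
# Counter lines are assumed to look like "<whitespace><number> <description>".

ipsec_counter_delta() {
    # $1 = snapshot taken before the test packet, $2 = snapshot taken after
    awk '
        FNR == 1 { file++ }
        /^[[:space:]]*[0-9]+ / {
            n = $1; $1 = ""; desc = substr($0, 2)   # strip the count, keep the text
            if (file == 1) before[desc] = n
            else { after[desc] = n; if (!(desc in before)) before[desc] = 0 }
        }
        END {
            for (d in after)
                if (after[d] != before[d])
                    printf "%s: %s -> %s (delta %d)\n", d, before[d], after[d], after[d] - before[d]
        }
    ' "$1" "$2" | sort
}

# Constructed sample snapshots (not real netstat output) so the function can be
# exercised offline; on a FreeBSD gateway use:  netstat -s -p ipsec > before.txt
demo_delta() {
    d=$(mktemp -d "${TMPDIR:-/tmp}/ipsecstat.XXXXXX") || return 1
    cat > "$d/before.txt" <<'EOF'
ipsec:
    120 inbound packets processed successfully
    0 inbound packets with no SA available
    0 inbound packets with an unknown or unsupported protocol
    98 outbound packets processed successfully
EOF
    cat > "$d/after.txt" <<'EOF'
ipsec:
    120 inbound packets processed successfully
    0 inbound packets with no SA available
    5 inbound packets with an unknown or unsupported protocol
    101 outbound packets processed successfully
EOF
    ipsec_counter_delta "$d/before.txt" "$d/after.txt"
    rm -rf "$d"
}

demo_delta
```

A counter such as the "unknown or unsupported protocol" line climbing between the two snapshots is the signal the reply asks the original poster to look for.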