From: "Patrick M. Hausen"
Message-Id: <200211211504.gALF4Sej086710@hugo10.ka.punkt.de>
Subject: Re: IPsec/gif VPN tunnel packets on wrong NIC in ipfw? SOLUTION AND QUESTIONS
In-Reply-To: <20021121145332.GA57883@grumpy.dyndns.org>
To: David Kelly
Date: Thu, 21 Nov 2002 16:04:28 +0100 (CET)
Cc: "Patrick M. Hausen", Helge Oldach, archie@dellroad.org, guido@gvr.org, sullrich@CRE8.COM, greg.panula@dolaninformation.com, FreeBSD-stable@FreeBSD.ORG

Hi!

> Glad I didn't know this in advance as that is exactly what I believe I
> have. Two FreeBSD systems, one on each end connected to cable modem.
> About 8 machines behind one on 192.168.100.0/24 and 10 or 15 behind the
> other on 10.0.0.0/24. An ESP tunnel between.

;-)

> Other than my decrypted packets have started appearing to ipfw as if
> they were coming from fxp1 (which is what started this mess) everything
> else is working just fine.
It is only filtering the decrypted packets that I'm talking about all the time. It's impossible to build a filter that says:

- ESP from my peer is OK
- 10... to 192.168... is OK if it's coming out of the ESP tunnel
- 10... to 192.168... is _not_ OK if it's coming in my external IF in plain text

If you want to allow the decrypted traffic in, you have to allow all traffic with identical addresses, even if it hasn't arrived through the ESP tunnel but just came to the outside IF of your network by some other route.

Regards,
Patrick M. Hausen
Technical Director

--
punkt.de GmbH             Internet - Dienstleistungen - Beratung
Scheffelstr. 17 a         Tel. 0721 9109 -0 Fax: -100
76135 Karlsruhe           http://punkt.de