From owner-freebsd-questions@FreeBSD.ORG Wed Apr 16 15:00:04 2008
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 598351065682 for ; Wed, 16 Apr 2008 15:00:04 +0000 (UTC) (envelope-from erik@cepheid.org)
Received: from mail.cepheid.org (aleph.cepheid.org [72.232.60.94]) by mx1.freebsd.org (Postfix) with ESMTP id 419878FC1D for ; Wed, 16 Apr 2008 15:00:04 +0000 (UTC) (envelope-from erik@cepheid.org)
Received: by mail.cepheid.org (Postfix, from userid 1006) id 8E4AB9B4002; Wed, 16 Apr 2008 10:00:03 -0500 (CDT)
Date: Wed, 16 Apr 2008 10:00:03 -0500
From: Erik Osterholm
To: Roman Otsaljuk
Message-ID: <20080416150003.GA16773@aleph.cepheid.org>
Mail-Followup-To: Erik Osterholm, Roman Otsaljuk, freebsd-questions@freebsd.org
References: <4805C08A.1060308@upstar.com.ua> <1208338114.7003.1.camel@norman-laptop> <4805CF37.70008@upstar.com.ua>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <4805CF37.70008@upstar.com.ua>
User-Agent: Mutt/1.4.2.3i
Cc: freebsd-questions@freebsd.org
Subject: Re: FreeBSD7 + pf + ipsec
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions
X-List-Received-Date: Wed, 16 Apr 2008 15:00:04 -0000

On Wed, Apr 16, 2008 at 01:04:39PM +0300, Roman Otsaljuk wrote:
> Norman Maurer wrote:
> > On Wednesday, 16.04.2008, 12:02 +0300, Roman Otsaljuk wrote:
> >
> >> hi all.
> >> i have two localnets linked over ipsec:
> >>
> >> http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/ipsec.html
> >>
> >> network schema:
> >>
> >> 192.168.0.0/24 <---> [192.168.0.12=freebsd=2.2.2.2] <--inet-->
> >> [1.1.1.1=freebsd1=10.31.0.5] <---->10.31.0.5/26
> >>
> >> on both points was 6.2, firewall - pf.
> >> after updating to 7.0 vpn doesn't work:
> >> 0) pings go normal
> >> 0) tcp packets go too, but third packet with R flag:
> >> from 192.168.0.12 try: ssh 10.31.0.42, on second console:
> >> mail# tcpdump -ni gif0
> >> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> >> listening on gif0, link-type NULL (BSD loopback), capture size 68 bytes
> >> 10:49:43.912469 IP 192.168.0.12.63996 > 10.31.0.42.22: S 1756351354:1756351354(0) win 65535
> >> 10:49:43.936245 IP 217.20.174.35 > 195.43.43.238: IP 10.31.0.42.22 > 192.168.0.12.63996: S 4244314344:4244314344(0) ack 1756351355 win 65535 (ipip-proto-4)
> >> 10:49:43.936360 IP 192.168.0.12.63996 > 10.31.0.42.22: R 1318200353:1318200353(0) win 0
> >>
> >> 0) adding the first rule (pass quick all) on both - without changes;
> >> 0) downing pf: in the localnet in which pf is downed - all good.
> >>
> >>
> >> any ideas?
> >>
> >>
> >> p.s. the same if IPsec is replaced by vpnd
> >> sorry for my bad English
> >>
> >
> > FreeBSD 7.0 uses the "new" ipsec implementation (IPSEC_FAST) so you need
> > to allow the ipencap protocol too..
> >
> > Cheers
> > Norman
> >
>
> Does the rule "pass quick all" not allow ipencap?

Try specifying it specifically. I seem to recall that only certain
protocols are passed unless specifically specified, though I can't find
documentation on that.

Erik
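For reference, an added pf.conf fragment (not from anyone in this thread) spelling out what Norman's advice amounts to for the gateway [192.168.0.12=freebsd=2.2.2.2] in Roman's diagram. The interface name em0, the peer address taken from the diagram (1.1.1.1) and the use of IKE on UDP/500 (racoon, as in the linked handbook chapter) are assumptions.

```pf
# Added example: pf.conf fragment for the 2.2.2.2 gateway in the diagram.
# Assumptions (not from the thread): external interface em0, peer 1.1.1.1
# as drawn, keys negotiated by racoon over UDP/500 as in the handbook.
ext_if = "em0"
peer   = "1.1.1.1"
tun_if = "gif0"
lan_a  = "192.168.0.0/24"
lan_b  = "10.31.0.0/26"     # the /26 that contains 10.31.0.5 and 10.31.0.42

# Shape that was sufficient on 6.2: only the ESP payload on the outside.
# With the 7.0 stack the decrypted IP-in-IP datagram (the "ipip-proto-4"
# packet in the tcpdump) is filtered again and is dropped by this ruleset.
#   pass in quick on $ext_if proto esp from $peer to ($ext_if)

# IKE between the two gateways.
pass in  quick on $ext_if proto udp from $peer port 500 to ($ext_if) port 500
pass out quick on $ext_if proto udp from ($ext_if) port 500 to $peer port 500

# The protected traffic as it appears on the wire: ESP (protocol 50) ...
pass in  quick on $ext_if proto esp from $peer to ($ext_if)
pass out quick on $ext_if proto esp from ($ext_if) to $peer

# ... plus the IP-in-IP wrapper that gif puts around the LAN traffic,
# protocol 4, named "ipencap" in /etc/protocols. Pass it explicitly
# rather than relying on a catch-all rule.
pass in  quick on $ext_if proto ipencap from $peer to ($ext_if)
pass out quick on $ext_if proto ipencap from ($ext_if) to $peer

# Filter the LAN-to-LAN traffic itself on the tunnel interface, where the
# inner addresses are visible, rather than on the outer interface.
pass quick on $tun_if from $lan_a to $lan_b
pass quick on $tun_if from $lan_b to $lan_a
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading, and confirm with `tcpdump -ni gif0` that the reply no longer arrives still wrapped as ipip-proto-4.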