Date: Tue, 14 Aug 2007 12:54:59 +0200
From: Eric Masson <emss@free.fr>
To: "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net>
Cc: Mailing List FreeBSD Network <freebsd-net@FreeBSD.org>
Subject: Re: pf rdr statement & ipsec processing interaction
Message-ID: <86fy2mjsho.fsf@srvbsdnanssv.interne.kisoft-services.com>
In-Reply-To: <20070814101809.Q87821@maildrop.int.zabbadoz.net> (Bjoern A. Zeeb's message of "Tue, 14 Aug 2007 10:18:46 +0000 (UTC)")
References: <867inzn945.fsf@srvbsdnanssv.interne.kisoft-services.com> <20070813091634.C87821@maildrop.int.zabbadoz.net> <86k5ryjutw.fsf@srvbsdnanssv.interne.kisoft-services.com> <20070814101809.Q87821@maildrop.int.zabbadoz.net>
"Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net> writes:

> ifconfig enc0 | grep UP
>
> if not, ifconfig enc0 up

Ok, this is better as mpd4 receives l2tp packets, thanks :)

emss@freebsd6:~> sudo /usr/local/sbin/mpd4
Multi-link PPP daemon for FreeBSD

process 1586 started, version 4.2.2 (root@freebsd6 22:09 9-Aug-2007)
CONSOLE: listening on 127.0.0.1 5005
[l2tp1] using interface ng1
[l2tp2] using interface ng2
[l2tp3] using interface ng3
[l2tp4] using interface ng4
[l2tp5] using interface ng5
L2TP: waiting for connection on 10.127.0.1 1701
Incoming L2TP packet from 192.168.1.105 1701

But from the dump on the vxn0 interface, response packets are not passed to
the ipsec layer (192.168.1.105 is the remote XP host):

emss@freebsd6:~> sudo tcpdump -n -i vxn0 not tcp port 22
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on vxn0, link-type EN10MB (Ethernet), capture size 96 bytes
12:43:50.408045 IP 192.168.1.105.500 > 192.168.1.231.500: isakmp: phase 1 I ident
12:43:50.413619 IP 192.168.1.231.500 > 192.168.1.105.500: isakmp: phase 1 R ident
12:43:50.472048 IP 192.168.1.105.500 > 192.168.1.231.500: isakmp: phase 1 I ident
12:43:50.591613 IP 192.168.1.231.500 > 192.168.1.105.500: isakmp: phase 1 R ident
12:43:50.863929 IP 192.168.1.105.500 > 192.168.1.231.500: isakmp: phase 1 I ident[E]
12:43:50.939090 IP 192.168.1.231.500 > 192.168.1.105.500: isakmp: phase 1 R ident[E]
12:43:50.943675 IP 192.168.1.105.500 > 192.168.1.231.500: isakmp: phase 2/others I oakley-quick[E]
12:43:50.961028 IP 192.168.1.231.500 > 192.168.1.105.500: isakmp: phase 2/others R oakley-quick[E]
12:43:50.977231 IP 192.168.1.105.500 > 192.168.1.231.500: isakmp: phase 2/others I oakley-quick[E]
12:43:51.013177 IP 192.168.1.105 > 192.168.1.231: ESP(spi=0x0eb4187d,seq=0x1), length 140
12:43:51.064857 IP 192.168.1.231.1701 > 192.168.1.105.1701: l2tp:[TLS](3/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) |...
12:43:51.960621 IP 192.168.1.105 > 192.168.1.231: ESP(spi=0x0eb4187d,seq=0x2), length 140
12:43:51.962668 IP 192.168.1.231.1701 > 192.168.1.105.1701: l2tp:[TLS](3/0)Ns=1,Nr=1 ZLB
12:43:52.020466 IP 192.168.1.231.1701 > 192.168.1.105.1701: l2tp:[TLS](3/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) |...
12:43:53.942587 IP 192.168.1.105 > 192.168.1.231: ESP(spi=0x0eb4187d,seq=0x3), length 140
12:43:53.943445 IP 192.168.1.231.1701 > 192.168.1.105.1701: l2tp:[TLS](3/0)Ns=1,Nr=1 ZLB
12:43:53.943710 IP 192.168.1.231.1701 > 192.168.1.105.1701: l2tp:[TLS](3/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) |...
12:43:57.742123 IP 192.168.1.105 > 192.168.1.231: ESP(spi=0x0eb4187d,seq=0x4), length 140
12:43:57.745058 IP 192.168.1.231.1701 > 192.168.1.105.1701: l2tp:[TLS](3/0)Ns=1,Nr=1 ZLB
12:43:57.789932 IP 192.168.1.231.1701 > 192.168.1.105.1701: l2tp:[TLS](3/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) |...
12:44:07.186961 IP 192.168.1.231.1701 > 192.168.1.105.1701: l2tp:[TLS](3/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) |...
12:44:07.208935 IP 192.168.1.105 > 192.168.1.231: ESP(spi=0x0eb4187d,seq=0x5), length 140
12:44:07.209418 IP 192.168.1.231.1701 > 192.168.1.105.1701: l2tp:[TLS](3/0)Ns=1,Nr=1 ZLB
12:44:16.802284 IP 192.168.1.231.1701 > 192.168.1.105.1701: l2tp:[TLS](3/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) |...
12:44:16.849849 IP 192.168.1.105 > 192.168.1.231: ESP(spi=0x0eb4187d,seq=0x6), length 140
12:44:16.849860 IP 192.168.1.231.1701 > 192.168.1.105.1701: l2tp:[TLS](3/0)Ns=1,Nr=1 ZLB
12:44:18.808989 IP 192.168.1.105.500 > 192.168.1.231.500: isakmp: phase 2/others I inf[E]
12:44:18.821602 IP 192.168.1.105.500 > 192.168.1.231.500: isakmp: phase 2/others I inf[E]
12:44:26.418196 IP 192.168.1.231.1701 > 192.168.1.105.1701: l2tp:[TLS](3/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) |...
12:44:36.033944 IP 192.168.1.231.1701 > 192.168.1.105.1701: l2tp:[TLS](3/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) |...
I don't really understand here, as the ipsec selectors are the following:

emss@freebsd6:~> sudo /usr/local/sbin/setkey -DP
0.0.0.0/0[any] 192.168.1.231[1701] udp
	in ipsec
	esp/transport//require
	spid=1 seq=2 pid=2086
	refcnt=1
192.168.1.105[1701] 192.168.1.231[1701] udp
	in ipsec
	esp/transport//require
	spid=6 seq=1 pid=2086
	refcnt=1
192.168.1.231[1701] 192.168.1.105[1701] udp
	out ipsec
	esp/transport//require
	spid=7 seq=0 pid=2086
	refcnt=1

So outgoing l2tp packets should be esp transformed, right?

Regards

Éric Masson

--
E> sorry, but I'm not really used to discussion groups
Lesson 1: you reply at the top and delete the message you are replying to
Deleting it makes reading so much easier!!!
-+- DrN in <http://www.le-gnu.net>: Le Neuneu par l'exemple -+-
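The symptom in this message is that the inbound side of the flow arrives as ESP while the outbound L2TP replies leave vxn0 in clear, even though the SPD carries an "out ipsec esp/transport//require" entry for exactly that flow. The script below is an added example (not code from the thread, mpd or FreeBSD) that makes that comparison mechanical: it parses `setkey -DP` output and a `tcpdump -n` capture, maps each clear-text packet to the first SPD entry whose selectors cover it, and reports every packet that a "require" policy should have protected. The sample capture and SPD text are constructed from the lines quoted above; the parser assumes IPv4 only, that tcpdump's `l2tp` and `isakmp` decodes sit on UDP, and that the first matching policy is the one that applies.

```python
"""Compare a tcpdump capture with the IPsec SPD (setkey -DP) and report
clear-text packets that a 'require' policy says should have been ESP."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample input modelled on the thread's output. setkey indents SPD
# entries with tabs; spaces are used here and the parser accepts either.
SAMPLE_CAPTURE = """\
12:43:50.408045 IP 192.168.1.105.500 > 192.168.1.231.500: isakmp: phase 1 I ident
12:43:51.013177 IP 192.168.1.105 > 192.168.1.231: ESP(spi=0x0eb4187d,seq=0x1), length 140
12:43:51.064857 IP 192.168.1.231.1701 > 192.168.1.105.1701: l2tp:[TLS](3/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) |...
"""
SAMPLE_SPD = """\
0.0.0.0/0[any] 192.168.1.231[1701] udp
    in ipsec
    esp/transport//require
    spid=1 seq=2 pid=2086
    refcnt=1
192.168.1.231[1701] 192.168.1.105[1701] udp
    out ipsec
    esp/transport//require
    spid=7 seq=0 pid=2086
    refcnt=1
"""

@dataclass
class Policy:
    src: ipaddress.IPv4Network
    sport: str            # port as text, or "any"
    dst: ipaddress.IPv4Network
    dport: str
    proto: str            # "udp", "tcp", "any", ...
    direction: str        # "in", "out" or "fwd"
    level: Optional[str]  # "require", "use", ...; None for discard/none policies
    spid: int

@dataclass
class Packet:
    line: str
    src: ipaddress.IPv4Address
    sport: Optional[int]
    dst: ipaddress.IPv4Address
    dport: Optional[int]
    proto: str            # "esp", "udp" or "other"

# One SPD entry spans several lines, so the pattern matches across whitespace.
_SPD_RE = re.compile(
    r"(\S+)\[(\S+)\]\s+(\S+)\[(\S+)\]\s+(\S+)\s+(in|out|fwd)\s+(ipsec|discard|none|bypass)"
    r"(?:\s+(?:esp|ah|ipcomp)/(?:transport|tunnel)/[^/\s]*/(\w+))?\s+spid=(\d+)")
_PKT_RE = re.compile(r"^\S+ IP (\S+) > (\S+): (.*)$")

def parse_spd(text: str) -> List[Policy]:
    policies = []
    for m in _SPD_RE.finditer(text):
        src, sport, dst, dport, proto, direction, ptype, level, spid = m.groups()
        policies.append(Policy(ipaddress.ip_network(src, strict=False), sport,
                               ipaddress.ip_network(dst, strict=False), dport,
                               proto, direction, level if ptype == "ipsec" else None, int(spid)))
    return policies

def _endpoint(token: str) -> Tuple[ipaddress.IPv4Address, Optional[int]]:
    """tcpdump -n prints IPv4 endpoints as a.b.c.d or a.b.c.d.port (IPv4 only here)."""
    parts = token.split(".")
    if len(parts) == 5:
        return ipaddress.ip_address(".".join(parts[:4])), int(parts[4])
    return ipaddress.ip_address(token), None

def parse_capture(text: str) -> List[Packet]:
    packets = []
    for line in text.splitlines():
        m = _PKT_RE.match(line)
        if not m:
            continue  # tcpdump banner lines and anything that is not an IP packet
        src, sport = _endpoint(m.group(1))
        dst, dport = _endpoint(m.group(2))
        rest = m.group(3)
        if rest.startswith("ESP("):
            proto = "esp"
        elif rest.startswith(("l2tp", "isakmp")):
            proto = "udp"  # assumption: tcpdump decodes both of these on top of UDP
        else:
            proto = "other"
        packets.append(Packet(line, src, sport, dst, dport, proto))
    return packets

def _port_ok(policy_port: str, pkt_port: Optional[int]) -> bool:
    return policy_port == "any" or (pkt_port is not None and int(policy_port) == pkt_port)

def match_policy(pkt: Packet, policies: List[Policy],
                 local: ipaddress.IPv4Address) -> Optional[Policy]:
    """First SPD entry whose selectors cover the packet (assumption: first match wins)."""
    direction = "out" if pkt.src == local else "in"
    for p in policies:
        if (p.direction == direction and pkt.src in p.src and pkt.dst in p.dst
                and p.proto in ("any", pkt.proto)
                and _port_ok(p.sport, pkt.sport) and _port_ok(p.dport, pkt.dport)):
            return p
    return None

def find_cleartext_violations(capture: str, spd: str, local_addr: str) -> List[Tuple[str, int]]:
    """(capture line, spid) for each clear-text packet a 'require' policy should have covered."""
    local = ipaddress.ip_address(local_addr)
    policies = parse_spd(spd)
    hits = []
    for pkt in parse_capture(capture):
        if pkt.proto == "esp":
            continue  # already protected; the inner selectors are not visible on the wire
        p = match_policy(pkt, policies, local)
        if p is not None and p.level == "require":
            hits.append((pkt.line, p.spid))
    return hits

if __name__ == "__main__":
    for line, spid in find_cleartext_violations(SAMPLE_CAPTURE, SAMPLE_SPD, "192.168.1.231"):
        print(f"clear-text packet despite 'require' policy spid={spid}: {line}")
```

Run against the sample, the only finding is the outbound SCCRP reply matched by spid 7, which is the same discrepancy the message points at. The ISAKMP packet on port 500 is correctly left alone because no SPD entry covers it, and the inbound ESP packets are skipped because the wire shows nothing of their inner selectors. On a real host the capture and SPD would come from `tcpdump -n -i <iface>` and `setkey -DP` rather than the embedded strings.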