Hello guys,
I'm running FreeBSD 8.0 and I am experiencing a problem with pf.
The network configuration is the following:
NetworkA (ipv6) <=> gwA (openbsd) <=> wan (ipv6/ipsec) <=> gwB (freebsd) <=> NetworkB (ipv6)
OpenBSD is running isakmpd, and seems to be working well. FreeBSD is running racoon (ipsec-tools from ports).
Without pf enabled on FreeBSD, the IPv6/IPsec tunnel works well (tcpdump confirms it): machines on NetworkB can access NetworkA and machines on NetworkA can access NetworkB.
Code:
23:30:00.815393 IP6 freebsd > openbsd: ESP pi=0x0b9ef32c,seq=0xe), length 92
23:30:00.815546 IP6 openbsd > freebsd: ESP spi=0xf3cb2428,seq=0x1a), length 92
With pf enabled: tcpdump continues to show similar packets, and machines on NetworkA continue to access NetworkB, BUT machines on NetworkB are blocked by pf, for a singular reason.
pflog shows unencrypted packets from NetworkA to NetworkB. Example of an ssh connection initiated from NetworkB to NetworkA (this applies to all protocols except ICMP):
Code:
00:00:00.000000 IP6 MachineA.ssh > MachineB.52719: Flags [S.], seq 1862827950, ack 2014870766, win 5712, options [mss 1440,sackOK,TS val 211216935 ecr 257703668,nop,wscale 4], length 0
Please note the source port.
I've run tcpdump on OpenBSD, and no packet is transmitted in clear from NetworkA to NetworkB. pf is enabled on OpenBSD. I don't think OpenBSD is the problem.
When pf is disabled on FreeBSD, there is no packet transmitted in clear from NetworkA to NetworkB: only encrypted packets from gwA to gwB and from gwB to gwA.
So I think there is a problem after decryption of the packet by racoon. But I don't see why.
For information: a sample of the pf.conf which causes the problem.
Code:
ext_if="sis0"
int_if="sis1"
set skip on { lo0 enc0 }
set state-policy if-bound
set block-policy return
scrub in all
block in log (all, to pflog0)
pass out keep state
pass in on $ext_if keep state
pass in on $int_if keep state
Any advice?
Thanks.
Christophe.
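As an added check (not from Christophe's post), here is a small Python classifier for tcpdump output captured on the WAN side of either gateway. It encodes the property the poster verified by hand on OpenBSD: on the wire between gwA and gwB only ESP between the two gateways should be visible, and any cleartext packet between a NetworkA host and a NetworkB host is a tunnel leak worth investigating. The hostnames (openbsd, freebsd, MachineA, MachineB and so on) and the sample capture lines are constructed for the example and assume short hostnames or tcpdump -n, so that the last dotted label of an endpoint is the port.

```python
"""Classify tcpdump IP6 lines from a tunnel gateway's external interface.

Added example, not code from the original post. Every name and packet
below is constructed; adapt GATEWAYS / NETWORK_A / NETWORK_B to a real site.
"""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumed names (not from the post): the two tunnel gateways and the
# hosts that belong to each protected network.
GATEWAYS = {"openbsd", "freebsd"}
NETWORK_A = {"MachineA", "MachineA2"}
NETWORK_B = {"MachineB", "MachineB2"}

# "<timestamp> IP6 <src> > <dst>: <payload>", as tcpdump prints it.
# dst is matched non-greedily so IPv6 addresses with colons still work.
LINE_RE = re.compile(r"^(?P<ts>\S+) IP6 (?P<src>\S+) > (?P<dst>\S+?): (?P<rest>.*)$")

ESP_TUNNEL = "esp-tunnel"                  # expected: ESP between the two gateways
CLEARTEXT_INTERNAL = "cleartext-internal"  # unexpected: NetworkA <-> NetworkB in clear
OTHER = "other"                            # anything else (management, gateway's own traffic)

# Constructed sample capture in tcpdump's IP6 output format.
SAMPLE_CAPTURE = """\
23:30:00.815393 IP6 freebsd > openbsd: ESP(spi=0x0b9ef32c,seq=0xe), length 92
23:30:00.815546 IP6 openbsd > freebsd: ESP(spi=0xf3cb2428,seq=0x1a), length 92
00:00:00.000000 IP6 MachineA.ssh > MachineB.52719: Flags [S.], seq 1862827950, ack 2014870766, win 5712, options [mss 1440,sackOK,TS val 211216935 ecr 257703668,nop,wscale 4], length 0
00:00:00.000100 IP6 MachineB.52719 > MachineA.ssh: Flags [.], ack 1, win 1024, length 0
00:00:00.000200 IP6 MachineB > MachineA: ICMP6, echo request, seq 1, length 16
00:00:00.000300 IP6 freebsd.ntp > MachineB.ntp: NTPv4, Client, length 48
"""


@dataclass
class Packet:
    ts: str
    src_host: str
    src_port: Optional[str]
    dst_host: str
    dst_port: Optional[str]
    esp: bool
    verdict: str


def split_endpoint(endpoint: str) -> Tuple[str, Optional[str]]:
    """Split tcpdump's 'host.port' form into (host, port).

    Assumes short hostnames or -n, so a trailing dotted label that is a
    number or a service name is the port; endpoints without one are left whole.
    """
    host, dot, port = endpoint.rpartition(".")
    if dot and (port.isdigit() or port.isalpha()):
        return host, port
    return endpoint, None


def classify(src_host: str, dst_host: str, esp: bool) -> str:
    """Decide whether a packet is expected tunnel traffic or a cleartext leak."""
    if esp and src_host in GATEWAYS and dst_host in GATEWAYS:
        return ESP_TUNNEL
    a_to_b = src_host in NETWORK_A and dst_host in NETWORK_B
    b_to_a = src_host in NETWORK_B and dst_host in NETWORK_A
    if not esp and (a_to_b or b_to_a):
        return CLEARTEXT_INTERNAL
    return OTHER


def parse_line(line: str) -> Optional[Packet]:
    """Parse one tcpdump line; returns None for non-packet lines (banners etc.)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    esp = m.group("rest").startswith("ESP")
    if esp:  # ESP lines carry no ports, only the gateway endpoints
        src_host, src_port = m.group("src"), None
        dst_host, dst_port = m.group("dst"), None
    else:
        src_host, src_port = split_endpoint(m.group("src"))
        dst_host, dst_port = split_endpoint(m.group("dst"))
    return Packet(m.group("ts"), src_host, src_port, dst_host, dst_port, esp,
                  classify(src_host, dst_host, esp))


def audit_capture(text: str) -> dict:
    """Classify every packet line and collect the cleartext leaks."""
    packets = [p for p in (parse_line(l) for l in text.splitlines()) if p]
    counts = {ESP_TUNNEL: 0, CLEARTEXT_INTERNAL: 0, OTHER: 0}
    leaks = []
    for p in packets:
        counts[p.verdict] += 1
        if p.verdict == CLEARTEXT_INTERNAL:
            leaks.append(p)
    return {"packets": packets, "counts": counts, "leaks": leaks}


if __name__ == "__main__":
    result = audit_capture(SAMPLE_CAPTURE)
    print("verdict counts:", result["counts"])
    for p in result["leaks"]:
        print(f"LEAK {p.ts} {p.src_host}:{p.src_port} -> {p.dst_host}:{p.dst_port}")
```

Feed it the output of a capture on the external interface of either gateway (the equivalent of the check the poster did on OpenBSD), where cleartext between the two networks should never appear. It is not meant for pflog on the FreeBSD gateway itself: there, as the post's pflog line shows, packets between the networks appear in clear once the ESP has been processed, so cleartext is expected at that point and the question is only why pf blocks it.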