Solved: FreeBSD 10 upgraded ipsec/vpn/l2tp/pf traffic problem on ng0

spag

Member

Reaction score: 6
Messages: 47

Hi,

After upgrading from 9.1 to 10.0 I found a strange issue with IPsec. It looks like the tunnel works, I can ping, but I actually can't send any data. NAT-T is enabled (LAN-to-LAN). I am not even sure where to look, as it was working fine on FreeBSD 9.1. Maybe someone has a similar issue or is able to point me in the right direction for solving this problem.
Thanks,

Code:
# tcpdump -i ng0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ng0, link-type NULL (BSD loopback), capture size 65535 bytes
22:45:50.530535 IP 192.168.1.2 > 10.0.0.2: ICMP echo request, id 1, seq 65, length 40
22:45:50.530547 IP 10.0.0.2 > 192.168.1.2: ICMP echo reply, id 1, seq 65, length 40
22:45:51.534522 IP 192.168.1.2 > 10.0.0.2: ICMP echo request, id 1, seq 66, length 40
22:45:51.534532 IP 10.0.0.2 > 192.168.1.2: ICMP echo reply, id 1, seq 66, length 40
22:45:52.539462 IP 192.168.1.2 > 10.0.0.2: ICMP echo request, id 1, seq 67, length 40
22:45:52.539469 IP 10.0.0.2 > 192.168.1.2: ICMP echo reply, id 1, seq 67, length 40
22:45:53.543682 IP 192.168.1.2 > 10.0.0.2: ICMP echo request, id 1, seq 68, length 40
22:45:53.543691 IP 10.0.0.2 > 192.168.1.2: ICMP echo reply, id 1, seq 68, length 40
22:46:02.040994 IP 192.168.1.2.60467 > 10.45.45.1.ssh: Flags [S], seq 2241597266, win 8192, options [mss 1240,nop,wscale 8,nop,nop,sackOK], length 0
22:46:05.041194 IP 192.168.1.2.60467 > 10.45.45.1.ssh: Flags [S], seq 2241597266, win 8192, options [mss 1240,nop,wscale 8,nop,nop,sackOK], length 0
22:46:11.041468 IP 192.168.1.2.60467 > 10.45.45.1.ssh: Flags [S], seq 2241597266, win 8192, options [mss 1240,nop,nop,sackOK], length 0
22:46:57.198352 IP 192.168.1.2.60474 > 10.0.0.2.ssh: Flags [S], seq 3742865512, win 8192, options [mss 1240,nop,wscale 8,nop,nop,sackOK], length 0
22:47:00.199191 IP 192.168.1.2.60474 > 10.0.0.2.ssh: Flags [S], seq 3742865512, win 8192, options [mss 1240,nop,wscale 8,nop,nop,sackOK], length 0
22:47:06.198648 IP 192.168.1.2.60474 > 10.0.0.2.ssh: Flags [S], seq 3742865512, win 8192, options [mss 1240,nop,nop,sackOK], length 0
pfctl -ss looks normal.

pf.conf:
Code:
pass in quick proto esp from any to any
pass in quick proto ah from any to any
pass in quick proto ipencap from any to any
pass in quick proto udp from any port = 500 to any port = 500
pass out quick proto esp from any to any
pass out quick proto ah from any to any
pass out quick proto ipencap from any to any
pass out quick proto udp from any port = 500 to any port = 500
kernel options:
Code:
options         IPSEC
options         IPSEC_NAT_T
device          crypto
options         IPSEC_FILTERTUNNEL
device          enc
options         LIBALIAS
options         IPDIVERT
sysctl.conf:
Code:
net.inet.ip.forwarding=1
net.inet6.ip6.forwarding=1
rc.conf:
Code:
ipsec_enable="YES"
ipsec_program="/usr/local/sbin/setkey"
ipsec_file="/usr/local/etc/racoon/setkey.conf"
racoon_enable="YES"
racoon_flags="-l /var/log/racoon.log"
mpd_enable="YES"
Other configs are used from handbook.
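The capture above shows the classic symptom of a one-way tunnel: ICMP echo requests get replies, but TCP SYNs to the remote side are retransmitted and never answered. The script below is an added example (not part of the thread, not a FreeBSD or pf tool) that parses tcpdump lines in exactly the format quoted in the post and flags flows that never see a reply. The sample capture is taken from the post; the second, "healthy" capture is constructed to show the answered case. The two-SYN threshold for declaring a flow one-way is an assumption of this example.

```python
import re
from collections import defaultdict

# Sample capture: the tcpdump lines quoted in the post above (ng0, link-type NULL).
CAPTURE = """\
22:45:50.530535 IP 192.168.1.2 > 10.0.0.2: ICMP echo request, id 1, seq 65, length 40
22:45:50.530547 IP 10.0.0.2 > 192.168.1.2: ICMP echo reply, id 1, seq 65, length 40
22:45:51.534522 IP 192.168.1.2 > 10.0.0.2: ICMP echo request, id 1, seq 66, length 40
22:45:51.534532 IP 10.0.0.2 > 192.168.1.2: ICMP echo reply, id 1, seq 66, length 40
22:46:02.040994 IP 192.168.1.2.60467 > 10.45.45.1.ssh: Flags [S], seq 2241597266, win 8192, options [mss 1240,nop,wscale 8,nop,nop,sackOK], length 0
22:46:05.041194 IP 192.168.1.2.60467 > 10.45.45.1.ssh: Flags [S], seq 2241597266, win 8192, options [mss 1240,nop,wscale 8,nop,nop,sackOK], length 0
22:46:11.041468 IP 192.168.1.2.60467 > 10.45.45.1.ssh: Flags [S], seq 2241597266, win 8192, options [mss 1240,nop,nop,sackOK], length 0
22:46:57.198352 IP 192.168.1.2.60474 > 10.0.0.2.ssh: Flags [S], seq 3742865512, win 8192, options [mss 1240,nop,wscale 8,nop,nop,sackOK], length 0
22:47:00.199191 IP 192.168.1.2.60474 > 10.0.0.2.ssh: Flags [S], seq 3742865512, win 8192, options [mss 1240,nop,wscale 8,nop,nop,sackOK], length 0
"""

# Constructed capture of a working tunnel: the SYN is answered with a SYN-ACK.
CAPTURE_HEALTHY = """\
22:50:00.000001 IP 192.168.1.2.60500 > 10.0.0.2.ssh: Flags [S], seq 1, win 8192, options [mss 1240], length 0
22:50:00.000900 IP 10.0.0.2.ssh > 192.168.1.2.60500: Flags [S.], seq 100, ack 2, win 65535, options [mss 1460], length 0
22:50:00.001200 IP 192.168.1.2.60500 > 10.0.0.2.ssh: Flags [.], ack 101, win 8192, length 0
"""

ICMP_RE = re.compile(r"^\S+ IP (\S+) > (\S+): ICMP echo (request|reply), id (\d+), seq (\d+)")
TCP_RE = re.compile(r"^\S+ IP (\S+)\.(\S+) > (\S+)\.(\S+): Flags \[([^\]]*)\], seq (\d+)")

# Assumption of this example: a flow with at least this many bare SYNs and no
# packet flowing back is reported as one-way.
SYN_THRESHOLD = 2


def classify(capture: str) -> dict:
    """Map each flow in a tcpdump text capture to 'ok', 'one-way' or 'pending'."""
    icmp = defaultdict(set)  # (initiator, responder, id, seq) -> {'request', 'reply'}
    tcp = defaultdict(lambda: {"syn": 0, "answered": False})

    for line in capture.splitlines():
        m = ICMP_RE.match(line)
        if m:
            src, dst, kind, ident, seq = m.groups()
            # Key the reply by the original request direction so both sides pair up.
            key = (src, dst, ident, seq) if kind == "request" else (dst, src, ident, seq)
            icmp[key].add(kind)
            continue
        m = TCP_RE.match(line)
        if m:
            src, sport, dst, dport, flags, _seq = m.groups()
            if "S" in flags and "." not in flags:
                tcp[(src, sport, dst, dport)]["syn"] += 1  # bare SYN from the initiator
            else:
                rev = (dst, dport, src, sport)
                if rev in tcp:  # anything coming back to a known initiator
                    tcp[rev]["answered"] = True

    report = {}
    for (src, dst, _ident, seq), kinds in icmp.items():
        report[f"icmp {src}->{dst} seq {seq}"] = "ok" if "reply" in kinds else "one-way"
    for (src, sport, dst, dport), st in tcp.items():
        if st["answered"]:
            verdict = "ok"
        elif st["syn"] >= SYN_THRESHOLD:
            verdict = "one-way"
        else:
            verdict = "pending"
        report[f"tcp {src}:{sport}->{dst}:{dport}"] = verdict
    return report


def summary(capture: str) -> tuple:
    """Return (icmp_ok, icmp_oneway, tcp_ok, tcp_oneway) counts for a capture."""
    counts = {"icmp": {"ok": 0, "one-way": 0}, "tcp": {"ok": 0, "one-way": 0}}
    for flow, verdict in classify(capture).items():
        proto = flow.split()[0]
        if verdict in counts[proto]:
            counts[proto][verdict] += 1
    return (counts["icmp"]["ok"], counts["icmp"]["one-way"],
            counts["tcp"]["ok"], counts["tcp"]["one-way"])


if __name__ == "__main__":
    for flow, verdict in classify(CAPTURE).items():
        print(f"{verdict:8s} {flow}")
```

Run it against a live capture with `tcpdump -i ng0 -n -l | python3 script.py` after changing the `__main__` block to read `sys.stdin`; the pattern "ICMP ok, every TCP flow one-way" on the tunnel interface points at filtering of the decapsulated traffic rather than at IKE or the SAs, which is where the pf fix in this thread lands.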
 
OP

spag

[solved] FreeBSD 10 upgraded ipsec/vpn/l2tp/pf traffic problem

Added to pf.conf:
Code:
set skip on {lo0, $vpn_if}
and it started working again.