Date:      Sat, 05 Nov 2011 14:03:45 +0100
From:      Tomasz Marszal <kapral@toya.net.pl>
To:        <freebsd-stable@freebsd.org>
Subject:   l2tp pass  by pf
Message-ID:  <204c953d2485fd685b3f6a6cc30b2e21@toya.net.pl>
In-Reply-To: <20111105120033.93D3910656E7@hub.freebsd.org>
References:  <20111105120033.93D3910656E7@hub.freebsd.org>

On Sat,  5 Nov 2011 12:00:33 +0000 (UTC),
freebsd-stable-request@freebsd.org
wrote:
> Send freebsd-stable mailing list submissions to
> 	freebsd-stable@freebsd.org
> 
> To subscribe or unsubscribe via the World Wide Web, visit
> 	http://lists.freebsd.org/mailman/listinfo/freebsd-stable
> or, via email, send a message with subject or body 'help' to
> 	freebsd-stable-request@freebsd.org
> 
> You can reach the person managing the list at
> 	freebsd-stable-owner@freebsd.org
> 
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of freebsd-stable digest..."
> 
> 
> Today's Topics:
> 
>    1. Re: fbsd 8.2, L2TP over IPsec and pf ? (Kurt Jaeger)
> 
> 
> ----------------------------------------------------------------------
> 
> Message: 1
> Date: Fri, 4 Nov 2011 14:18:56 +0100
> From: Kurt Jaeger <lists@c0mplx.org>
> Subject: Re: fbsd 8.2, L2TP over IPsec and pf ?
> To: freebsd-stable@freebsd.org
> Message-ID: <20111104131856.GD68080@home.opsec.eu>
> Content-Type: text/plain; charset=us-ascii
> 
> Hi!
> 
>> I'm building a setup for incoming L2TP over IPsec connections
>> using FreeBSD 8.2-REL.
>> 
>> IPsec based on ports/security/ipsec-tools, the l2tp part
>> works from net/mpd5/.
>> 
>> If I disable the PF rules, everything works.
>> 
>> If I enable the PF rules, the IPsec connection still comes up,
>> but the L2TP requests are lost somewhere in the PF rules 8-(
>> 
>> Interestingly, tcpdump enc0 does not see any encrypted packets (!)
>> as long as the PF rules are active.
>> 
>> Any hits on the PF rules required to allow those packets in ?
I don't know the exact rules, but you can try to log all the outgoing and
incoming packets by rules

pass in quick log all
pass out quick log all

and then see what is going on by displaying logs on your console 
tcpdump -n -e -ttt -i pflog0

Finally, send packets through the firewall and see what to pass by adding the
appropriate rule to your firewall.

Useful hint: use some other firewall like ipfw or ipf when you disable your
pf; the same thing you should do when you pass all the packets by pf.


> Turns out: ESP in/out was missing. set debug misc in the pf.conf
> is worth a lot 8-)
> 
> Thanks for all help (by private mail).
> 
> I'll try to document this setup on some webpage (but this will take
> 1-2 months due to other projects 8-(
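Putting the thread's findings together, here is an added pf.conf fragment (not posted by either participant) for a FreeBSD host accepting L2TP over IPsec with racoon from ipsec-tools and mpd5. The external interface name, the server address and the explicit "keep state" are assumptions; the ESP rules are the piece the original poster found missing, and the enc0 rule restricts what the decrypted tunnel may reach.

```pf
# Added example, not from the thread. Interface name and address are
# assumptions; 192.0.2.1 is a constructed documentation address.
ext_if = "em0"
l2tp_srv = "192.0.2.1"

# Mentioned in the thread: have pf log rule-matching detail to syslog.
set debug misc

# Diagnostic mode from the reply above: pass and log everything, then watch
# it with "tcpdump -n -e -ttt -i pflog0". Comment these out again once the
# real rules below are known to work, since they pass every packet.
# pass in quick log all
# pass out quick log all

# IKE (udp/500) and NAT-T (udp/4500) to the IPsec daemon.
pass in quick on $ext_if inet proto udp from any to $l2tp_srv port { 500, 4500 } keep state
pass out quick on $ext_if inet proto udp from $l2tp_srv port { 500, 4500 } to any keep state

# ESP itself (IP protocol 50). Without these the encrypted packets are
# dropped on $ext_if before the kernel decapsulates them, which is why
# tcpdump on enc0 saw nothing while the ruleset was active.
pass in quick on $ext_if proto esp from any to $l2tp_srv
pass out quick on $ext_if proto esp from $l2tp_srv to any

# After decapsulation the packets reappear on enc0. Allow only L2TP
# (udp/1701) there, so an IPsec peer cannot reach other local services.
pass in quick on enc0 proto udp from any to $l2tp_srv port 1701 keep state
pass out quick on enc0 proto udp from $l2tp_srv port 1701 to any keep state
```

Load it with "pfctl -nf /etc/pf.conf" first to syntax-check, then "pfctl -f /etc/pf.conf"; if the L2TP request still does not arrive, re-enable the two "log all" lines and look at pflog0 to see which interface the packet is last seen on.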


