Date:      Sun, 30 Oct 2011 15:42:11 -0700
From:      Michael Sierchio <kudzu@tenebras.com>
To:        FreeBSD Questions <freebsd-questions@freebsd.org>
Subject:   IPsec woes in 8.2
Message-ID:  <CAHu1Y73yrKcGszs637zr3zYcNP4-ziiZek7F_07t==WH%2Bv1K9Q@mail.gmail.com>

I've been trying to upgrade a client firewall to 8.2, but have an odd
problem.  The current config, based on 7.4, has the firewall as an
IPsec endpoint for other offices, but also is doing 1:1 NAT and
passing L2TP traffic to a VPN endpoint inside the firewall.

The upgrade to 8.2 breaks the L2TP traffic through the firewall.  I
see the ISAKMP traffic, phase 1 and phase 2, but the UDP-encap: ESP
packets seen on the outside of the firewall are no longer passed
through, as evidenced by the following (sorry for obscuring the public
IP addresses; you can still read it).

Any suggestions?


reading from file l2tp_inside_capture.pcap.pcap, link-type EN10MB (Ethernet)
13:21:51.554271 IP A.B.C.D.32201 > 172.17.1.107.500: isakmp: phase 1 I ident
13:21:51.555192 IP 172.17.1.107.500 > A.B.C.D.32201: isakmp: phase 1 R ident
13:21:51.576756 IP A.B.C.D.32201 > 172.17.1.107.500: isakmp: phase 1 I ident
13:21:51.581808 IP 172.17.1.107.500 > A.B.C.D.32201: isakmp: phase 1 R ident
13:21:51.600743 IP A.B.C.D.37762 > 172.17.1.107.4500: NONESP-encap: isakmp: phase 1 I ident[E]
13:21:51.601082 IP 172.17.1.107.4500 > A.B.C.D.37762: NONESP-encap: isakmp: phase 1 R ident[E]
13:21:52.617401 IP A.B.C.D.37762 > 172.17.1.107.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
13:21:52.618170 IP 172.17.1.107.4500 > A.B.C.D.37762: NONESP-encap: isakmp: phase 2/others R oakley-quick[E]
13:21:52.629397 IP A.B.C.D.37762 > 172.17.1.107.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
13:22:11.776889 IP 172.17.1.107.4500 > A.B.C.D.37762: isakmp-nat-keep-alive
13:22:12.642584 IP A.B.C.D.37762 > 172.17.1.107.4500: NONESP-encap: isakmp: phase 2/others I inf[E]
13:22:12.642586 IP A.B.C.D.37762 > 172.17.1.107.4500: NONESP-encap: isakmp: phase 2/others I inf[E]

reading from file l2tp_outside_capture.pcap.pcap, link-type EN10MB (Ethernet)
13:21:51.470254 IP A.B.C.D.32201 > E.F.G.H.500: isakmp: phase 1 I ident
13:21:51.558259 IP E.F.G.H.500 > A.B.C.D.32201: isakmp: phase 1 R ident
13:21:51.577845 IP A.B.C.D.32201 > E.F.G.H.500: isakmp: phase 1 I ident
13:21:51.584205 IP E.F.G.H.500 > A.B.C.D.32201: isakmp: phase 1 R ident
13:21:51.602096 IP A.B.C.D.37762 > E.F.G.H.4500: NONESP-encap: isakmp: phase 1 I ident[E]
13:21:51.603197 IP E.F.G.H.4500 > A.B.C.D.37762: NONESP-encap: isakmp: phase 1 R ident[E]
13:21:52.618053 IP A.B.C.D.37762 > E.F.G.H.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
13:21:52.620045 IP E.F.G.H.4500 > A.B.C.D.37762: NONESP-encap: isakmp: phase 2/others R oakley-quick[E]
13:21:52.630504 IP A.B.C.D.37762 > E.F.G.H.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
13:21:52.632112 IP A.B.C.D.37762 > E.F.G.H.4500: UDP-encap: ESP(spi=0x08278f54,seq=0x1), length 116
13:21:53.255200 IP A.B.C.D.37762 > E.F.G.H.4500: UDP-encap: ESP(spi=0x08278f54,seq=0x2), length 116
13:21:55.255914 IP A.B.C.D.37762 > E.F.G.H.4500: UDP-encap: ESP(spi=0x08278f54,seq=0x3), length 116
13:21:59.256397 IP A.B.C.D.37762 > E.F.G.H.4500: UDP-encap: ESP(spi=0x08278f54,seq=0x4), length 116
13:22:07.257594 IP A.B.C.D.37762 > E.F.G.H.4500: UDP-encap: ESP(spi=0x08278f54,seq=0x5), length 116
13:22:12.193516 IP A.B.C.D.37762 > E.F.G.H.4500: isakmp-nat-keep-alive
13:22:12.643129 IP A.B.C.D.37762 > E.F.G.H.4500: NONESP-encap: isakmp: phase 2/others I inf[E]
13:22:12.643841 IP A.B.C.D.37762 > E.F.G.H.4500: NONESP-encap: isakmp: phase 2/others I inf[E]
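The two listings above make the point by inspection: IKE on UDP/500 and the NAT-T IKE exchange on UDP/4500 (NONESP-encap) appear on both sides of the firewall, while the UDP-encapsulated ESP packets (UDP-encap: ESP, SPI 0x08278f54) appear only on the outside. The following script is an added example, not part of the original post, that automates that check: it parses tcpdump text output (re-joining lines that a mail client wrapped), buckets each packet by NAT-T stage, and reports which stages and which ESP SPIs were seen outside but never inside. The sample captures are constructed from an abbreviated subset of the post's own lines; the address placeholders A.B.C.D and E.F.G.H are kept as they appear in the post.

```python
import re
from collections import Counter

# Constructed sample: an abbreviated subset of the two tcpdump listings from the
# post, with the e-mail's line wrapping kept on purpose to exercise unwrap().
INSIDE = """\
13:21:51.554271 IP A.B.C.D.32201 > 172.17.1.107.500: isakmp: phase 1 I ident
13:21:51.600743 IP A.B.C.D.37762 > 172.17.1.107.4500: NONESP-encap:
isakmp: phase 1 I ident[E]
13:21:52.617401 IP A.B.C.D.37762 > 172.17.1.107.4500: NONESP-encap:
isakmp: phase 2/others I oakley-quick[E]
13:22:11.776889 IP 172.17.1.107.4500 > A.B.C.D.37762: isakmp-nat-keep-alive
"""

OUTSIDE = """\
13:21:51.470254 IP A.B.C.D.32201 > E.F.G.H.500: isakmp: phase 1 I ident
13:21:51.602096 IP A.B.C.D.37762 > E.F.G.H.4500: NONESP-encap: isakmp:
phase 1 I ident[E]
13:21:52.618053 IP A.B.C.D.37762 > E.F.G.H.4500: NONESP-encap: isakmp:
phase 2/others I oakley-quick[E]
13:21:52.632112 IP A.B.C.D.37762 > E.F.G.H.4500: UDP-encap:
ESP(spi=0x08278f54,seq=0x1), length 116
13:21:53.255200 IP A.B.C.D.37762 > E.F.G.H.4500: UDP-encap:
ESP(spi=0x08278f54,seq=0x2), length 116
13:22:12.193516 IP A.B.C.D.37762 > E.F.G.H.4500: isakmp-nat-keep-alive
"""

TS_RE = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d+ ")
PKT_RE = re.compile(r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): (?P<info>.*)$")


def unwrap(text):
    """Re-join tcpdump lines that were wrapped for e-mail: a line that does not
    start with a timestamp is a continuation of the previous record."""
    records = []
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        if TS_RE.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line.strip()
    return records


def split_port(endpoint):
    """tcpdump prints host.port; the host may be an obscured placeholder."""
    host, _, port = endpoint.rpartition(".")
    return host, int(port)


def classify(info, dport):
    """Bucket a packet by the IKE / IPsec NAT-T stage it belongs to."""
    if info.startswith("UDP-encap: ESP"):
        return "esp-nat-t"        # RFC 3948 UDP-encapsulated ESP on 4500
    if "isakmp-nat-keep-alive" in info:
        return "nat-keepalive"
    if info.startswith("NONESP-encap:"):
        return "isakmp-nat-t"     # IKE with the non-ESP marker on 4500
    if info.startswith("isakmp:") and dport == 500:
        return "isakmp"
    return "other"


def parse(text):
    pkts = []
    for rec in unwrap(text):
        m = PKT_RE.match(rec)
        if not m:
            continue
        src, sport = split_port(m["src"])
        dst, dport = split_port(m["dst"])
        pkts.append({"ts": m["ts"], "src": src, "sport": sport, "dst": dst,
                     "dport": dport, "kind": classify(m["info"], dport),
                     "info": m["info"]})
    return pkts


def esp_spis(pkts):
    spis = set()
    for p in pkts:
        if p["kind"] == "esp-nat-t":
            m = re.search(r"spi=(0x[0-9a-f]+)", p["info"])
            if m:
                spis.add(m.group(1))
    return spis


def compare(outside_text, inside_text):
    """Compare by stage rather than by address, because 1:1 NAT rewrites the
    destination between the two capture points."""
    out, ins = parse(outside_text), parse(inside_text)
    out_counts = Counter(p["kind"] for p in out)
    in_counts = Counter(p["kind"] for p in ins)
    missing = {k: out_counts[k] - in_counts.get(k, 0)
               for k in out_counts if out_counts[k] > in_counts.get(k, 0)}
    return {"outside": dict(out_counts), "inside": dict(in_counts),
            "not_forwarded": missing,
            "dropped_spis": esp_spis(out) - esp_spis(ins)}


if __name__ == "__main__":
    result = compare(OUTSIDE, INSIDE)
    for kind, n in result["not_forwarded"].items():
        print(f"{n} {kind} packet(s) seen outside but not inside")
    print("ESP SPIs never seen inside:", sorted(result["dropped_spis"]))
```

Run against the full captures, the report isolates the failure to the UDP-encap ESP stage alone, which is the observation the post makes: IKE completes through the firewall, so the fault lies in how port-4500 ESP datagrams (rather than IKE) are handled after the upgrade.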