From owner-freebsd-questions@FreeBSD.ORG Sun Oct 30 22:42:13 2011
From: Michael Sierchio
To: FreeBSD Questions <freebsd-questions@freebsd.org>
Date: Sun, 30 Oct 2011 15:42:11 -0700
Subject: IPsec woes in 8.2

I've been trying to upgrade a client firewall to 8.2, but have an odd problem.

The current config, based on 7.4, has the firewall as an IPsec endpoint for other offices, but it is also doing 1:1 NAT and passing L2TP traffic to a VPN endpoint inside the firewall.

The upgrade to 8.2 breaks the L2TP traffic through the firewall. I see the ISAKMP traffic, phase 1 and phase 2, but the UDP-encap: ESP packets seen on the outside of the firewall are no longer passed through, as evidenced by the following (sorry for obscuring the public IP addresses, you can still read it).

Any suggestions?
reading from file l2tp_inside_capture.pcap.pcap, link-type EN10MB (Ethernet)
13:21:51.554271 IP A.B.C.D.32201 > 172.17.1.107.500: isakmp: phase 1 I ident
13:21:51.555192 IP 172.17.1.107.500 > A.B.C.D.32201: isakmp: phase 1 R ident
13:21:51.576756 IP A.B.C.D.32201 > 172.17.1.107.500: isakmp: phase 1 I ident
13:21:51.581808 IP 172.17.1.107.500 > A.B.C.D.32201: isakmp: phase 1 R ident
13:21:51.600743 IP A.B.C.D.37762 > 172.17.1.107.4500: NONESP-encap: isakmp: phase 1 I ident[E]
13:21:51.601082 IP 172.17.1.107.4500 > A.B.C.D.37762: NONESP-encap: isakmp: phase 1 R ident[E]
13:21:52.617401 IP A.B.C.D.37762 > 172.17.1.107.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
13:21:52.618170 IP 172.17.1.107.4500 > A.B.C.D.37762: NONESP-encap: isakmp: phase 2/others R oakley-quick[E]
13:21:52.629397 IP A.B.C.D.37762 > 172.17.1.107.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
13:22:11.776889 IP 172.17.1.107.4500 > A.B.C.D.37762: isakmp-nat-keep-alive
13:22:12.642584 IP A.B.C.D.37762 > 172.17.1.107.4500: NONESP-encap: isakmp: phase 2/others I inf[E]
13:22:12.642586 IP A.B.C.D.37762 > 172.17.1.107.4500: NONESP-encap: isakmp: phase 2/others I inf[E]

reading from file l2tp_outside_capture.pcap.pcap, link-type EN10MB (Ethernet)
13:21:51.470254 IP A.B.C.D.32201 > E.F.G.H.500: isakmp: phase 1 I ident
13:21:51.558259 IP E.F.G.H.500 > A.B.C.D.32201: isakmp: phase 1 R ident
13:21:51.577845 IP A.B.C.D.32201 > E.F.G.H.500: isakmp: phase 1 I ident
13:21:51.584205 IP E.F.G.H.500 > A.B.C.D.32201: isakmp: phase 1 R ident
13:21:51.602096 IP A.B.C.D.37762 > E.F.G.H.4500: NONESP-encap: isakmp: phase 1 I ident[E]
13:21:51.603197 IP E.F.G.H.4500 > A.B.C.D.37762: NONESP-encap: isakmp: phase 1 R ident[E]
13:21:52.618053 IP A.B.C.D.37762 > E.F.G.H.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
13:21:52.620045 IP E.F.G.H.4500 > A.B.C.D.37762: NONESP-encap: isakmp: phase 2/others R oakley-quick[E]
13:21:52.630504 IP A.B.C.D.37762 > E.F.G.H.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
13:21:52.632112 IP A.B.C.D.37762 > E.F.G.H.4500: UDP-encap: ESP(spi=0x08278f54,seq=0x1), length 116
13:21:53.255200 IP A.B.C.D.37762 > E.F.G.H.4500: UDP-encap: ESP(spi=0x08278f54,seq=0x2), length 116
13:21:55.255914 IP A.B.C.D.37762 > E.F.G.H.4500: UDP-encap: ESP(spi=0x08278f54,seq=0x3), length 116
13:21:59.256397 IP A.B.C.D.37762 > E.F.G.H.4500: UDP-encap: ESP(spi=0x08278f54,seq=0x4), length 116
13:22:07.257594 IP A.B.C.D.37762 > E.F.G.H.4500: UDP-encap: ESP(spi=0x08278f54,seq=0x5), length 116
13:22:12.193516 IP A.B.C.D.37762 > E.F.G.H.4500: isakmp-nat-keep-alive
13:22:12.643129 IP A.B.C.D.37762 > E.F.G.H.4500: NONESP-encap: isakmp: phase 2/others I inf[E]
13:22:12.643841 IP A.B.C.D.37762 > E.F.G.H.4500: NONESP-encap: isakmp: phase 2/others I inf[E]
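The comparison the poster did by eye (IKE on UDP/500 and UDP/4500 crosses the firewall, the UDP-encapsulated ESP on UDP/4500 does not) can be automated over the two tcpdump text dumps. The script below is an added example and not part of the original mail or of FreeBSD; it assumes the captures were rendered with `tcpdump -nn -r` in the format shown above and that the 1:1 NAT mapping (public address to inside host) is known. The sample lines are a constructed, trimmed copy of the post's captures, with the public addresses left obscured as A.B.C.D and E.F.G.H, and the NAT map is an assumption based on the post (E.F.G.H maps to 172.17.1.107).

```python
"""Compare tcpdump text output captured outside and inside a NAT/IPsec
firewall and report which traffic classes make it through."""

import re
from collections import Counter

# Constructed sample: trimmed copy of the outside (public-side) capture from the post.
OUTSIDE = """\
reading from file l2tp_outside_capture.pcap.pcap, link-type EN10MB (Ethernet)
13:21:51.470254 IP A.B.C.D.32201 > E.F.G.H.500: isakmp: phase 1 I ident
13:21:51.558259 IP E.F.G.H.500 > A.B.C.D.32201: isakmp: phase 1 R ident
13:21:51.602096 IP A.B.C.D.37762 > E.F.G.H.4500: NONESP-encap: isakmp: phase 1 I ident[E]
13:21:51.603197 IP E.F.G.H.4500 > A.B.C.D.37762: NONESP-encap: isakmp: phase 1 R ident[E]
13:21:52.632112 IP A.B.C.D.37762 > E.F.G.H.4500: UDP-encap: ESP(spi=0x08278f54,seq=0x1), length 116
13:21:53.255200 IP A.B.C.D.37762 > E.F.G.H.4500: UDP-encap: ESP(spi=0x08278f54,seq=0x2), length 116
13:22:12.193516 IP A.B.C.D.37762 > E.F.G.H.4500: isakmp-nat-keep-alive
"""

# Constructed sample: trimmed copy of the inside (VPN-endpoint-side) capture from the post.
INSIDE = """\
reading from file l2tp_inside_capture.pcap.pcap, link-type EN10MB (Ethernet)
13:21:51.554271 IP A.B.C.D.32201 > 172.17.1.107.500: isakmp: phase 1 I ident
13:21:51.555192 IP 172.17.1.107.500 > A.B.C.D.32201: isakmp: phase 1 R ident
13:21:51.600743 IP A.B.C.D.37762 > 172.17.1.107.4500: NONESP-encap: isakmp: phase 1 I ident[E]
13:21:51.601082 IP 172.17.1.107.4500 > A.B.C.D.37762: NONESP-encap: isakmp: phase 1 R ident[E]
13:22:11.776889 IP 172.17.1.107.4500 > A.B.C.D.37762: isakmp-nat-keep-alive
"""

# Assumed 1:1 NAT mapping, public address -> inside host (inferred from the post).
NAT_MAP = {"E.F.G.H": "172.17.1.107"}

# One tcpdump line: timestamp, "IP", src.port > dst.port: payload description.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+?)\.(?P<sport>\d+) > "
    r"(?P<dst>\S+?)\.(?P<dport>\d+): (?P<rest>.*)$"
)


def classify(rest):
    """Map tcpdump's payload description to a coarse traffic class."""
    if rest.startswith("UDP-encap: ESP"):
        return "esp-udp-encap"   # NAT-T data traffic: ESP carried in UDP/4500
    if rest.startswith("NONESP-encap: isakmp"):
        return "isakmp-nat-t"    # IKE moved to UDP/4500 after NAT detection
    if rest.startswith("isakmp-nat-keep-alive"):
        return "nat-keepalive"
    if rest.startswith("isakmp:"):
        return "isakmp"          # IKE on UDP/500
    if rest.startswith("ESP("):
        return "esp"             # raw ESP (IP protocol 50), no UDP encapsulation
    return "other"


def parse(text):
    """Parse tcpdump text output; banner lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["class"] = classify(rec["rest"])
            records.append(rec)
    return records


def flow_counts(records, nat_map):
    """Count packets per (class, src, dst, dport); public addresses are rewritten
    to their inside host so both captures name the same flows."""
    counts = Counter()
    for r in records:
        key = (r["class"], nat_map.get(r["src"], r["src"]),
               nat_map.get(r["dst"], r["dst"]), r["dport"])
        counts[key] += 1
    return counts


def compare(outside_text, inside_text, nat_map):
    """For every flow seen outside, return (outside_count, inside_count, status).
    The verdict is a packet-count heuristic: check that both captures cover the
    same time window before trusting a 'dropped' result."""
    outside = flow_counts(parse(outside_text), nat_map)
    inside = flow_counts(parse(inside_text), nat_map)
    report = {}
    for key in sorted(outside):
        o, i = outside[key], inside.get(key, 0)
        status = "passed" if i >= o else ("dropped" if i == 0 else "partial")
        report[key] = (o, i, status)
    return report


def dropped_classes(report):
    """Traffic classes with at least one flow that never reached the inside."""
    return {key[0] for key, (_, _, status) in report.items() if status == "dropped"}


if __name__ == "__main__":
    result = compare(OUTSIDE, INSIDE, NAT_MAP)
    for (cls, src, dst, dport), (o, i, status) in result.items():
        print(f"{status:8} {cls:14} {src} -> {dst}:{dport}  outside={o} inside={i}")
    print("classes not crossing the firewall:", sorted(dropped_classes(result)))
```

Run against the post's two captures, the ESP-in-UDP flow to port 4500 is reported as dropped while both the UDP/500 and UDP/4500 IKE exchanges are reported as passed, which narrows the problem to how the firewall handles the encapsulated data packets rather than the key exchange. The inbound NAT keepalive on the outside is also absent inside, so the same check flags it.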