From: Eric Masson <emss@free.fr>
To: Mailing List FreeBSD Network <freebsd-net@freebsd.org>
Date: Mon, 13 Aug 2007 10:15:22 +0200
Subject: pf rdr statement & ipsec processing interaction
Message-ID: <867inzn945.fsf@srvbsdnanssv.interne.kisoft-services.com>
X-Operating-System: FreeBSD 6.2-RELEASE-p7 i386

Hello,

I'm trying to set up a FreeBSD 6.2 box as an l2tp/ipsec server for MS workstations (FAST_IPSEC + Yvan's NAT-T patch).

Thanks to mpd4, the l2tp part works fine. As the box could in fine have only a dynamic ip address, I've made mpd listen on a loopback interface on the box and then redirected incoming l2tp traffic to this loopback interface:

$ ifconfig lo1
lo1: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet 10.127.0.1 netmask 0xff000000

$ cat /usr/local/etc/mpd4/mpd.links
l2tp1:
        set link type l2tp
        set l2tp self 10.127.0.1
        set l2tp enable incoming
        set l2tp disable originate

$ cat /etc/pf.conf
ext_if="vxn0"
rdr on $ext_if proto udp from any to ($ext_if) port 1701 -> 10.127.0.1 port 1701

If ipsec isn't enabled (no spd & no racoon running on the freebsd side, ipsec disabled on the xp box), this setup works fine.

If ipsec is enabled on the box and on the xp box, phase I & phase II succeed but mpd4 doesn't get any l2tp packet.

If I set up mpd4 to listen on the external interface address and disable the pf rdr rule, everything works fine (ipsec enabled or disabled).

From this, it seems that the pf rdr rule isn't applied to the incoming l2tp packets once they've been ipsec processed.

Is this expected behaviour or a bug?

TIA

Regards

Éric Masson
-- 
holding an ethernet cable at arm's length across a restaurant dining room so it doesn't fall into the tiramisu, while others talk over infrared, that's real life, isn't it?
 -+- DA in Guide du Macounet Pervers : http://www.le-visconti.net/ -+-
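The three outcomes reported above, reproduced with a small packet-path model. This is an added example, not code from the post, from pf or from FreeBSD; it encodes the poster's hypothesis that the rdr hook is not re-run on a datagram that re-enters the stack after IPsec decapsulation, and it assumes constructed addresses (198.51.100.10 on vxn0, 203.0.113.7 for the XP client).

```python
# Added model of the input path described in the post (pfil rdr hook, then
# IPsec decapsulation, then local delivery). Not FreeBSD or pf code; the
# "no second rdr pass after decapsulation" behaviour is the poster's
# hypothesis, and all addresses below are constructed for the example.
from dataclasses import dataclass, replace
from typing import Optional

EXT_IF, EXT_IF_ADDR = "vxn0", "198.51.100.10"   # constructed address for vxn0
CLIENT = "203.0.113.7"                           # constructed XP client address
L2TP_PORT = 1701
LOOPBACK_ADDR = "10.127.0.1"                      # lo1 address from the post


@dataclass(frozen=True)
class Dgram:
    ifname: str                  # interface pf sees the packet on
    proto: str                   # "udp" or "esp"
    src: str
    dst: str
    dport: Optional[int] = None
    decapsulated: bool = False   # True once IPsec has stripped the ESP header


def pf_rdr(pkt: Dgram) -> Dgram:
    """rdr on $ext_if proto udp from any to ($ext_if) port 1701 -> 10.127.0.1 port 1701"""
    if (pkt.ifname == EXT_IF and pkt.proto == "udp"
            and pkt.dst == EXT_IF_ADDR and pkt.dport == L2TP_PORT):
        return replace(pkt, dst=LOOPBACK_ADDR, dport=L2TP_PORT)
    return pkt   # no match: an ESP (or NAT-T UDP/4500) datagram passes untouched


def ipsec_decap(pkt: Dgram) -> Dgram:
    """ESP in, inner L2TP (UDP/1701) datagram out; IKE phases are assumed done."""
    if pkt.proto != "esp":
        return pkt
    return replace(pkt, proto="udp", dport=L2TP_PORT, decapsulated=True)


def deliver(pkt: Dgram, rdr_enabled: bool) -> Dgram:
    """Run the rdr hook once on the wire datagram, then decapsulate; the inner
    datagram is handed to local delivery without a second pass through rdr."""
    if rdr_enabled:
        pkt = pf_rdr(pkt)
    return ipsec_decap(pkt)


def reaches_mpd(pkt: Dgram, mpd_listen_addr: str) -> bool:
    """mpd only sees UDP/1701 datagrams addressed to the address it binds."""
    return pkt.proto == "udp" and pkt.dport == L2TP_PORT and pkt.dst == mpd_listen_addr


def scenario(ipsec: bool, rdr: bool, mpd_listen_addr: str) -> bool:
    """One L2TP datagram from the client under a given configuration."""
    wire = Dgram(EXT_IF, "esp" if ipsec else "udp", CLIENT, EXT_IF_ADDR,
                 None if ipsec else L2TP_PORT)
    return reaches_mpd(deliver(wire, rdr), mpd_listen_addr)
```

With IPsec on, the only datagram the rdr hook ever sees on vxn0 is ESP, so the inner UDP/1701 datagram is delivered to the external address where nothing listens; the model returns True for the two working configurations and False for the failing one.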