Date: Mon, 05 Mar 2007 14:33:35 +0000
From: Tom Judge <tom@tomjudge.com>
To: Volker Werth <vwerth@vwsoft.com>
Cc: freebsd-pf@freebsd.org
Subject: Re: Tracing packets passing through PF
Message-ID: <45EC2A3F.3040208@tomjudge.com>
In-Reply-To: <45EC1F41.2060202@vwsoft.com>
References: <45E75454.2060302@tomjudge.com> <000601c75ca1$b4d7a570$1e86f050$@Hennessy@nviz.net> <45E7F00B.6010306@tomjudge.com> <001901c75cb1$040435a0$0c0ca0e0$@Hennessy@nviz.net> <45E81AC3.5020304@tomjudge.com> <003901c75e88$c1b7cd40$452767c0$@Hennessy@nviz.net> <45EBE118.1010602@tomjudge.com> <45EC1F41.2060202@vwsoft.com>
Volker Werth wrote:
> On 12/23/-58 20:59, Tom Judge wrote:
>> The packet is not getting filtered; it leaves the host and passes on the
>> wire to the default gateway. There are no issues with the traffic being
>> filtered by the originating host's firewall. The problem is that the ESP
>> packet's next hop is not being modified by the source routing rule and is
>> therefore being sent to the incorrect gateway, where the ISP filters the
>> packet. It is only the ESP traffic that fails to be routed correctly;
>> all other traffic is fine. It is almost as if the ESP packet never
>> enters PF and is transmitted straight out onto the network, hence me
>> starting this thread about being able to trace the packet through the
>> stack.
>>
>> Tom
>
> Tom,
>
> could you describe in a bit more detail what you're doing with IPSec
> and what you're trying to do using pf? I've not followed the whole
> thread as I've had no time to read email over the weekend. If you
> already posted all the info, please forgive me and point me to that
> message.
>
> I've done a lot of work with IPSec (+ipsec_tools, racoon2 etc.) and
> have also seen strange behaviour of ESP data not passing the firewall.
>
> Are you using IPSEC or FAST_IPSEC? Are you using GIF tunnels? Are
> you using ENC? Could you please give us your routing table (partially)?
>
> Thanks,
>
> Volker

Here is a simplified diagram of the network layout:

http://www.tomjudge.com/tmp/tunnels.png

The following configurations are from host A; host B is configured in an identical fashion with the changes made in the obvious places. The routing of the networks at each end of the tunnel is controlled by OSPF (using quagga).

Racoon successfully negotiates the IPSEC connection with the remote host (all traffic during this stage passes through the firewall correctly). The problem appears when traffic is sent across the link and IPSEC is sending the ESP packets, which fail to pass through PF (or so it would seem).
Kernel Config (Relevant sections):

device gif # IPv6 and IPv4 tunneling
device carp
device pf
device pflog
device pfsync
options IPSEC
options IPSEC_ESP
options IPSEC_FILTERGIF
options ALTQ
options ALTQ_CBQ # Class Bases Queuing (CBQ)
options ALTQ_RED # Random Early Detection (RED)
options ALTQ_RIO # RED In/Out
options ALTQ_HFSC # Hierarchical Packet Scheduler (HFSC)
options ALTQ_PRIQ # Priority Queuing (PRIQ)
options ALTQ_NOPCC # Required for SMP build

ifconfig:

bge0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
	options=1b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING>
	inet 10.0.0.46 netmask 0xff000000 broadcast 10.255.255.255
	ether 00:11:43:37:2e:2e
	media: Ethernet autoselect (1000baseTX <full-duplex>)
	status: active
bge1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	options=1b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING>
	inet 111.0.0.2 netmask 0xffffffe0 broadcast 111.0.0.31
	inet 112.0.0.2 netmask 0xffffffe0 broadcast 112.0.0.31
	ether 00:11:43:37:2e:2f
	media: Ethernet autoselect (1000baseTX <full-duplex>)
	status: active
gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
	tunnel inet 111.0.0.2 --> 113.0.0.2
	inet 192.168.174.1 --> 192.168.174.2 netmask 0xfffffffc
gif1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
	tunnel inet 112.0.0.2 --> 114.0.0.2
	inet 192.168.174.5 --> 192.168.174.6 netmask 0xfffffffc

netstat -rn with excess entries removed:

Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            111.0.0.1          UGS         6 1107473272   bge1
10                 link#1             UC          0        0   bge0
111.0.0.0/27       link#2             UC          0        0   bge1
112.0.0.0/27       link#2             UC          0        0   bge1

/etc/ipsec.conf:

spdadd 111.0.0.2/32 113.0.0.2/32 ipencap -P out ipsec esp/tunnel/111.0.0.2-113.0.0.2/require;
spdadd 113.0.0.2/32 111.0.0.2/32 ipencap -P in ipsec esp/tunnel/113.0.0.2-111.0.0.2/require;
spdadd 112.0.0.2/32 114.0.0.2/32 ipencap -P out ipsec esp/tunnel/112.0.0.2-114.0.0.2/require;
spdadd 114.0.0.2/32 112.0.0.2/32 ipencap -P in ipsec esp/tunnel/114.0.0.2-112.0.0.2/require;
/usr/local/etc/racoon/racoon.conf (Appropriate sections):

path pre_shared_key "/usr/local/etc/racoon/psk.conf";

remote 113.0.0.2 [500] {
	exchange_mode aggressive,main;
	doi ipsec_doi;
	situation identity_only;
	nonce_size 16;
	initial_contact on;
	proposal_check obey; # obey, strict, or claim
	proposal {
		encryption_algorithm 3des;
		hash_algorithm sha1;
		authentication_method pre_shared_key;
		dh_group 2;
	}
}

remote 114.0.0.2 [500] {
	exchange_mode aggressive,main;
	doi ipsec_doi;
	situation identity_only;
	nonce_size 16;
	initial_contact on;
	proposal_check obey; # obey, strict, or claim
	proposal {
		encryption_algorithm 3des;
		hash_algorithm sha1;
		authentication_method pre_shared_key;
		dh_group 2;
	}
}
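The configuration above is enough to reproduce the routing side of the problem on paper: the two tunnels have outer source addresses in different /27s on the same interface, but the kernel has a single default route via 111.0.0.1. The following script is an added example and is not part of the thread or of any FreeBSD tool. It parses the netstat -rn and /etc/ipsec.conf excerpts quoted in the message (reproduced here as constructed input), does a longest-prefix-match lookup for each outbound tunnel's outer destination, and flags a tunnel whose ESP packets the plain kernel route would hand to a gateway outside the outer source address's own subnet. The pf route-to rule the thread refers to is not shown on the page, so only the kernel route is modelled; the flagged tunnel is the one that depends entirely on pf rewriting the next hop.

```python
"""Cross-check IPsec SPD tunnel endpoints against the kernel routing table.
Added example, not from the original thread; input data is constructed
from the netstat -rn and ipsec.conf excerpts quoted in the message."""
import ipaddress
import re

# Constructed from the netstat -rn excerpt in the message.
NETSTAT_RN = """\
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            111.0.0.1          UGS         6 1107473272   bge1
10                 link#1             UC          0        0   bge0
111.0.0.0/27       link#2             UC          0        0   bge1
112.0.0.0/27       link#2             UC          0        0   bge1
"""

# Constructed from the /etc/ipsec.conf excerpt in the message.
IPSEC_CONF = """\
spdadd 111.0.0.2/32 113.0.0.2/32 ipencap -P out ipsec esp/tunnel/111.0.0.2-113.0.0.2/require;
spdadd 113.0.0.2/32 111.0.0.2/32 ipencap -P in ipsec esp/tunnel/113.0.0.2-111.0.0.2/require;
spdadd 112.0.0.2/32 114.0.0.2/32 ipencap -P out ipsec esp/tunnel/112.0.0.2-114.0.0.2/require;
spdadd 114.0.0.2/32 112.0.0.2/32 ipencap -P in ipsec esp/tunnel/114.0.0.2-112.0.0.2/require;
"""

# setkey(8) tunnel-mode ESP policy: spdadd SRC DST PROTO -P DIR ipsec esp/tunnel/A-B/LEVEL;
SPD_RE = re.compile(
    r"spdadd\s+(\S+)\s+(\S+)\s+(\S+)\s+-P\s+(in|out)\s+ipsec\s+"
    r"esp/tunnel/([0-9.]+)-([0-9.]+)/(\w+);"
)


def dest_to_network(dest):
    """Turn a netstat Destination column into an ip_network. netstat prints
    'default' for 0.0.0.0/0 and drops trailing zero octets ('10' = 10.0.0.0/8)."""
    if dest == "default":
        return ipaddress.ip_network("0.0.0.0/0")
    if "/" in dest:
        return ipaddress.ip_network(dest, strict=False)
    octets = dest.split(".")
    prefix = 8 * len(octets)
    octets += ["0"] * (4 - len(octets))
    return ipaddress.ip_network(".".join(octets) + "/" + str(prefix), strict=False)


def parse_routes(text):
    """Return a list of (network, gateway, netif) from netstat -rn output."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] == "Destination":
            continue  # banner, blank and header lines
        routes.append((dest_to_network(parts[0]), parts[1], parts[5]))
    return routes


def lookup(routes, addr):
    """Longest-prefix-match lookup; returns (network, gateway, netif) or None."""
    addr = ipaddress.ip_address(addr)
    best = None
    for net, gw, netif in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, netif)
    return best


def parse_spd(text):
    """Return tunnel-mode ESP policies as dicts with direction and outer addresses."""
    return [{"dir": m.group(4), "outer_src": m.group(5), "outer_dst": m.group(6)}
            for m in SPD_RE.finditer(text)]


def check_esp_paths(netstat_text, ipsec_text):
    """For each outbound tunnel, report which gateway/interface the kernel route
    picks for the ESP packet and whether that gateway lies in the outer source
    address's own directly connected network (a 'link#' route)."""
    routes = parse_routes(netstat_text)
    connected = [net for net, gw, _ in routes if gw.startswith("link#")]
    report = []
    for pol in parse_spd(ipsec_text):
        if pol["dir"] != "out":
            continue
        hit = lookup(routes, pol["outer_dst"])
        src = ipaddress.ip_address(pol["outer_src"])
        src_net = next((n for n in connected if src in n), None)
        if hit is None:
            gw, netif, symmetric = None, None, False
        else:
            _, gw, netif = hit
            # Directly connected destinations need no gateway; otherwise the gateway
            # should be in the outer source's subnet, or the ESP packet leaves with a
            # source address the upstream provider on that path may not accept.
            symmetric = gw.startswith("link#") or (
                src_net is not None and ipaddress.ip_address(gw) in src_net)
        report.append({"outer_src": pol["outer_src"], "outer_dst": pol["outer_dst"],
                       "gateway": gw, "netif": netif, "symmetric": symmetric})
    return report


if __name__ == "__main__":
    for r in check_esp_paths(NETSTAT_RN, IPSEC_CONF):
        state = "ok" if r["symmetric"] else "MISMATCH: relies on a route-to override"
        print(f"ESP {r['outer_src']} -> {r['outer_dst']} via {r['gateway']} "
              f"on {r['netif']}: {state}")
```

Run against the quoted data, the 111.0.0.2 -> 113.0.0.2 tunnel comes out consistent (default gateway 111.0.0.1 is inside 111.0.0.0/27), while the 112.0.0.2 -> 114.0.0.2 tunnel is flagged: the kernel would send its ESP to 111.0.0.1 as well, which matches the behaviour described earlier in the thread. The same check can be re-run after adding or changing a route, which is a cheap way to confirm whether a fix needs to live in the routing table or in pf.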