Date: Tue, 19 Nov 2002 15:35:31 -0500
From: "Cambria, Mike" <mcambria@avaya.com>
To: 'Archie Cobbs' <archie@dellroad.org>, Guido van Rooij <guido@gvr.org>
Cc: David Kelly <dkelly@HiWAAY.net>, Scott Ullrich <sullrich@CRE8.COM>, "'greg.panula@dolaninformation.com'" <greg.panula@dolaninformation.com>, FreeBSD-stable@FreeBSD.ORG
Subject: RE: IPsec/gif VPN tunnel packets on wrong NIC in ipfw?
Message-ID: <3A6D367EA1EFD4118C9B00A0C9DD99D7E4EF40@rerun.avayactc.com>
> -----Original Message-----
> From: Archie Cobbs [mailto:archie@dellroad.org]
>
> I think the bug is that in esp4_input() the "detunneled" packet
> is placed back onto the IP input queue 'ipintrq' without the
> 'm->m_pkthdr.rcvif' being updated to point to the gif interface.

Is the packet _always_ placed back on ipintrq?

This thread helped me with a problem I had. Since moving from 4.6-Stable (cvsup'ed just after 4.6.2-Rel) to 4.7 a day ago, I found out that I now need to put ipfw rules in for traffic leaving the IPsec tunnel (IPsec tunnel mode, not gif + IPIP tunnels for IPsec transport mode.)

The rules work _except_ in one case. That being when the end of the tunnel is also the end of the encapsulated traffic. Specifically, when I telnet to the tunnel endpoint itself, and there is an IPsec SPD entry to match on telnet traffic from any port on the source machine to port 23 on the tunnel endpoint machine.

If the packet always goes back onto the ip input queue, I can't see why this traffic doesn't make it while packets routed through the machine work.

Thanks,
MikeC
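Archie's diagnosis quoted above turns on which interface the re-injected packet appears to arrive on: an ipfw rule written with `via <iface>` is compared against the receive interface recorded on the packet, so a decapsulated packet that still carries the physical NIC as its receive interface will not hit a rule written for the gif interface. The Python model below is an added illustration, not code from the thread or from FreeBSD. It parses a constructed subset of ipfw rule syntax, evaluates first-match order, and shows the same decapsulated telnet packet landing on the final deny when its receive interface is left as `fxp0` and on the allow rule when it is reported as `gif0`. The interface names, addresses and ruleset are assumptions; the model does not reproduce the kernel's ESP path, and it does not cover the tunnel-mode endpoint case Mike describes.

```python
"""Toy first-match evaluator for a subset of ipfw rules (constructed example).

Models only the fields needed to show why an interface-keyed rule misses a
re-injected packet whose receive interface was never updated.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Packet:
    proto: str            # "tcp", "udp", "esp", ...
    src: str
    dst: str
    dport: Optional[int]  # None for protocols without ports
    rcvif: str            # interface the packet is recorded as received on


@dataclass
class Rule:
    number: int
    action: str
    proto: str
    src: str              # "any", a host address, or a CIDR prefix
    dst: str
    dport: Optional[int]
    via: Optional[str]    # interface constraint, or None for "any interface"


def parse_rule(text: str) -> Rule:
    """Parse e.g. '200 allow tcp from 10.1.0.0/16 to 10.0.0.1 23 via gif0'.

    Supported grammar (assumed subset): <num> <action> <proto> from <src> to
    <dst> [<dport>] [via <iface>]. Anything else raises ValueError.
    """
    tok = text.split()
    if len(tok) < 7 or tok[3] != "from" or tok[5] != "to":
        raise ValueError(f"unsupported rule syntax: {text!r}")
    dport = via = None
    rest = tok[7:]
    i = 0
    while i < len(rest):
        if rest[i] == "via" and i + 1 < len(rest):
            via = rest[i + 1]
            i += 2
        elif rest[i].isdigit():
            dport = int(rest[i])
            i += 1
        else:
            raise ValueError(f"unsupported option {rest[i]!r} in {text!r}")
    return Rule(int(tok[0]), tok[1], tok[2], tok[4], tok[6], dport, via)


def addr_match(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto not in ("ip", pkt.proto):
        return False
    if not addr_match(rule.src, pkt.src) or not addr_match(rule.dst, pkt.dst):
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    # The interface check is the whole point: it compares against rcvif.
    if rule.via is not None and rule.via != pkt.rcvif:
        return False
    return True


def first_match(rules: List[Rule], pkt: Packet) -> Optional[Rule]:
    """ipfw semantics: rules are tried in ascending order, first hit wins."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule
    return None


# Constructed ruleset: encrypted ESP is accepted on the physical NIC, the
# decapsulated telnet session is expected to appear on the gif interface,
# and everything else is denied.
RULESET = [parse_rule(r) for r in (
    "100 allow esp from 192.0.2.2 to 192.0.2.1 via fxp0",
    "200 allow tcp from 10.1.0.0/16 to 10.0.0.1 23 via gif0",
    "65000 deny ip from any to any",
)]


def decide_for_rcvif(rcvif: str) -> int:
    """Rule number that fires for the decapsulated telnet packet, given the
    receive interface the kernel left on it."""
    pkt = Packet("tcp", "10.1.2.3", "10.0.0.1", 23, rcvif)
    matched = first_match(RULESET, pkt)
    return matched.number if matched else -1


if __name__ == "__main__":
    # rcvif left as the physical NIC (the behaviour Archie describes) -> deny
    print("rcvif=fxp0 ->", decide_for_rcvif("fxp0"))
    # rcvif updated to the gif interface (what the rule author expected) -> allow
    print("rcvif=gif0 ->", decide_for_rcvif("gif0"))
```

A practical way to confirm which interface decapsulated packets are attributed to on a live system is a temporary `count` rule early in the ruleset (for example `ipfw add 1 count ip from any to any via gif0`) and compare its counter with one keyed on the physical NIC while a known session runs through the tunnel.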