From owner-freebsd-net@FreeBSD.ORG Tue Aug 14 10:55:10 2007
From: Eric Masson
To: "Bjoern A. Zeeb"
Cc: Mailing List FreeBSD Network
Subject: Re: pf rdr statement & ipsec processing interaction
Date: Tue, 14 Aug 2007 12:54:59 +0200
Message-ID: <86fy2mjsho.fsf@srvbsdnanssv.interne.kisoft-services.com>
In-Reply-To: <20070814101809.Q87821@maildrop.int.zabbadoz.net> (Bjoern A. Zeeb's message of "Tue, 14 Aug 2007 10:18:46 +0000 (UTC)")
References: <867inzn945.fsf@srvbsdnanssv.interne.kisoft-services.com> <20070813091634.C87821@maildrop.int.zabbadoz.net> <86k5ryjutw.fsf@srvbsdnanssv.interne.kisoft-services.com> <20070814101809.Q87821@maildrop.int.zabbadoz.net>
X-Operating-System: FreeBSD 6.2-RELEASE-p7 i386
User-Agent: Gnus/5.1008 (Gnus v5.10.8) XEmacs/21.5-b28 (berkeley-unix)
List-Id: Networking and TCP/IP with FreeBSD

"Bjoern A. Zeeb" writes:

> ifconfig enc0 | grep UP
>
> if not, ifconfig enc0 up

Ok, this is better as mpd4 receives l2tp packets, thanks :)

emss@freebsd6:~> sudo /usr/local/sbin/mpd4
Multi-link PPP daemon for FreeBSD

process 1586 started, version 4.2.2 (root@freebsd6 22:09 9-Aug-2007)
CONSOLE: listening on 127.0.0.1 5005
[l2tp1] using interface ng1
[l2tp2] using interface ng2
[l2tp3] using interface ng3
[l2tp4] using interface ng4
[l2tp5] using interface ng5
L2TP: waiting for connection on 10.127.0.1 1701
Incoming L2TP packet from 192.168.1.105 1701

But from the dump on the vxn0 interface, response packets are not passed to the ipsec layer (192.168.1.105 is the remote XP host):

emss@freebsd6:~> sudo tcpdump -n -i vxn0 not tcp port 22
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on vxn0, link-type EN10MB (Ethernet), capture size 96 bytes
12:43:50.408045 IP 192.168.1.105.500 > 192.168.1.231.500: isakmp: phase 1 I ident
12:43:50.413619 IP 192.168.1.231.500 > 192.168.1.105.500: isakmp: phase 1 R ident
12:43:50.472048 IP 192.168.1.105.500 > 192.168.1.231.500: isakmp: phase 1 I ident
12:43:50.591613 IP 192.168.1.231.500 > 192.168.1.105.500: isakmp: phase 1 R ident
12:43:50.863929 IP 192.168.1.105.500 > 192.168.1.231.500: isakmp: phase 1 I ident[E]
12:43:50.939090 IP 192.168.1.231.500 > 192.168.1.105.500: isakmp: phase 1 R ident[E]
12:43:50.943675 IP 192.168.1.105.500 > 192.168.1.231.500: isakmp: phase 2/others I oakley-quick[E]
12:43:50.961028 IP 192.168.1.231.500 > 192.168.1.105.500: isakmp: phase 2/others R oakley-quick[E]
12:43:50.977231 IP 192.168.1.105.500 > 192.168.1.231.500: isakmp: phase 2/others I oakley-quick[E]
12:43:51.013177 IP 192.168.1.105 > 192.168.1.231: ESP(spi=0x0eb4187d,seq=0x1), length 140
12:43:51.064857 IP 192.168.1.231.1701 > 192.168.1.105.1701: l2tp:[TLS](3/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) |...
12:43:51.960621 IP 192.168.1.105 > 192.168.1.231: ESP(spi=0x0eb4187d,seq=0x2), length 140
12:43:51.962668 IP 192.168.1.231.1701 > 192.168.1.105.1701: l2tp:[TLS](3/0)Ns=1,Nr=1 ZLB
12:43:52.020466 IP 192.168.1.231.1701 > 192.168.1.105.1701: l2tp:[TLS](3/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) |...
12:43:53.942587 IP 192.168.1.105 > 192.168.1.231: ESP(spi=0x0eb4187d,seq=0x3), length 140
12:43:53.943445 IP 192.168.1.231.1701 > 192.168.1.105.1701: l2tp:[TLS](3/0)Ns=1,Nr=1 ZLB
12:43:53.943710 IP 192.168.1.231.1701 > 192.168.1.105.1701: l2tp:[TLS](3/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) |...
12:43:57.742123 IP 192.168.1.105 > 192.168.1.231: ESP(spi=0x0eb4187d,seq=0x4), length 140
12:43:57.745058 IP 192.168.1.231.1701 > 192.168.1.105.1701: l2tp:[TLS](3/0)Ns=1,Nr=1 ZLB
12:43:57.789932 IP 192.168.1.231.1701 > 192.168.1.105.1701: l2tp:[TLS](3/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) |...
12:44:07.186961 IP 192.168.1.231.1701 > 192.168.1.105.1701: l2tp:[TLS](3/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) |...
12:44:07.208935 IP 192.168.1.105 > 192.168.1.231: ESP(spi=0x0eb4187d,seq=0x5), length 140
12:44:07.209418 IP 192.168.1.231.1701 > 192.168.1.105.1701: l2tp:[TLS](3/0)Ns=1,Nr=1 ZLB
12:44:16.802284 IP 192.168.1.231.1701 > 192.168.1.105.1701: l2tp:[TLS](3/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) |...
12:44:16.849849 IP 192.168.1.105 > 192.168.1.231: ESP(spi=0x0eb4187d,seq=0x6), length 140
12:44:16.849860 IP 192.168.1.231.1701 > 192.168.1.105.1701: l2tp:[TLS](3/0)Ns=1,Nr=1 ZLB
12:44:18.808989 IP 192.168.1.105.500 > 192.168.1.231.500: isakmp: phase 2/others I inf[E]
12:44:18.821602 IP 192.168.1.105.500 > 192.168.1.231.500: isakmp: phase 2/others I inf[E]
12:44:26.418196 IP 192.168.1.231.1701 > 192.168.1.105.1701: l2tp:[TLS](3/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) |...
12:44:36.033944 IP 192.168.1.231.1701 > 192.168.1.105.1701: l2tp:[TLS](3/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) |...

I don't really understand here, as the ipsec selectors are the following:

emss@freebsd6:~> sudo /usr/local/sbin/setkey -DP
0.0.0.0/0[any] 192.168.1.231[1701] udp
	in ipsec
	esp/transport//require
	spid=1 seq=2 pid=2086
	refcnt=1
192.168.1.105[1701] 192.168.1.231[1701] udp
	in ipsec
	esp/transport//require
	spid=6 seq=1 pid=2086
	refcnt=1
192.168.1.231[1701] 192.168.1.105[1701] udp
	out ipsec
	esp/transport//require
	spid=7 seq=0 pid=2086
	refcnt=1

So outgoing l2tp packets should be esp transformed, right?

Regards

Éric Masson

--
E> sorry but I'm not really used to discussion groups
Lesson no. 1: reply at the top and delete the message you are replying to
This deletion makes reading much easier!!!
-+- DrN in: Le Neuneu par l'exemple -+-
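The mismatch Éric describes (an `out ... esp/transport//require` entry in the SPD, yet L2TP SCCRP replies leaving vxn0 in the clear) is easiest to pin down by cross-checking the capture against the policy database mechanically. The script below is an added example written for this page, not code from the mail, from mpd or from FreeBSD: it parses `setkey -DP` output and `tcpdump -n` lines, classifies each captured packet by direction relative to the local host, and reports every non-ESP packet whose first matching SPD entry says `ipsec ... require`. The SPD text and the capture lines embedded in it are constructed copies of a few of the lines quoted above, and it assumes 192.168.1.231 (the mpd4 host) is also the host that ran tcpdump; the function names are my own.

```python
"""Cross-check a 'tcpdump -n' capture against the setkey(8) SPD (added example, see lead-in)."""
import ipaddress
import re
from collections import namedtuple
from dataclasses import dataclass

LOCAL_ADDR = "192.168.1.231"  # assumption: the mpd4 host is also the capture host

# 'setkey -DP' output, constructed from the three entries quoted in the mail
SPD_TEXT = """\
0.0.0.0/0[any] 192.168.1.231[1701] udp
    in ipsec
    esp/transport//require
    spid=1 seq=2 pid=2086
192.168.1.105[1701] 192.168.1.231[1701] udp
    in ipsec
    esp/transport//require
    spid=6 seq=1 pid=2086
192.168.1.231[1701] 192.168.1.105[1701] udp
    out ipsec
    esp/transport//require
    spid=7 seq=0 pid=2086
"""
# a few of the 'tcpdump -n -i vxn0' lines quoted in the mail (constructed sample)
CAPTURE_TEXT = """\
12:43:50.408045 IP 192.168.1.105.500 > 192.168.1.231.500: isakmp: phase 1 I ident
12:43:51.013177 IP 192.168.1.105 > 192.168.1.231: ESP(spi=0x0eb4187d,seq=0x1), length 140
12:43:51.064857 IP 192.168.1.231.1701 > 192.168.1.105.1701: l2tp:[TLS](3/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) |...
12:43:51.960621 IP 192.168.1.105 > 192.168.1.231: ESP(spi=0x0eb4187d,seq=0x2), length 140
12:43:51.962668 IP 192.168.1.231.1701 > 192.168.1.105.1701: l2tp:[TLS](3/0)Ns=1,Nr=1 ZLB
"""

Packet = namedtuple("Packet", "ts src sport dst dport proto direction summary")  # proto: esp|udp, direction: in|out

@dataclass
class Policy:
    src: ipaddress.IPv4Network
    sport: "int | None"           # None stands for [any]
    dst: ipaddress.IPv4Network
    dport: "int | None"
    proto: str
    direction: str = ""           # in / out / fwd
    action: str = ""              # ipsec / discard / none
    level: str = ""               # require / use / default / unique
    spid: int = 0

    def matches(self, p):
        return (self.direction == p.direction and self.proto in ("any", p.proto)
                and p.src in self.src and p.dst in self.dst
                and self.sport in (None, p.sport) and self.dport in (None, p.dport))

def _endpoint(tok):
    """'0.0.0.0/0[any]' -> (0.0.0.0/0, None); '192.168.1.231[1701]' -> (192.168.1.231/32, 1701)."""
    addr, port = re.fullmatch(r"(\S+)\[(\S+)\]", tok).groups()
    return ipaddress.ip_network(addr, strict=False), None if port == "any" else int(port)

def parse_spd(text):
    """Parse 'setkey -DP': an unindented 'src[port] dst[port] proto' line, then indented detail lines."""
    policies = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and not raw[0].isspace():
            s, d, proto = line.split()
            policies.append(Policy(*_endpoint(s), *_endpoint(d), proto))
        elif m := re.fullmatch(r"(in|out|fwd) (ipsec|discard|none)", line):
            policies[-1].direction, policies[-1].action = m.groups()
        elif m := re.match(r"(esp|ah|ipcomp)/(transport|tunnel)/[^/]*/(require|use|default|unique)", line):
            policies[-1].level = m.group(3)
        elif m := re.search(r"spid=(\d+)", line):
            policies[-1].spid = int(m.group(1))
    return policies

_PKT = re.compile(r"(\S+) IP (\d+\.\d+\.\d+\.\d+)(?:\.(\d+))? > (\d+\.\d+\.\d+\.\d+)(?:\.(\d+))?: (.*)")

def parse_capture(text, local=LOCAL_ADDR):
    """Parse 'tcpdump -n' lines, keeping ESP / ISAKMP / L2TP and tagging direction relative to local."""
    pkts = []
    for line in text.splitlines():
        m = _PKT.fullmatch(line.strip())
        if not m:
            continue
        ts, s, sp, d, dp, payload = m.groups()
        # ESP is already protected on the wire; isakmp/l2tp are only decoded by tcpdump over UDP
        proto = "esp" if payload.startswith("ESP(") else "udp" if payload.startswith(("isakmp", "l2tp")) else None
        direction = "out" if s == local else "in" if d == local else None
        if proto and direction:
            pkts.append(Packet(ts, ipaddress.ip_address(s), int(sp) if sp else None,
                               ipaddress.ip_address(d), int(dp) if dp else None, proto, direction, payload))
    return pkts

def find_cleartext_violations(policies, pkts):
    """(timestamp, spid, description) for every non-ESP packet whose first matching policy is
    'ipsec ... require'. First listed match wins (an approximation of the kernel's ordered SPD walk)."""
    hits = []
    for p in pkts:
        if p.proto == "esp":
            continue
        pol = next((q for q in policies if q.matches(p)), None)
        if pol and pol.action == "ipsec" and pol.level == "require":
            hits.append((p.ts, pol.spid, f"{p.direction} {p.src}:{p.sport} > {p.dst}:{p.dport} {p.summary[:24]}"))
    return hits
```

Calling `find_cleartext_violations(parse_spd(SPD_TEXT), parse_capture(CAPTURE_TEXT))` on the embedded sample returns exactly the two outbound SCCRP/ZLB packets, both attributed to spid=7, while the ISAKMP exchange (port 500, covered by no policy) and the inbound ESP are left alone. On a real box, feed it `setkey -DP` and a `tcpdump -n` capture taken on the physical interface; anything it lists is traffic the SPD promised to protect but that the stack sent in the clear, which is the symptom to chase rather than the L2TP layer itself.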