pf rdr statement & ipsec processing interaction
Bjoern A. Zeeb
bzeeb-lists at lists.zabbadoz.net
Mon Aug 13 09:20:07 UTC 2007
On Mon, 13 Aug 2007, Eric Masson wrote:
> Hello,
>
> I'm trying to setup a FreeBSD 6.2 box as l2tp/ipsec server for MS
> workstations (FAST_IPSEC + Yvan's NAT-T patch)
>
> Thanks to mpd4, the l2tp part works fine. As the box could ultimately have
> only a dynamic ip address, I've made mpd listen on a loopback interface
> on the box and then redirected incoming l2tp traffic to this loopback
> interface:
>
> $ ifconfig lo1
> lo1: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
> inet 10.127.0.1 netmask 0xff000000
>
> $ cat /usr/local/etc/mpd4/mpd.links
> l2tp1:
> set link type l2tp
> set l2tp self 10.127.0.1
> set l2tp enable incoming
> set l2tp disable originate
>
> $ cat /etc/pf.conf
> ext_if="vxn0"
> rdr on $ext_if proto udp from any to ($ext_if) port 1701 -> 10.127.0.1 port 1701
>
> If ipsec isn't enabled (no spd & no racoon running on the freebsd side,
> ipsec disabled on the xp box), this setup works fine.
>
> If ipsec is enabled on the box and on the xp box, phase I & phase II
> succeed but mpd4 doesn't get any l2tp packet.
>
> If I set up mpd4 to listen on the external interface address and disable
> the pf rdr rule, everything works fine (ipsec enabled or disabled).
>
> From this, it seems that the pf rdr rule isn't applied to the incoming l2tp
> packets once they've been ipsec processed.
>
> Is this an expected behaviour or a bug?

This is expected behavior. You want to read about the
IPSEC_FILTERTUNNEL (fka. IPSEC_FILTERGIF) kernel option and
enc(4).
--
Bjoern A. Zeeb bzeeb at Zabbadoz dot NeT
Software is harder than hardware so better get it right the first time.
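As an added illustration of the approach Bjoern points to (not part of the original thread), here is how Eric's pf.conf would change once the kernel is built with `options IPSEC_FILTERTUNNEL` and the enc(4) interface is up: the decapsulated L2TP datagram is handed to pf a second time with enc0 as its interface, so the redirect has to be written on enc0 as well. That enc0 behaviour, and that rdr is honoured on enc0, are assumptions about such a setup, not something the thread confirms.

```pf
# Added example, not from the thread. Assumes a kernel built with
#   options IPSEC_FILTERTUNNEL
# and the enc(4) interface brought up (ifconfig enc0 up), so that packets
# are passed to pf again after ESP decapsulation, with enc0 as the interface.
ext_if="vxn0"
l2tp_srv="10.127.0.1"

# The external interface only ever sees the outer packets: IKE on UDP/500,
# ESP, and UDP/4500 when NAT-T is in use. A rdr for port 1701 here matches
# only cleartext L2TP, which is why the original rule worked without IPsec
# and stopped matching once the L2TP traffic was carried inside ESP.
# (pass rules are only needed if a block policy exists on $ext_if)
pass in on $ext_if proto udp from any to ($ext_if) port { 500, 4500 }
pass in on $ext_if proto esp from any to ($ext_if)

# After decapsulation the inner UDP/1701 datagram is seen on enc0, still
# addressed to the external interface's address. Redirect it there
# (assumption: rdr is honoured on enc0) to the loopback address mpd4
# listens on, and let it through on enc0.
rdr on enc0 proto udp from any to ($ext_if) port 1701 -> $l2tp_srv port 1701
pass in on enc0 proto udp from any to $l2tp_srv port 1701
```

Whether the inner packet reaches pf on enc0 at all depends on the kernel being built with the option Bjoern names; without it, the decapsulated datagram is delivered to the stack without another pass through the packet filter.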