[Bug 226411] PF does not properly keep state with GRE in IPSec
bugzilla-noreply at freebsd.org
bugzilla-noreply at freebsd.org
Tue Mar 13 01:05:56 UTC 2018
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=226411
--- Comment #2 from Eric Dombroski <eric at edombroski.com> ---
################# HOST 1 - ROUTER ###################################
root at fbsd12test1:~ # cat /etc/rc.conf
# /etc/rc.conf on host 1 (router): two interfaces, a GRE tunnel to host 2,
# IP forwarding, pf, and strongSwan.
hostname="fbsd12test1"
ifconfig_vmx0="inet 10.10.10.1 netmask 255.255.255.0"
ifconfig_vmx1="inet 10.6.0.1 netmask 255.255.254.0" #lan is a /23
cloned_interfaces="gre0"
# The ifconfig_gre0 value is a single line in the real file; it is wrapped
# across two lines below by the mail archive. Local end 10.1.0.1, peer
# 10.1.0.2, outer tunnel endpoints 10.10.10.1 -> 10.10.10.2, i.e. the same
# address pair the transport-mode IPsec SA in ipsec.conf covers.
ifconfig_gre0="inet 10.1.0.1 10.1.0.2 netmask 255.255.255.252 tunnel 10.10.10.1
10.10.10.2 link0 up"
# With forwarding enabled, pf on this host also evaluates traffic routed
# between vmx1 (LAN) and gre0, not only flows terminated locally.
gateway_enable="YES"
pf_enable="YES"
pflog_enable="YES"
sshd_enable="YES"
# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
dumpdev="AUTO"
strongswan_enable="YES"
root at fbsd12test1:~ # cat /etc/pf.conf
# /etc/pf.conf on host 1. Default deny, then pass by source address; pf
# applies "keep state" to pass rules by default, so each pass below is stateful.
set block-policy drop
set loginterface egress
set skip on lo0
# Intended to exempt gre0 from filtering. The reporter sees no effect;
# presumably because the GRE packets also traverse vmx0 in encapsulated form
# (IP proto 47, and ESP once the transport SA is up), where the vmx0 rules
# still apply. NOTE(review): confirm whether pf evaluates both the ESP packet
# and the decapsulated GRE packet on vmx0 and how state is keyed for them.
set skip on gre0 ### has no apparent effect? ###
#default block rules
block log all
# allow in from other host
# Source-only match on vmx0: covers GRE and ESP from 10.10.10.2 alike.
pass in quick on vmx0 from 10.10.10.0/24
# allow all in from lan subnet
# No "on" clause: a packet carrying a 10.6.0.0/23 source is accepted on any
# interface, including vmx0 and gre0, not only the LAN side (vmx1). Restrict
# with "on vmx1" (or add an antispoof rule for vmx1) to reject spoofed sources.
pass in quick from 10.6.0.0/23
# pass all output packets
pass out quick
root at fbsd12test1:~ # cat /usr/local/etc/ipsec.conf
# /usr/local/etc/ipsec.conf on host 1 (strongSwan). Parameter lines are
# indented under their section in the real file; the indentation appears to
# have been stripped by the mail archive.
config setup
uniqueids = yes
# Traffic that stays inside the LAN /23 is exempted from IPsec: a passthrough
# policy with no authentication, installed at startup (auto = route).
conn bypasslan
leftsubnet = 10.6.0.0/23
rightsubnet = 10.6.0.0/23
authby = never
type = passthrough
auto = route
# Host-to-host transport-mode SA between 10.10.10.1 and 10.10.10.2. The
# selectors (leftsubnet/rightsubnet below) are the two host addresses with no
# protocol or port restriction, so the GRE tunnel's outer packets between the
# same endpoints fall under this policy.
conn con1
fragmentation = yes
# "ike" accepts either IKE version when responding; pinning ikev2 would close
# the IKEv1 path. NOTE(review): verify the initiator-side meaning of "ike" for
# the installed strongSwan release.
keyexchange = ike
reauth = yes
# UDP encapsulation of ESP only if NAT is detected, not forced.
forceencaps = no
mobike = no
rekey = yes
# strongSwan installs the SPD entries for this conn into the kernel itself.
installpolicy = yes
type = transport
# Dead peer detection: probe every 10s, restart the connection after 60s.
dpdaction = restart
dpddelay = 10s
dpdtimeout = 60s
auto = route
left = 10.10.10.1
right = 10.10.10.2
leftid = 10.10.10.1
ikelifetime = 28800s
lifetime = 3600s
# Strict proposals (trailing "!"): AES-256, HMAC-SHA-256, MODP-4096 for IKE
# and for ESP (the DH group on the esp line gives PFS on rekey).
ike = aes256-sha256-modp4096!
esp = aes256-sha256-modp4096!
# Pre-shared-key authentication both ways; the SA's strength against an
# offline attacker rests entirely on the entropy of the PSK in ipsec.secrets.
leftauth = psk
rightauth = psk
rightid = 10.10.10.2
# Main mode only; IKEv1 aggressive mode with a PSK exposes the key to offline
# guessing, so keeping this "no" is the right choice.
aggressive = no
rightsubnet = 10.10.10.2
leftsubnet = 10.10.10.1
root at fbsd12test1:~ # cat /usr/local/etc/ipsec.secrets
# ipsec.secrets - strongSwan IPsec secrets file
# Selector: any local ID, remote ID 10.10.10.2. The PSK below is a test
# placeholder that is now public in this report; a deployment needs a long,
# randomly generated secret, and the file should be readable by root only.
%any 10.10.10.2 : PSK "testingtestingtesting"
################# HOST 2 - CLIENT ###################################
root at fbsd12test2:~ # cat /etc/rc.conf
# /etc/rc.conf on host 2 (client): one interface, the other end of the GRE
# tunnel, strongSwan, and no pf. Only host 1 filters in this setup.
hostname="fbsd12test2"
ifconfig_vmx0="inet 10.10.10.2 netmask 255.255.255.0"
cloned_interfaces="gre0"
# Single line in the real file, wrapped here by the mail archive. Local end
# 10.1.0.2, peer 10.1.0.1, outer endpoints 10.10.10.2 -> 10.10.10.1 (mirror
# of host 1's gre0).
ifconfig_gre0="inet 10.1.0.2 10.1.0.1 netmask 255.255.255.252 tunnel 10.10.10.2
10.10.10.1 link0 up"
pf_enable="NO"
sshd_enable="YES"
# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
dumpdev="AUTO"
strongswan_enable="YES"
root at fbsd12test2:~ # cat /usr/local/etc/ipsec.conf
# /usr/local/etc/ipsec.conf on host 2 (strongSwan): mirror of host 1's con1
# with left/right swapped. There is no bypasslan conn here, presumably because
# host 2 has no LAN interface. Parameter indentation appears stripped by the
# mail archive.
config setup
uniqueids = yes
# Host-to-host transport-mode SA between 10.10.10.2 and 10.10.10.1; the
# selectors are the two host addresses with no protocol or port restriction,
# so the GRE tunnel's outer packets are covered by this policy.
conn con1
fragmentation = yes
# "ike" accepts either IKE version when responding. NOTE(review): verify the
# initiator-side meaning of "ike" for the installed strongSwan release.
keyexchange = ike
reauth = yes
# UDP encapsulation of ESP only if NAT is detected, not forced.
forceencaps = no
mobike = no
rekey = yes
installpolicy = yes
type = transport
# Dead peer detection: probe every 10s, restart the connection after 60s.
dpdaction = restart
dpddelay = 10s
dpdtimeout = 60s
auto = route
left = 10.10.10.2
right = 10.10.10.1
leftid = 10.10.10.2
ikelifetime = 28800s
lifetime = 3600s
# Strict proposals (trailing "!"), identical to host 1's so negotiation can
# only succeed on AES-256 / HMAC-SHA-256 / MODP-4096.
ike = aes256-sha256-modp4096!
esp = aes256-sha256-modp4096!
# PSK authentication both ways; see ipsec.secrets for the shared secret.
leftauth = psk
rightauth = psk
rightid = 10.10.10.1
# Main mode only (aggressive mode with a PSK would expose the key to offline
# guessing).
aggressive = no
rightsubnet = 10.10.10.1
leftsubnet = 10.10.10.2
root at fbsd12test2:~ # cat /usr/local/etc/ipsec.secrets
# ipsec.secrets - strongSwan IPsec secrets file
# Selector: any local ID, remote ID 10.10.10.1. Same test PSK as host 1, so it
# is likewise public now; use a long random secret in a real deployment and
# keep the file readable by root only.
%any 10.10.10.1 : PSK "testingtestingtesting"
# Static route on host 2 sending the LAN /23 into the GRE tunnel.
# NOTE(review): 10.1.0.2 is host 2's own gre0 address per its ifconfig_gre0
# line; host 1's end of the point-to-point link is 10.1.0.1. Confirm the
# intended next hop (or use "-iface gre0" instead of a gateway address).
root at fbsd12test2:~ # route add -net 10.6.0.0/23 10.1.0.2
Test a TCP connection to a host on 10.6.0.0/23 (for instance, 10.6.0.10). The SYN
packet gets through, but the ACK doesn't get back. Also, ICMP traffic is let through
even if you remove the pass rules that would let it through.