On Sat, 5 Nov 2011 12:00:33 +0000 (UTC),
freebsd-stable-request@freebsd.org
wrote:
> Send freebsd-stable mailing list submissions to
> freebsd-stable@freebsd.org
>
> Today's Topics:
>
> 1. Re: fbsd 8.2, L2TP over IPsec and pf ? (Kurt Jaeger)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Fri, 4 Nov 2011 14:18:56 +0100
> From: Kurt Jaeger <lists@c0mplx.org>
> Subject: Re: fbsd 8.2, L2TP over IPsec and pf ?
> To: freebsd-stable@freebsd.org
> Message-ID: <20111104131856.GD68080@home.opsec.eu>
> Content-Type: text/plain; charset=us-ascii
>
> Hi!
>
>> I'm building a setup for incoming L2TP over IPsec connections
>> using FreeBSD 8.2-REL.
>>
>> IPsec based on ports/security/ipsec-tools, the l2tp part
>> works from net/mpd5/.
>>
>> If I disable the PF rules, everything works.
>>
>> If I enable the PF rules, the IPsec connection still comes up,
>> but the L2TP requests are lost somewhere in the PF rules 8-(
>>
>> Interestingly, tcpdump enc0 does not see any encrypted packets (!)
>> as long as the PF rules are active.
>>
>> Any hints on the PF rules required to allow those packets in?
I don't know the exact rules, but you can try logging all the outgoing and
incoming packets with the rules
pass in quick log all
pass out quick log all
and then see what is going on by displaying the logs on your console:
tcpdump -n -e -ttt -i pflog0
Finally, send packets through the firewall and see what has to pass, adding the appropriate
rule to your firewall.
Useful hint: use some other firewall like ipfw or ipf when you disable your
pf; the same thing you should do when you pass all the packets by pf.
> Turns out: ESP in/out was missing. set debug misc in the pf.conf
> is worth a lot 8-)
>
> Thanks for all help (by private mail).
>
> I'll try to document this setup on some webpage (but this will take
> 1-2 months due to other projects 8-(
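A pf.conf fragment that puts the two pieces of advice in this thread together, the temporary log-everything rules and the ESP pass that turned out to be missing, is added below as an illustration; it is not from either poster. The interface names (em0, enc0), the UDP ports for IKE (500), NAT-T (4500) and L2TP (1701), and the assumption that racoon from ipsec-tools and mpd5 listen on those ports are mine for a typical setup, not details taken from the thread.

```conf
# Added example pf.conf fragment for incoming L2TP over IPsec on FreeBSD 8.x.
# Assumptions (not from the thread): external interface em0, decrypted IPsec
# traffic appears on enc0, racoon (ipsec-tools) listens on UDP 500/4500,
# mpd5 listens on UDP 1701.
ext_if   = "em0"
ipsec_if = "enc0"

# "set debug misc" makes pf log rule-set and state events to syslog,
# which is what helped in the thread.
set debug misc
set skip on lo0

# Step 1 (temporary, debugging only): let everything through and log it,
# then watch with:  tcpdump -n -e -ttt -i pflog0
# Comment these two rules out again once the real rules below are in place.
#pass in  quick log all
#pass out quick log all

block in log all

# Step 2: IKE negotiation (and NAT traversal) to the local IPsec endpoint.
pass in  quick log on $ext_if proto udp from any to ($ext_if) port { 500, 4500 } keep state
pass out quick log on $ext_if proto udp from ($ext_if) to any port { 500, 4500 } keep state

# The rule that was missing in the thread: the encrypted ESP packets
# themselves, in both directions. If ESP is blocked on the external
# interface nothing gets decrypted, which is the likely reason tcpdump on
# enc0 showed no traffic while pf was enabled.
pass in  quick log on $ext_if proto esp from any to ($ext_if)
pass out quick log on $ext_if proto esp from ($ext_if) to any

# Step 3: the decrypted L2TP (UDP 1701) packets show up on enc0 and need
# their own rule; pf filters them a second time there.
pass in  quick log on $ipsec_if proto udp from any to any port 1701 keep state
pass out quick log on $ipsec_if proto udp from any to any port 1701 keep state

# Remaining outbound traffic from the box itself.
pass out quick on $ext_if keep state
```

Load it with pfctl -f /etc/pf.conf. While the two "pass ... log all" rules are uncommented, tcpdump -n -e -ttt -i pflog0 shows every packet together with the number of the rule that matched it, so a missing pass rule shows up as a logged block on the interface where the packet arrived.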