Hello,

I'm building a setup for incoming L2TP over IPsec connections using FreeBSD 8.2-REL. IPsec is based on ports/security/ipsec-tools; the L2TP part works from net/mpd5/.

If I disable the PF rules, everything works.

If I enable the PF rules, the IPsec connection still comes up, but the L2TP requests are lost somewhere in the PF rules 8-(

Interestingly, tcpdump on enc0 does not see any encrypted packets (!) as long as the PF rules are active.

Any hints on the PF rules required to allow those packets in?

Thanks!

--
pi@opsec.eu +49 171 3101372 9 years to go !
On Thu, 3 Nov 2011, Kurt Jaeger wrote:

> Hello,
>
> I'm building a setup for incoming L2TP over IPsec connections
> using FreeBSD 8.2-REL.

I assume you are explicitly using tunnel mode?

> IPsec based on ports/security/ipsec-tools, the l2tp part
> works from net/mpd5/.
>
> If I disable the PF rules, everything works.
>
> If I enable the PF rules, the IPsec connection still comes up,
> but the L2TP requests are lost somewhere in the PF rules 8-(
>
> Interestingly, tcpdump enc0 does not see any encrypted packets (!)
> as long as the PF rules are active.

Tried playing with the sysctls of enc(4)?

net.enc.in.ipsec_bpf_mask=0x00000003
net.enc.in.ipsec_filter_mask=0x00000003

> Any hints on the PF rules required to allow those packets in?

Need more details (if you want, also off-list).

--
Bjoern A. Zeeb                                 You have to have visions!
         Stop bit received. Insert coin for new address family.
Hi!

> I'm building a setup for incoming L2TP over IPsec connections
> using FreeBSD 8.2-REL.
>
> IPsec based on ports/security/ipsec-tools, the l2tp part
> works from net/mpd5/.
>
> If I disable the PF rules, everything works.
>
> If I enable the PF rules, the IPsec connection still comes up,
> but the L2TP requests are lost somewhere in the PF rules 8-(
>
> Interestingly, tcpdump enc0 does not see any encrypted packets (!)
> as long as the PF rules are active.
>
> Any hints on the PF rules required to allow those packets in?

Turns out: ESP in/out was missing.

set debug misc in the pf.conf is worth a lot 8-)

Thanks for all the help (by private mail). I'll try to document this setup on some webpage (but this will take 1-2 months due to other projects 8-(

--
pi@opsec.eu +49 171 3101372 9 years to go !
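For readers who land on this thread with the same symptom, here is a pf.conf fragment that puts the resolution into rules. It is an added example, not a configuration posted by anyone in the thread; the `$ext_if` macro, the interface name, and the `quick` ordering are assumptions, and the enc0 rules assume the enc(4) filter masks Bjoern suggested. The key point it encodes: IKE on UDP 500/4500 was already allowed (the SA came up), but ESP (IP protocol 50) was not, so the encrypted L2TP packets were dropped on the external interface before decryption, which is also why tcpdump on enc0 showed nothing.

```pf
# Added example (not from the thread): minimal pf.conf fragment for an
# L2TP/IPsec responder on FreeBSD 8.x with ipsec-tools (racoon) and mpd5.
# $ext_if is an assumed macro; set it to the real outside interface.
ext_if = "em0"

# Rule-match / state debugging on the console, as suggested in the thread.
set debug misc

# 1. IKE (UDP 500) and NAT-T (UDP 4500), so racoon can negotiate the SAs.
#    These were evidently already present, since the IPsec SA came up.
pass in  quick on $ext_if proto udp from any to ($ext_if) port { 500, 4500 } keep state
pass out quick on $ext_if proto udp from ($ext_if) to any port { 500, 4500 } keep state

# 2. ESP itself (IP protocol 50). This is the rule that was missing: without
#    it the SA exists, but every ESP payload is dropped on $ext_if before the
#    kernel decrypts it, so nothing ever reaches enc0.
pass in  quick on $ext_if proto esp from any to ($ext_if)
pass out quick on $ext_if proto esp from ($ext_if) to any

# 3. The decrypted L2TP (UDP 1701) shows up on enc0 and is filtered there
#    when net.enc.in.ipsec_filter_mask has the after-processing bit (0x2) set.
pass in  quick on enc0 proto udp from any to any port 1701 keep state
pass out quick on enc0 proto udp from any port 1701 to any keep state

# If the before-processing bit (0x1) is also set (mask 0x3, as suggested
# above), pf additionally sees the still-encrypted ESP packet on enc0;
# it has to be passed there as well or the packet dies on the second look.
pass quick on enc0 proto esp
```

To check where packets actually stop, load the rules with `pfctl -f /etc/pf.conf`, then compare `pfctl -vvsr` rule counters (the ESP rule's counters should move as soon as a client connects) with `tcpdump -ni enc0`: if enc0 stays silent while the IKE rules count up, the ESP pass on `$ext_if` is the first place to look. Note that `net.enc.in.ipsec_bpf_mask` controls what tcpdump on enc0 is shown, and `net.enc.in.ipsec_filter_mask` controls what pf is shown; both default independently, so a silent enc0 in tcpdump does not by itself prove pf never saw the traffic.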