Discussion:
pf rdr statement & ipsec processing interaction
Eric Masson
2007-08-13 08:15:22 UTC
Hello,

I'm trying to set up a FreeBSD 6.2 box as an l2tp/ipsec server for MS
workstations (FAST_IPSEC + Yvan's NAT-T patch)

Thanks to mpd4, the l2tp part works fine. As the box could in fine have
only a dynamic ip address, I've made mpd listen on a loopback interface
on the box and then redirected incoming l2tp traffic to this loopback
interface:

$ ifconfig lo1
lo1: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
inet 10.127.0.1 netmask 0xff000000

$ cat /usr/local/etc/mpd4/mpd.links
l2tp1:
set link type l2tp
set l2tp self 10.127.0.1
set l2tp enable incoming
set l2tp disable originate

$ cat /etc/pf.conf
ext_if="vxn0"
rdr on $ext_if proto udp from any to ($ext_if) port 1701 -> 10.127.0.1 port 1701

If ipsec isn't enabled (no spd & no racoon running on the freebsd side,
ipsec disabled on the xp box), this setup works fine.

If ipsec is enabled on the box and on the xp box, phase I & phase II
succeed but mpd4 doesn't get any l2tp packet.

If I set up mpd4 to listen on the external interface address and disable
the pf rdr rule, everything works fine (ipsec enabled or disabled).
From this, it seems that the pf rdr rule isn't applied to the incoming l2tp
packets once they've been ipsec processed.

Is this an expected behaviour or a bug?

TIA

Regards

Éric Masson
--
holding an ethernet cable up at arm's length across a restaurant dining room
so it doesn't fall into the tiramisu, while others talk over infrared,
that's real life, isn't it?
-+- DA in Guide du Macounet Pervers : http://www.le-visconti.net/ -+-
Bjoern A. Zeeb
2007-08-13 09:17:33 UTC
Post by Eric Masson
Hello,
I'm trying to set up a FreeBSD 6.2 box as an l2tp/ipsec server for MS
workstations (FAST_IPSEC + Yvan's NAT-T patch)
Thanks to mpd4, the l2tp part works fine. As the box could in fine have
only a dynamic ip address, I've made mpd listen on a loopback interface
on the box and then redirected incoming l2tp traffic to this loopback
$ ifconfig lo1
lo1: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
inet 10.127.0.1 netmask 0xff000000
$ cat /usr/local/etc/mpd4/mpd.links
set link type l2tp
set l2tp self 10.127.0.1
set l2tp enable incoming
set l2tp disable originate
$ cat /etc/pf.conf
ext_if="vxn0"
rdr on $ext_if proto udp from any to ($ext_if) port 1701 -> 10.127.0.1 port 1701
If ipsec isn't enabled (no spd & no racoon running on the freebsd side,
ipsec disabled on the xp box), this setup works fine.
If ipsec is enabled on the box and on the xp box, phase I & phase II
succeed but mpd4 doesn't get any l2tp packet.
If I set up mpd4 to listen on the external interface address and disable
the pf rdr rule, everything works fine (ipsec enabled or disabled).
From this, it seems that the pf rdr rule isn't applied to the incoming l2tp
packets once they've been ipsec processed.
Is this an expected behaviour or a bug?
this is expected behavior. You want to read about the
IPSEC_FILTERTUNNEL (fka. IPSEC_FILTERGIF) kernel option and
enc(4).
--
Bjoern A. Zeeb bzeeb at Zabbadoz dot NeT
Software is harder than hardware so better get it right the first time.
Eric Masson
2007-08-13 09:39:43 UTC
"Bjoern A. Zeeb" <bzeeb-***@lists.zabbadoz.net> writes:

Hi Bjoern,
Post by Bjoern A. Zeeb
this is expected behavior.
Fine,
Post by Bjoern A. Zeeb
You want to read about the IPSEC_FILTERTUNNEL (fka. IPSEC_FILTERGIF)
kernel option and enc(4).
Ok, thanks for your help

Regards

Éric Masson
--
DP> from what point is one no longer a neuneu? can it be treated?
It's a kind of childhood disease, so the answer is yes. The answer to
the question "can it be cured" is: not always.
-+- JdC in : Guide du Neuneu Usenetien - La maladie infantile -+-
Eric Masson
2007-08-14 10:04:27 UTC
"Bjoern A. Zeeb" <bzeeb-***@lists.zabbadoz.net> writes:

Hello Bjoern & all,
Post by Bjoern A. Zeeb
this is expected behavior. You want to read about the
IPSEC_FILTERTUNNEL (fka. IPSEC_FILTERGIF) kernel option and
enc(4).
I've compiled a new kernel with IPSEC_FILTERGIF; tcpdump can now see
unencrypted L2TP packets on external interfaces but the rdr rule doesn't
have any effect.

Just to be sure, I added "device enc" to the kernel configuration and
changed the rdr rule to:
rdr on enc0 proto udp from any to ($ext_if) port 1701 -> 10.127.0.1 port 1701

But no success atm. Any idea ?

Regards

Éric Masson
--
FYLG> Here, here's a URL that works fine:
FYLG> ftp://127.0.0.1/WaReZ/NiouZeS/WinDoZe/NeWSMoNGeR/SuPeR
that's nice except the address doesn't work, it gives me an error
-+- Furtif in Guide du Neuneu Usenet : <MODE CERVEAU OFF> -+-
Bjoern A. Zeeb
2007-08-14 10:18:46 UTC
Post by Eric Masson
Hello Bjoern & all,
Post by Bjoern A. Zeeb
this is expected behavior. You want to read about the
IPSEC_FILTERTUNNEL (fka. IPSEC_FILTERGIF) kernel option and
enc(4).
I've compiled a new kernel with IPSEC_FILTERGIF; tcpdump can now see
unencrypted L2TP packets on external interfaces but the rdr rule doesn't
have any effect.
Just to be sure, I added "device enc" to the kernel configuration and
rdr on enc0 proto udp from any to ($ext_if) port 1701 -> 10.127.0.1 port 1701
But no success atm. Any idea ?
ifconfig enc0 | grep UP

if not, ifconfig enc0 up
--
Bjoern A. Zeeb bzeeb at Zabbadoz dot NeT
Software is harder than hardware so better get it right the first time.
Eric Masson
2007-08-14 10:54:59 UTC
Post by Bjoern A. Zeeb
ifconfig enc0 | grep UP
if not, ifconfig enc0 up
Ok, this is better as mpd4 receives l2tp packets, thanks :)

***@freebsd6:~> sudo /usr/local/sbin/mpd4
Multi-link PPP daemon for FreeBSD
process 1586 started, version 4.2.2 (***@freebsd6 22:09 9-Aug-2007)
CONSOLE: listening on 127.0.0.1 5005
[l2tp1] using interface ng1
[l2tp2] using interface ng2
[l2tp3] using interface ng3
[l2tp4] using interface ng4
[l2tp5] using interface ng5
L2TP: waiting for connection on 10.127.0.1 1701
Incoming L2TP packet from 192.168.1.105 1701

But from the dump on the vxn0 interface, response packets are not passed to
the ipsec layer (192.168.1.105 is the remote XP host):

***@freebsd6:~> sudo tcpdump -n -i vxn0 not tcp port 22
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on vxn0, link-type EN10MB (Ethernet), capture size 96 bytes
12:43:50.408045 IP 192.168.1.105.500 > 192.168.1.231.500: isakmp: phase 1 I ident
12:43:50.413619 IP 192.168.1.231.500 > 192.168.1.105.500: isakmp: phase 1 R ident
12:43:50.472048 IP 192.168.1.105.500 > 192.168.1.231.500: isakmp: phase 1 I ident
12:43:50.591613 IP 192.168.1.231.500 > 192.168.1.105.500: isakmp: phase 1 R ident
12:43:50.863929 IP 192.168.1.105.500 > 192.168.1.231.500: isakmp: phase 1 I ident[E]
12:43:50.939090 IP 192.168.1.231.500 > 192.168.1.105.500: isakmp: phase 1 R ident[E]
12:43:50.943675 IP 192.168.1.105.500 > 192.168.1.231.500: isakmp: phase 2/others I oakley-quick[E]
12:43:50.961028 IP 192.168.1.231.500 > 192.168.1.105.500: isakmp: phase 2/others R oakley-quick[E]
12:43:50.977231 IP 192.168.1.105.500 > 192.168.1.231.500: isakmp: phase 2/others I oakley-quick[E]
12:43:51.013177 IP 192.168.1.105 > 192.168.1.231: ESP(spi=0x0eb4187d,seq=0x1), length 140
12:43:51.064857 IP 192.168.1.231.1701 > 192.168.1.105.1701: l2tp:[TLS](3/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) |...
12:43:51.960621 IP 192.168.1.105 > 192.168.1.231: ESP(spi=0x0eb4187d,seq=0x2), length 140
12:43:51.962668 IP 192.168.1.231.1701 > 192.168.1.105.1701: l2tp:[TLS](3/0)Ns=1,Nr=1 ZLB
12:43:52.020466 IP 192.168.1.231.1701 > 192.168.1.105.1701: l2tp:[TLS](3/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) |...
12:43:53.942587 IP 192.168.1.105 > 192.168.1.231: ESP(spi=0x0eb4187d,seq=0x3), length 140
12:43:53.943445 IP 192.168.1.231.1701 > 192.168.1.105.1701: l2tp:[TLS](3/0)Ns=1,Nr=1 ZLB
12:43:53.943710 IP 192.168.1.231.1701 > 192.168.1.105.1701: l2tp:[TLS](3/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) |...
12:43:57.742123 IP 192.168.1.105 > 192.168.1.231: ESP(spi=0x0eb4187d,seq=0x4), length 140
12:43:57.745058 IP 192.168.1.231.1701 > 192.168.1.105.1701: l2tp:[TLS](3/0)Ns=1,Nr=1 ZLB
12:43:57.789932 IP 192.168.1.231.1701 > 192.168.1.105.1701: l2tp:[TLS](3/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) |...
12:44:07.186961 IP 192.168.1.231.1701 > 192.168.1.105.1701: l2tp:[TLS](3/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) |...
12:44:07.208935 IP 192.168.1.105 > 192.168.1.231: ESP(spi=0x0eb4187d,seq=0x5), length 140
12:44:07.209418 IP 192.168.1.231.1701 > 192.168.1.105.1701: l2tp:[TLS](3/0)Ns=1,Nr=1 ZLB
12:44:16.802284 IP 192.168.1.231.1701 > 192.168.1.105.1701: l2tp:[TLS](3/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) |...
12:44:16.849849 IP 192.168.1.105 > 192.168.1.231: ESP(spi=0x0eb4187d,seq=0x6), length 140
12:44:16.849860 IP 192.168.1.231.1701 > 192.168.1.105.1701: l2tp:[TLS](3/0)Ns=1,Nr=1 ZLB
12:44:18.808989 IP 192.168.1.105.500 > 192.168.1.231.500: isakmp: phase 2/others I inf[E]
12:44:18.821602 IP 192.168.1.105.500 > 192.168.1.231.500: isakmp: phase 2/others I inf[E]
12:44:26.418196 IP 192.168.1.231.1701 > 192.168.1.105.1701: l2tp:[TLS](3/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) |...
12:44:36.033944 IP 192.168.1.231.1701 > 192.168.1.105.1701: l2tp:[TLS](3/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) |...

I don't really understand here, as the ipsec selectors are the following:

***@freebsd6:~> sudo /usr/local/sbin/setkey -DP
0.0.0.0/0[any] 192.168.1.231[1701] udp
in ipsec
esp/transport//require
spid=1 seq=2 pid=2086
refcnt=1
192.168.1.105[1701] 192.168.1.231[1701] udp
in ipsec
esp/transport//require
spid=6 seq=1 pid=2086
refcnt=1
192.168.1.231[1701] 192.168.1.105[1701] udp
out ipsec
esp/transport//require
spid=7 seq=0 pid=2086
refcnt=1

So outgoing l2tp packets should be esp transformed, right ?

Regards

Éric Masson
--
E> sorry but I'm not really used to discussion groups
Lesson no. 1: you reply at the top and delete the message you're replying to
That deletion makes reading a lot easier!!!
-+- DrN in <http://www.le-gnu.net> : Le Neuneu par l'exemple -+-
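The checks this thread converges on (enc0 up, rdr anchored on enc0, cleartext L2TP on the wire, SPD policies), as an added shell example that is not code from the thread; the sample outputs are constructed from the listings above, the enc0 and `pfctl -sn` line formats are assumed, and the SPD check for the lo1 address is a hypothesis to test, not a conclusion the thread reaches.

```shell
#!/bin/sh
# Added example, not code from the thread: its diagnostic steps as functions
# over command output, runnable on a live box or on the constructed samples.

# Bjoern's check: enc0 must be UP before pf sees decrypted packets on it.
enc_is_up() {                       # $1: output of `ifconfig enc0`
    printf '%s\n' "$1" | grep -q 'flags=[0-9a-fx]*<UP[,>]'
}

# Is the rdr anchored on enc0 (decrypted side) rather than on the external if?
rdr_on_enc0() {                     # $1: output of `pfctl -sn`
    printf '%s\n' "$1" | grep -Eq '^rdr on enc0 .*port = (1701|l2tp) ->'
}

# Detection: L2TP datagrams on the external interface in the clear. Protected
# ones appear as ESP, so every line counted here bypassed IPsec (0 is the goal).
cleartext_l2tp_count() {            # $1: output of `tcpdump -n -i $ext_if`
    printf '%s\n' "$1" | grep -c ' IP [0-9.]*\.1701 > [0-9.]*\.1701: l2tp:' || true
}

# Is there an "out" SPD policy whose source is the given address? The thread's
# SPD names only the external address while mpd answers from lo1 (hypothesis).
spd_out_policy_for() {              # $1: output of `setkey -DP`, $2: address
    printf '%s\n' "$1" | awk -v a="$2" '
        /^[0-9.]+\[[0-9]*\] [0-9.]+\[[0-9]*\] / { src = $1; sub(/\[.*/, "", src) }
        /^[ \t]*out ipsec/ && src == a          { found = 1 }
        END { exit !found }'
}

# Constructed samples (copied from the thread; enc0/pfctl formats assumed).
ENC0_UP='enc0: flags=41<UP,RUNNING> mtu 1536'
PFCTL_SN='rdr on enc0 inet proto udp from any to (vxn0) port = l2tp -> 10.127.0.1 port 1701'
TCPDUMP='12:43:51.013177 IP 192.168.1.105 > 192.168.1.231: ESP(spi=0x0eb4187d,seq=0x1), length 140
12:43:51.064857 IP 192.168.1.231.1701 > 192.168.1.105.1701: l2tp:[TLS](3/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) |...
12:43:51.962668 IP 192.168.1.231.1701 > 192.168.1.105.1701: l2tp:[TLS](3/0)Ns=1,Nr=1 ZLB'
SETKEY='192.168.1.105[1701] 192.168.1.231[1701] udp
    in ipsec
    esp/transport//require
192.168.1.231[1701] 192.168.1.105[1701] udp
    out ipsec
    esp/transport//require'

report() {                          # summarise the offline self-check
    enc_is_up "$ENC0_UP" && echo "enc0: UP"
    rdr_on_enc0 "$PFCTL_SN" && echo "rdr: on enc0"
    echo "cleartext l2tp on wire: $(cleartext_l2tp_count "$TCPDUMP")"
    spd_out_policy_for "$SETKEY" 10.127.0.1 || echo "no out policy for 10.127.0.1"
}
report
```

On a live box, feed the functions real output, e.g. `cleartext_l2tp_count "$(tcpdump -n -i vxn0 -c 50 udp port 1701)"`.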
Eric Masson
2007-08-18 11:58:43 UTC
Eric Masson <***@free.fr> writes:

Hello,
Post by Eric Masson
So outgoing l2tp packets should be esp transformed, right ?
I've been able to reproduce the problem on a -current box (sources from
yesterday), should I file a PR ?

Regards

Éric Masson
--
Is it true that you can meet someone on the internet?
Because I'm looking for my soulmate
-+- SR in: <http://www.le-gnu.net> - Neuneu a-t-il une âme ? -+-