
pf does not pass esp?



I've read it here several times: PF on -stable cannot pass esp packets,
while -current can.

Somehow, I must have misunderstood completely, because it works for me:
# tcpdump -e -v -i pflog0 host 130.236.218.63

21:39:39.342681 rule 31/0(match): pass in on xl1: esp rb-home-fw > proxyfw-ext spi 0x6A8F4C90 seq 386 len 92 (ttl 54, id 3518)

The PF rule that allows this is like:
pass in log on $ext_if proto esp from 130.236.218.63/32 to $ext_ip

So, how come this works for me, but not for others?
This is a misunderstanding, right?

So exactly what is the bug in PF that messes IPSec up, that people here are
talking about?

-- 

Rickard

                                               .--.        .--.
.----------------------------------------.     |  |        |  | .-.
|           Rickard Borgmäster           |     |  |        |  |/  /
|             doktorn@sub.nu             |   .-^  |  .--.  |     <
|         http://doktorn.sub.nu/         |  (  o  | ( () ) |  |\  \
`----------------------------------------'  `-----'  `--'  `--' `--'