
Re: pf does not pass esp?



On Thu, Mar 21, 2002 at 08:27:58PM +0100, Rickard Borgmäster wrote:
> On Thu, 21 Mar 2002 10:41:49 -0800
> Jason Ish <jason@codemonkey.net> hit the keyboard and punched:
> 
> > All IPsec traffic passes over enc0.  If you up enc0 then you can dump on
> > it and see your encrypted traffic.
> 
> Ok, had no clue. How can I bring enc0 up on boot? Maybe just:
> # touch /etc/hostname.enc0

You don't need to bring it up to nat on it.

> I have a custom kernel, but I do have enc0. It just wasn't up.
> Anyways, added a nat rule like that, and what do you know, it
> works. Almost. Now the connection is 50% encrypted :-/
> 
> tcpdumping on enc0 gives:
> 20:23:13.246779 (authentic,confidential): SPI 0x1f644dae:
> 130.236.218.63.1747 > 213.88.128.171.1494: . ack 1681 win 33304
> <nop,nop,timestamp 6070771 6142364> (DF) (encap)
> 
> while tcpdumping on xl1 gives:
> 20:23:13.809282 0:10:4b:cf:1f:e0 0:c0:7b:a3:71:b6 0800 66:
> 213.88.128.171.1494 > 130.236.218.63.1747: . ack 16099 win 16122
> <nop,nop,timestamp 6142370 6070827> (DF)
> 
> Seems as the return traffic won't go through the tunnel :-/

Add an outbound flow for your private network.

eg)
 ipsecadm flow -proto esp -src <your ip> -dst <remote endpoint ip> \
 -addr <private net>/<mask> <remote net>/<mask> -out \
 {-dontacq/-require/whatever}

The tunnel will then pick up the traffic, then NAT it, then encrypt it.
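A small check for the symptom discussed in this thread (one direction of a flow shows up encapsulated on enc0 while the other leaves the outer interface in the clear), added here as an example and not part of the original thread. It assumes tcpdump output lines shaped like the two quoted above, and that only the enc0 and outer-interface (xl1) captures are fed in; a capture on the inner LAN would naturally show cleartext. The sample lines are the two from the thread, re-typed as constructed input.

```python
import re
from collections import defaultdict

# "src.port > dst.port:" as tcpdump prints it for TCP.
FLOW_RE = re.compile(r'(\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):')
# Markers tcpdump puts on packets seen inside the ESP tunnel on enc0.
ESP_RE = re.compile(r'SPI 0x[0-9a-fA-F]+:|\(encap\)')

# Constructed sample input: the two capture lines quoted in the thread.
SAMPLE_ENC0 = ("20:23:13.246779 (authentic,confidential): SPI 0x1f644dae: "
               "130.236.218.63.1747 > 213.88.128.171.1494: . ack 1681 win 33304 "
               "<nop,nop,timestamp 6070771 6142364> (DF) (encap)")
SAMPLE_XL1 = ("20:23:13.809282 0:10:4b:cf:1f:e0 0:c0:7b:a3:71:b6 0800 66: "
              "213.88.128.171.1494 > 130.236.218.63.1747: . ack 16099 win 16122 "
              "<nop,nop,timestamp 6142370 6070827> (DF)")


def parse_line(line):
    """Return ((src, sport, dst, dport), encapsulated) or None for lines that are not TCP."""
    m = FLOW_RE.search(line)
    if not m:
        return None
    src, sport, dst, dport = m.groups()
    return (src, int(sport), dst, int(dport)), bool(ESP_RE.search(line))


def audit(lines):
    """Group packets by endpoint pair and record, per direction, whether they were
    seen inside ESP (enc0) or in the clear on the outer interface."""
    seen = defaultdict(lambda: {"encapsulated": set(), "cleartext": set()})
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        (src, sport, dst, dport), esp = parsed
        a, b = sorted([(src, sport), (dst, dport)])
        direction = "a>b" if (src, sport) == a else "b>a"
        seen[(a, b)]["encapsulated" if esp else "cleartext"].add(direction)
    return dict(seen)


def unprotected_directions(lines):
    """Directions that crossed the outer interface in the clear and never appeared in the tunnel."""
    return [(key, d) for key, s in audit(lines).items()
            for d in sorted(s["cleartext"] - s["encapsulated"])]


if __name__ == "__main__":
    for (a, b), d in unprotected_directions([SAMPLE_ENC0, SAMPLE_XL1]):
        print("unprotected:", a, "<->", b, "direction", d)
```

A flow where both directions are correctly picked up by the outbound flow will show every direction on enc0 and the function returns nothing.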