Hi! After switching from OpenBSD 3.1 (with Intel fxp0) to OpenBSD 3.5 (with Intel em0) I experienced some problems with pf. I have a user who is unable to send any data through his VPN-tunnel, the VPN tunnel is a setup with two Cisco routers in each end. When I activate pf in OpenBSD 3.5 the tunnel stops working, I don't need set any rules just activeting pf breaks the tunnel. I don't use any fancy things as bridgeing.
I can see the packets comeing in on the external interface (em0) but not comeing out on the interface (em1). The Cisco routers says that the initializing of the tunnel works but when I try to send traffic such as a ping throu it it doesn't work. I have seen some udp packets that tcpdump says has a bad checksum and I have tried to disable the udp checksum check in the kernel with no result. Everything works if I just disable pf but that is not an option because I need it to filter some traffic in the OpenBSD router. Any ideas of what causes this? is it a known problem in pf? tcpdump showed this: em0 (external) 16:32:00.979597 111.111.111.111.4500 > 222.222.222.222.16384: [no cksum] udpencap: esp 111.111.111.111 > 222.222.222.222 spi 0x71E8A8E7 seq 5 len 92 (ttl 55, id 65061) 16:32:02.981938 111.111.111.111.4500 > 222.222.222.222.16384: [no cksum] udpencap: esp 111.111.111.111 > 222.222.222.222 spi 0x71E8A8E7 seq 6 len 92 (ttl 55, id 65123) 16:32:15.000655 111.111.111.111.4500 > 222.222.222.222.16384: [no cksum] udpencap: esp 111.111.111.111 > 222.222.222.222 spi 0x71E8A8E7 seq 7 len 92 (ttl 55, id 65198) 16:32:17.003504 111.111.111.111.4500 > 222.222.222.222.16384: [no cksum] udpencap: esp 111.111.111.111 > 222.222.222.222 spi 0x71E8A8E7 seq 8 len 92 (ttl 55, id 65288) 16:32:19.006354 111.111.111.111.4500 > 222.222.222.222.16384: [no cksum] udpencap: esp 111.111.111.111 > 222.222.222.222 spi 0x71E8A8E7 seq 9 len 92 (ttl 55, id 65295) 16:32:31.123895 111.111.111.111.4500 > 222.222.222.222.16384: [no cksum] udpencap: esp 111.111.111.111 > 222.222.222.222 spi 0x71E8A8E7 seq 10 len 92 (ttl 55, id 65332) 16:32:33.124867 111.111.111.111.4500 > 222.222.222.222.16384: [no cksum] udpencap: esp 111.111.111.111 > 222.222.222.222 spi 0x71E8A8E7 seq 11 len 92 (ttl 55, id 65334) 16:32:35.128727 111.111.111.111.4500 > 222.222.222.222.16384: [no cksum] udpencap: esp 111.111.111.111 > 222.222.222.222 spi 0x71E8A8E7 seq 12 len 92 (ttl 55, id 65336) 16:32:47.146187 111.111.111.111.4500 > 222.222.222.222.16384: [no cksum] udpencap: esp 111.111.111.111 > 222.222.222.222 spi 0x71E8A8E7 seq 13 len 92 (ttl 55, id 65355) 16:32:49.151663 111.111.111.111.4500 > 222.222.222.222.16384: [no cksum] udpencap: esp 111.111.111.111 > 222.222.222.222 spi 0x71E8A8E7 seq 14 len 92 (ttl 55, id 65409) 16:32:51.152257 111.111.111.111.4500 > 222.222.222.222.16384: [no cksum] udpencap: esp 111.111.111.111 > 222.222.222.222 spi 0x71E8A8E7 seq 15 len 92 (ttl 55, id 65461) 16:33:03.169853 111.111.111.111.4500 > 222.222.222.222.16384: [no cksum] udpencap: esp 111.111.111.111 > 222.222.222.222 spi 0x71E8A8E7 seq 16 len 92 (ttl 55, id 74) 16:33:05.172449 111.111.111.111.4500 > 222.222.222.222.16384: [no cksum] udpencap: esp 111.111.111.111 > 222.222.222.222 spi 0x71E8A8E7 seq 17 len 92 (ttl 55, id 95) 16:33:07.175801 111.111.111.111.4500 > 222.222.222.222.16384: [no cksum] udpencap: esp 111.111.111.111 > 222.222.222.222 spi 0x71E8A8E7 seq 18 len 92 (ttl 55, id 100) 16:33:19.191767 111.111.111.111.4500 > 222.222.222.222.16384: [no cksum] udpencap: esp 111.111.111.111 > 222.222.222.222 spi 0x71E8A8E7 seq 19 len 92 (ttl 55, id 181) 16:33:21.193354 111.111.111.111.4500 > 222.222.222.222.16384: [no cksum] udpencap: esp 111.111.111.111 > 222.222.222.222 spi 0x71E8A8E7 seq 20 len 92 (ttl 55, id 287) 16:33:23.196597 111.111.111.111.4500 > 222.222.222.222.16384: [no cksum] udpencap: esp 111.111.111.111 > 222.222.222.222 spi 0x71E8A8E7 seq 21 len 92 (ttl 55, id 443) em1 (internal) 16:32:00.979674 111.111.111.111.4500 > 222.222.222.222.16384: [no cksum] udpencap: esp 111.111.111.111 > 222.222.222.222 spi 0x71E8A8E7 seq 5 len 92 (ttl 54, id 65061) 16:32:00.984909 222.222.222.222.16384 > 111.111.111.111.4500: udpencap: esp 222.222.222.222 > 111.111.111.111 spi 0x0C9FD07B seq 17 len 92 (ttl 63, id 24594) 16:32:01.148453 222.222.222.222.16384 > 111.111.111.111.4500: [bad udp cksum 1eef!] [|udpencap] (ttl 127, id 34044) 16:32:02.981959 111.111.111.111.4500 > 222.222.222.222.16384: [no cksum] udpencap: esp 111.111.111.111 > 222.222.222.222 spi 0x71E8A8E7 seq 6 len 92 (ttl 54, id 65123) 16:32:02.987129 222.222.222.222.16384 > 111.111.111.111.4500: udpencap: esp 222.222.222.222 > 111.111.111.111 spi 0x0C9FD07B seq 18 len 92 (ttl 63, id 24595) 16:32:10.148887 222.222.222.222.16384 > 111.111.111.111.4500: [bad udp cksum 1eef!] [|udpencap] (ttl 127, id 34045) 16:32:15.000679 111.111.111.111.4500 > 222.222.222.222.16384: [no cksum] udpencap: esp 111.111.111.111 > 222.222.222.222 spi 0x71E8A8E7 seq 7 len 92 (ttl 54, id 65198) 16:32:15.005818 222.222.222.222.16384 > 111.111.111.111.4500: udpencap: esp 222.222.222.222 > 111.111.111.111 spi 0x0C9FD07B seq 19 len 92 (ttl 63, id 24596) 16:32:17.003525 111.111.111.111.4500 > 222.222.222.222.16384: [no cksum] udpencap: esp 111.111.111.111 > 222.222.222.222 spi 0x71E8A8E7 seq 8 len 92 (ttl 54, id 65288) 16:32:17.008754 222.222.222.222.16384 > 111.111.111.111.4500: udpencap: esp 222.222.222.222 > 111.111.111.111 spi 0x0C9FD07B seq 20 len 92 (ttl 63, id 24597) 16:32:19.006373 111.111.111.111.4500 > 222.222.222.222.16384: [no cksum] udpencap: esp 111.111.111.111 > 222.222.222.222 spi 0x71E8A8E7 seq 9 len 92 (ttl 54, id 65295) 16:32:19.011512 222.222.222.222.16384 > 111.111.111.111.4500: udpencap: esp 222.222.222.222 > 111.111.111.111 spi 0x0C9FD07B seq 21 len 92 (ttl 63, id 24598) 16:32:19.149182 222.222.222.222.16384 > 111.111.111.111.4500: [bad udp cksum 1eef!] [|udpencap] (ttl 127, id 34046) 16:32:28.149623 222.222.222.222.16384 > 111.111.111.111.4500: [bad udp cksum 1eef!] [|udpencap] (ttl 127, id 34047) 16:32:31.123941 111.111.111.111.4500 > 222.222.222.222.16384: [no cksum] udpencap: esp 111.111.111.111 > 222.222.222.222 spi 0x71E8A8E7 seq 10 len 92 (ttl 54, id 65332) 16:32:31.129137 222.222.222.222.16384 > 111.111.111.111.4500: udpencap: esp 222.222.222.222 > 111.111.111.111 spi 0x0C9FD07B seq 22 len 92 (ttl 63, id 24599) 16:32:33.124888 111.111.111.111.4500 > 222.222.222.222.16384: [no cksum] udpencap: esp 111.111.111.111 > 222.222.222.222 spi 0x71E8A8E7 seq 11 len 92 (ttl 54, id 65334) 16:32:33.130119 222.222.222.222.16384 > 111.111.111.111.4500: udpencap: esp 222.222.222.222 > 111.111.111.111 spi 0x0C9FD07B seq 23 len 92 (ttl 63, id 24600) 16:32:35.128748 111.111.111.111.4500 > 222.222.222.222.16384: [no cksum] udpencap: esp 111.111.111.111 > 222.222.222.222 spi 0x71E8A8E7 seq 12 len 92 (ttl 54, id 65336) 16:32:35.133963 222.222.222.222.16384 > 111.111.111.111.4500: udpencap: esp 222.222.222.222 > 111.111.111.111 spi 0x0C9FD07B seq 24 len 92 (ttl 63, id 24601) 16:32:37.150052 222.222.222.222.16384 > 111.111.111.111.4500: [bad udp cksum 1eef!] [|udpencap] (ttl 127, id 34048) 16:32:46.150482 222.222.222.222.16384 > 111.111.111.111.4500: [bad udp cksum 1eef!] [|udpencap] (ttl 127, id 34049) 16:32:47.146229 111.111.111.111.4500 > 222.222.222.222.16384: [no cksum] udpencap: esp 111.111.111.111 > 222.222.222.222 spi 0x71E8A8E7 seq 13 len 92 (ttl 54, id 65355) 16:32:47.151405 222.222.222.222.16384 > 111.111.111.111.4500: udpencap: esp 222.222.222.222 > 111.111.111.111 spi 0x0C9FD07B seq 25 len 92 (ttl 63, id 24602) 16:32:49.151724 111.111.111.111.4500 > 222.222.222.222.16384: [no cksum] udpencap: esp 111.111.111.111 > 222.222.222.222 spi 0x71E8A8E7 seq 14 len 92 (ttl 54, id 65409) 16:32:49.157123 222.222.222.222.16384 > 111.111.111.111.4500: udpencap: esp 222.222.222.222 > 111.111.111.111 spi 0x0C9FD07B seq 26 len 92 (ttl 63, id 24603) 16:32:51.152277 111.111.111.111.4500 > 222.222.222.222.16384: [no cksum] udpencap: esp 111.111.111.111 > 222.222.222.222 spi 0x71E8A8E7 seq 15 len 92 (ttl 54, id 65461) 16:32:51.157469 222.222.222.222.16384 > 111.111.111.111.4500: udpencap: esp 222.222.222.222 > 111.111.111.111 spi 0x0C9FD07B seq 27 len 92 (ttl 63, id 24604) regards, Claes Leufven
