2008/10/31 Felipe Alfaro Solana <felipe.alf...@gmail.com>:
> Hi misc,
>
> I'm experiencing interaction problems between PF and the enc0
> interface. I've been reading several OpenBSD manual pages about how
> IPSec traffic filtering is supposed to work, but so far I'm unable to
> get IPSec filtering working for me.
>
> I have created an IPSec/IPv6-based VPN between two sites, one in
> Madrid and another in Zürich. Each side of the tunnel connects to the
> IPv6 internet using AICCU via a SixXS POP. This means that each VPN
> end-point has a tun0 interface where all IPv6 traffic is received and
> sent (I'm using dynamic AYIYA tunnels). The funny thing is that the
> enc0 interface on both end points sees the IPv6 traffic before and
> after IPSec encryption and encapsulation but PF seems to disagree and
> any filtering done on enc0 is completely ignored.
>
> To test my assumption, I created this very simple PF configuration
> file, with just two rules:
>
> pass in on enc0 no state
> pass out on enc0 no state
>
> The first thing I did not understand is that I have to use two
> different rules for in/out. Otherwise, pftop will display "I" in the
> direction column for this state, which leads me to think PF is only
> allowing inbound traffic. But I might be wrong.
>
> Next, from the C host, I run:
>
> # ping6 -c1 D::1
>
> in order to send some traffic across the VPN. At the same time, I run
> tcpdump on enc0 and this is what I see:
>
> # tcpdump -n -i enc0 -s 1800 -v
[...]

Interesting, I've never tried applying tcpdump to the enc0 interface. To debug I always add the 'log' keyword to every line in pf.conf and then apply tcpdump to the pflog0 interface.

[...]

> 14:15:19.913539 (authentic,confidential): SPI 0xcefeac0c: truncated-ip6 - 48 bytes missing!esp B::2 > A::2 spi 0xF2FC992F seq 30 len 148 (len 148, hlim 63)
> # ESP - encapsulated ICMPv6 Echo Reply from D::1 to C::1.

[...]

The 'bytes missing' might be due to the fact that headers are being stripped off.

-- 
jm
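As an added illustration of the debugging approach the reply describes (this is not configuration from either poster), here is the two-rule test ruleset from the original message with the 'log' keyword added, so that every packet matching on enc0 is copied to the pflog0 interface where it can be watched independently of what enc0 itself shows. The rules keep the 'no state' option the original poster used; the interface and address names are the ones from the thread.

```conf
# pf.conf: test ruleset for the enc0 interface with logging enabled.
# Every packet matched by these rules is also written to pflog0.
# (Added example; assumes the same enc0 setup as in the thread.)
pass in  log on enc0 no state
pass out log on enc0 no state

# Load it, then watch the logged packets on pflog0 instead of enc0:
#   # pfctl -f /etc/pf.conf
#   # tcpdump -n -e -ttt -i pflog0
# The -e flag prints the pflog header, which includes the rule number,
# the direction (in/out) and the interface the packet was matched on,
# so it shows directly whether PF is evaluating traffic on enc0 at all.
```

If nothing ever appears on pflog0 while enc0 visibly carries the traffic, PF is not seeing those packets on enc0 and the filtering problem lies before the ruleset; if the packets do appear with the expected rule number and direction, the rules are matching and the question becomes what they match against.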