On Tue, May 24, 2016 at 10:53:16AM +0200, Bruno Flueckiger wrote:
> Hi,
> 
> I've tested IPsec connections in my lab. The setup looks like this:
> 
> [cli] <-- vlan10 --> [gw1] <----> [inet] <----> [gw2] <-- vlan20 --> [srv]
>                           ========IPsec=========
> 
> During the testing I think I've found a flaw in ipsec.conf(5). According
> to the man page the esp packets need to be passed on interface sk0:
> 
> block on sk0
> block on enc0
>  
> pass  in on sk0 proto udp from 192.168.3.2 to 192.168.3.1 \
>       port {500, 4500}
> pass out on sk0 proto udp from 192.168.3.1 to 192.168.3.2 \
>       port {500, 4500}
>  
> pass  in on sk0 proto esp from 192.168.3.2 to 192.168.3.1
> pass out on sk0 proto esp from 192.168.3.1 to 192.168.3.2
>  
> My test setup didn't allow communication between [cli] and [srv]. Checking
> the reason on [gw1] using tcpdump -nettti pflog0 shows that esp packets
> are blocked by pf on enc0. So I included the interface enc0 in the pass
> rules for esp packets. After this the connections work as expected.
> 
> As a result of my tests I've created the diff below for ipsec.conf(5). Is
> this ok or did I miss something?
> 

i think you should provide more details of your setup first. for
example, ipsec.conf(5) shows pf rules for ipencap but you only provide a
small snippet of your pf.conf. no vlan details. none of your tcpdump
output that leads you to this conclusion. no routing details.

then keep your fingers crossed. i think most people run for the hills
when they see ipsec mail.

jmc

> Cheers,
> Bruno
> 
> Index: sbin/ipsecctl/ipsec.conf.5
> ===================================================================
> RCS file: /cvs/src/sbin/ipsecctl/ipsec.conf.5,v
> retrieving revision 1.151
> diff -u -p -r1.151 ipsec.conf.5
> --- sbin/ipsecctl/ipsec.conf.5        9 Dec 2015 21:41:50 -0000       1.151
> +++ sbin/ipsecctl/ipsec.conf.5        24 May 2016 08:24:49 -0000
> @@ -513,8 +513,8 @@ pass  in on sk0 proto udp from 192.168.3
>  pass out on sk0 proto udp from 192.168.3.1 to 192.168.3.2 \e
>       port {500, 4500}
>  
> -pass  in on sk0 proto esp from 192.168.3.2 to 192.168.3.1
> -pass out on sk0 proto esp from 192.168.3.1 to 192.168.3.2
> +pass  in on {sk0 enc0} proto esp from 192.168.3.2 to 192.168.3.1
> +pass out on {sk0 enc0} proto esp from 192.168.3.1 to 192.168.3.2
>  
>  pass  in on enc0 proto ipencap from 192.168.3.2 to 192.168.3.1 \e
>       keep state (if-bound)
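Review bot: the justification for widening the two esp rules to `{sk0 enc0}` is asserted but not shown in this mail; the pflog0 tcpdump output that reported esp being blocked on enc0 is not included, and neither is the rest of the pf.conf it ran under. The unchanged context in this hunk deliberately confines enc0 to `proto ipencap ... keep state (if-bound)`, so passing esp on enc0 relaxes what the example admits on that interface; before the man page example is loosened, the pflog lines and the full ruleset should accompany the diff so it is clear the block came from these rules and not from another rule in the test setup.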
