tech-crypto archive


Re: ipsec/ipfilter interaction problem



On Thu, Sep 25, 2003 at 08:38:50PM +0200, Christoph Kaegi wrote:
> 
> The docs on www.netbsd.org/Documentation/network/ipsec/#ipf-interaction
> say that ipf looks at packets BEFORE IPSEC processing on inbound traffic 
> and AFTER IPSEC processing on outbound traffic.

Yes.

> But suddenly, (after some amount of time or bytes) when I try to
> ssh from one to the other machine or when trying to send mail,
> the SYN-ACK reply of the responding machine gets blocked by its
> ipfilter:
>    
> -------------------------------------- 8< --------------------------------------
> Sep 25 20:13:45 hostb ipmon[102]: 20:13:44.159219 fxp1 @0:18 b 1.2.3.4,22 -> 5.6.7.8,52161 PR tcp len 20 60 -AS 861376014 1945689524 16384 OUT
> -------------------------------------- 8< --------------------------------------
> 
> This means, ipf blocks the packet, before it is IPSEC processed.

Or it means the packet wasn't IPSEC processed, did the SA die?

> Running /etc/rc.d/ipsec reload on those machines cures the problem.

Ahuh, so perhaps the SA did die.

You shouldn't need/have the "0.0.0.0 none" entries, but that in
itself won't make the SA go away.

--
Dan.
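An added example, not part of the thread or of NetBSD's own tooling: a small Python parser for the ipmon(8) line format quoted above, plus a check that applies the ordering Christoph cites (ipf sees outbound packets only after IPsec processing). Any outbound packet between two IPsec peers that is still plain TCP, rather than ESP or AH, when it reaches ipf was never protected by an SA, which is exactly what a dead SA would produce. The regex is derived from the single log line in the thread; the port-less form assumed for ESP lines, the extra sample lines and the peer address pair are constructed for this example.

```python
"""Parse ipmon(8) log lines and flag outbound cleartext traffic between IPsec peers."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple

# Field layout taken from the one ipmon line in the thread. The optional port
# groups (for ESP/AH, which ipmon prints without ports) are an assumption.
IPMON_RE = re.compile(
    r"(?P<month>\w{3}) +(?P<day>\d+) (?P<time>[\d:]+) (?P<host>\S+) ipmon\[\d+\]: "
    r"(?P<pkt_time>[\d:.]+) (?P<iface>\S+) @(?P<group>\d+):(?P<rule>\d+) "
    r"(?P<action>[bp]) (?P<src>[\d.]+)(?:,(?P<sport>\d+))? -> "
    r"(?P<dst>[\d.]+)(?:,(?P<dport>\d+))? "
    r"PR (?P<proto>\w+) len (?P<hlen>\d+) (?P<plen>\d+)"
    r"(?: -(?P<flags>[A-Z]+))?"   # TCP flag letters, e.g. AS for SYN-ACK
    r"(?: \d+ \d+ \d+)?"          # TCP seq, ack, window
    r" (?P<dir>IN|OUT)"
)


@dataclass
class IpmonEvent:
    host: str
    iface: str
    group: int
    rule: int
    action: str            # 'b' = blocked, 'p' = passed
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]
    proto: str
    flags: str             # '' when the packet is not TCP
    direction: str         # 'IN' or 'OUT'


def parse_ipmon(line: str) -> Optional[IpmonEvent]:
    """Return an IpmonEvent for one ipmon log line, or None if it does not match."""
    m = IPMON_RE.match(line.strip())
    if not m:
        return None
    g = m.groupdict()
    return IpmonEvent(
        host=g["host"], iface=g["iface"], group=int(g["group"]), rule=int(g["rule"]),
        action=g["action"], src=g["src"],
        sport=int(g["sport"]) if g["sport"] else None,
        dst=g["dst"], dport=int(g["dport"]) if g["dport"] else None,
        proto=g["proto"].lower(), flags=g["flags"] or "", direction=g["dir"],
    )


def is_syn_ack(ev: IpmonEvent) -> bool:
    """The symptom in the thread: a TCP segment carrying both SYN and ACK."""
    return ev.proto == "tcp" and {"A", "S"} <= set(ev.flags)


def cleartext_leaks(lines: Iterable[str], peers: Set[Tuple[str, str]]) -> List[IpmonEvent]:
    """Outbound packets between IPsec peers that reached ipf as something other
    than ESP or AH. Because ipf filters outbound traffic after IPsec processing,
    such a packet was sent without an SA, whether ipf blocked it or passed it."""
    leaks = []
    for line in lines:
        ev = parse_ipmon(line)
        if ev is None or ev.direction != "OUT" or ev.proto in ("esp", "ah"):
            continue
        if (ev.src, ev.dst) in peers or (ev.dst, ev.src) in peers:
            leaks.append(ev)
    return leaks


# Constructed sample: the thread's line, an ESP packet that was passed, and an
# unrelated inbound block. The peer pair is likewise constructed.
PEERS = {("1.2.3.4", "5.6.7.8")}
SAMPLE_LINES = [
    "Sep 25 20:13:45 hostb ipmon[102]: 20:13:44.159219 fxp1 @0:18 b 1.2.3.4,22 -> "
    "5.6.7.8,52161 PR tcp len 20 60 -AS 861376014 1945689524 16384 OUT",
    "Sep 25 20:13:50 hostb ipmon[102]: 20:13:49.000001 fxp1 @0:3 p 1.2.3.4 -> "
    "5.6.7.8 PR esp len 20 136 OUT",
    "Sep 25 20:13:51 hostb ipmon[102]: 20:13:50.500000 fxp0 @0:18 b 9.9.9.9,4444 -> "
    "1.2.3.4,22 PR tcp len 20 60 -S 1 0 65535 IN",
]

if __name__ == "__main__":
    for ev in cleartext_leaks(SAMPLE_LINES, PEERS):
        kind = "SYN-ACK" if is_syn_ack(ev) else ev.proto
        print(f"{ev.host}: cleartext {kind} {ev.src}->{ev.dst} on {ev.iface}, "
              f"rule @{ev.group}:{ev.rule} {ev.action} (SA probably gone)")
```

When the check fires, the thing to confirm on the host is whether the SAD still holds an SA for that peer pair (on NetBSD, `setkey -D` dumps it); an empty dump while the SPD still requires IPsec matches Dan's reading that the SA died rather than that ipf ran in the wrong order.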


