| Summary: | enc(1): enc0 not capturing outgoing IPSEC encrypted transport IPv6 traffic from host | | |
|---|---|---|---|
| Product: | Base System | Reporter: | Matthew Grant <matthew.grant> |
| Component: | bin | Assignee: | freebsd-ipfw (Nobody) <ipfw> |
| Status: | Closed Overcome By Events | | |
| Severity: | Affects Only Me | CC: | hiren |
| Priority: | Normal | | |
| Version: | Unspecified | | |
| Hardware: | Any | | |
| OS: | Any | | |
Description

Matthew Grant
2011-09-27 05:00:16 UTC

Hi! Bug stops outgoing stateful connection tracking over IPSEC from happening as it does for IPv4 (IPFW): IPv6 outgoing traffic is only matched as esp, and the packet does not appear, as it does for IPv4, as a TCP SYN outgoing on enc0.

IPv4:

```sh
cmd="ipfw add"
pif="em0"
p6if="gif0"

$cmd 00100 allow udp from 203.79.116.183 500 to me 500 in via $pif
$cmd 00101 allow udp from me 500 to 203.79.116.183 500 out via $pif
$cmd 00120 allow esp from me to 203.79.116.183 out via $pif
$cmd 00121 allow esp from 203.79.116.183 to me in via $pif
$cmd 00190 check-state ipsec
$cmd 00200 allow udp from 203.79.116.183 to me 53 in ipsec via $pif keep-state
$cmd 00210 allow tcp from 203.79.116.183 to me 53 in ipsec via $pif keep-state
$cmd 00220 allow ip4 from me to 203.79.116.183 out keep-state
$cmd 00290 deny log ip from 203.79.116.183 to me in via $pif
$cmd 00291 deny log ip from me to 203.79.116.183 out via $pif
```

IPv6:

```sh
$cmd 10100 allow udp from 2001:470:f012:2::2 500 to me6 500 in via $p6if
$cmd 10101 allow udp from me6 500 to 2001:470:f012:2::2 500 out via $p6if
$cmd 10120 allow esp from me6 to 2001:470:f012:2::2 out via $p6if
$cmd 10121 allow esp from 2001:470:f012:2::2 to me6 in via $p6if
$cmd 10180 check-state
$cmd 10200 allow udp from 2001:470:f012:2::2 to me6 53 in ipsec via $p6if keep-state
$cmd 10210 allow tcp from 2001:470:f012:2::2 to me6 53 in ipsec via $p6if keep-state
$cmd 10220 allow ip6 from me6 to 2001:470:f012:2::2 out keep-state
$cmd 10290 deny log ip from 2001:470:f012:2::2 to me6 in via $p6if
$cmd 10291 deny log ip from me6 to 2001:470:f012:2::2 out via $p6if

# Internet name server access
$cmd 10300 allow udp from any to me6 53 in via $p6if
$cmd 10301 allow udp from me6 53 to any out via $p6if
$cmd 10302 allow tcp from any to me6 53 in via $p6if
$cmd 10303 allow tcp from me6 53 to any out via $p6if
```

Much has changed in this area in 6 years. Can you please try and see if this problem still exists and reopen the bug if it does?
Hi! Bug stops outing stateful connection tracking over IPSEC to happen as per IPv4 (IPFW): IPv6 outgoing traffic is only matched as esp, and the packet does not appear as per IPv4 as a TCP SYN outgoing on enc0. IPv4: cmd="ipfw add" pif="em0" p6if="gif0" $cmd 00100 allow udp from 203.79.116.183 500 to me 500 in via $pif $cmd 00101 allow udp from me 500 to 203.79.116.183 500 out via $pif $cmd 00120 allow esp from me to 203.79.116.183 out via $pif $cmd 00121 allow esp from 203.79.116.183 to me in via $pif $cmd 00190 check-state ipsec $cmd 00200 allow udp from 203.79.116.183 to me 53 in ipsec via $pif keep-state $cmd 00210 allow tcp from 203.79.116.183 to me 53 in ipsec via $pif keep-state $cmd 00220 allow ip4 from me to 203.79.116.183 out keep-state $cmd 00290 deny log ip from 203.79.116.183 to me in via $pif $cmd 00291 deny log ip from me to 203.79.116.183 out via $pif IPv4: $cmd 10100 allow udp from 2001:470:f012:2::2 500 to me6 500 in via $p6if $cmd 10101 allow udp from me6 500 to 2001:470:f012:2::2 500 out via $p6if $cmd 10120 allow esp from me6 to 2001:470:f012:2::2 out via $p6if $cmd 10121 allow esp from 2001:470:f012:2::2 to me6 in via $p6if $cmd 10180 check-state $cmd 10200 allow udp from 2001:470:f012:2::2 to me6 53 in ipsec via $p6if keep-state $cmd 10210 allow tcp from 2001:470:f012:2::2 to me6 53 in ipsec via $p6if keep-state $cmd 10220 allow ip6 from me6 to 2001:470:f012:2::2 out keep-state $cmd 10290 deny log ip from 2001:470:f012:2::2 to me6 in via $p6if $cmd 10291 deny log ip from me6 to 2001:470:f012:2::2 out via $p6if # Internet name server access $cmd 10300 allow udp from any to me6 53 in via $p6if $cmd 10301 allow udp from me6 53 to any out via $p6if $cmd 10302 allow tcp from any to me6 53 in via $p6if $cmd 10303 allow tcp from me6 53 to any out via $p6if Much has changed in this area in 6 years. Can you please try and see if this problem still exists and reopen the bug if it does? |