Hi misc, I'm experiencing interaction problems between PF and the enc0 interface. I've been reading several OpenBSD manual pages about how IPSec traffic filtering is supposed to work, but so far I'm unable to get IPSec filtering working for me.
I have created an IPSec/IPv6-based VPN between two sites, one in Madrid and another in Zürich. Each side of the tunnel connects to the IPv6 internet using AICCU via a SixXS POP. This means that each VPN end-point has a tun0 interface where all IPv6 traffic is received and sent (I'm using dynamic AYIYA tunnels). The funny thing is that the enc0 interface on both end points sees the IPv6 traffic before and after IPSec encryption and encapsulation, but PF seems to disagree and any filtering done on enc0 is completely ignored.

To test my assumption, I created this very simple PF configuration file, with just two rules:

    pass in on enc0 no state
    pass out on enc0 no state

The first thing I did not understand is that I have to use two different rules for in/out. Otherwise, pftop will display "I" in the direction column for this state, which leads me to think PF is only allowing inbound traffic. But I might be wrong.

Next, from the C host, I run:

    # ping6 -c1 D::1

in order to send some traffic across the VPN. At the same time, I run tcpdump on enc0 and this is what I see:

    # tcpdump -n -i enc0 -s 1800 -v
    14:15:19.769555 (authentic,confidential): SPI 0x27151066: A::2 > B::2: C::1 > D::1: icmp6: echo request (len 16, hlim 63) (len 56, hlim 64)
    # Tunneled ICMPv6 Echo request from C::1 to D::1 (from A::2 to B::2).
    14:15:19.769682 (authentic,confidential): SPI 0xef18f14a: esp A::2 > B::2 spi 0x27151066 seq 30 len 100 (len 100, hlim 64)
    # ESP-encapsulated ICMPv6 Echo Request from C::1 to D::1.
    14:15:19.913539 (authentic,confidential): SPI 0xcefeac0c: truncated-ip6 - 48 bytes missing!esp B::2 > A::2 spi 0xF2FC992F seq 30 len 148 (len 148, hlim 63)
    # ESP-encapsulated ICMPv6 Echo Reply from D::1 to C::1.
    14:15:19.913620 (authentic,confidential): SPI 0xf2fc992f: truncated-ip6 - 92 bytes missing!B::2 > A: D::1 > C::1: icmp6: echo reply (len 16, hlim 63) (len 148, hlim 63)
    # Tunneled ICMPv6 Echo Reply from D::1 to C::1 (from B::2 to A::2).
The second thing that strikes me is the "XX bytes missing" that tcpdump is reporting. Is this normal? Take into account that the snaplen that I used when running tcpdump is larger than the MTU of enc0. Everything else looks fine to me.

The third thing that confuses me completely is that pftop does not display any hits on either PF rule. Neither does pfctl:

    # pfctl -s rules -v
    pass in on enc0 all no state
      [ Evaluations: 141       Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 26751 ]
    pass out on enc0 all no state
      [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 26751 ]

Do you have any idea what's going on? Thanks in advance.

-- 
http://www.felipe-alfaro.org/blog/disclaimer/
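An added example, not part of the poster's message: a small Python parser for the `pfctl -s rules -v` listing format quoted above that flags rules PF evaluated but never matched, which is exactly what the enc0 counters in the post show. The sample listing is constructed from the counters in the post plus a hypothetical tun0 rule for contrast.

```python
import re

# Constructed sample in the shape of `pfctl -s rules -v` output, modelled on
# the counters quoted in the post above (not captured from a live system).
SAMPLE_PFCTL_OUTPUT = """\
pass in on enc0 all no state
  [ Evaluations: 141       Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 26751 ]
pass out on enc0 all no state
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 26751 ]
pass in on tun0 inet6 proto ipv6-icmp all
  [ Evaluations: 141       Packets: 2         Bytes: 208         States: 0     ]
  [ Inserted: uid 0 pid 26751 ]
"""

COUNTER_RE = re.compile(
    r"\[\s*Evaluations:\s*(\d+)\s+Packets:\s*(\d+)\s+Bytes:\s*(\d+)\s+States:\s*(\d+)\s*\]"
)


def parse_pfctl_rules(text):
    """Turn the verbose listing into dicts of rule text plus counters.

    Rule lines are unindented; the indented "[ Evaluations: ... ]" line
    that follows each one carries its counters.
    """
    rules = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            rules.append({"rule": line.strip(), "evaluations": 0,
                          "packets": 0, "bytes": 0, "states": 0})
            continue
        m = COUNTER_RE.search(line)
        if m and rules:
            ev, pk, by, st = (int(x) for x in m.groups())
            rules[-1].update(evaluations=ev, packets=pk, bytes=by, states=st)
    return rules


def evaluated_but_unmatched(rules, interface=None):
    """Rules PF consulted at least once but which never matched a packet:
    the post's 'pass in on enc0' (141 evaluations, 0 packets) is one.
    Optionally restrict to rules naming one interface, e.g. "enc0"."""
    return [r["rule"] for r in rules
            if (interface is None or f" on {interface} " in f"{r['rule']} ")
            and r["evaluations"] > 0 and r["packets"] == 0]
```

Run it against real `pfctl -s rules -v` output to see at a glance which rules are being consulted without ever matching traffic.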

