On Wed, Apr 16, 2008 at 01:04:39PM +0300, Roman Otsaljuk wrote:
> Norman Maurer wrote:
> > On Wednesday, 16.04.2008, at 12:02 +0300, Roman Otsaljuk wrote:
> >   
> >> hi all.
> >> i have two localnets linked over ipsec:
> >>
> >> http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/ipsec.html
> >>
> >> network schema:
> >>
> >> 192.168.0.0/24 <---> [192.168.0.12=freebsd=2.2.2.2]  <--inet--> [1.1.1.1=freebsd1=10.31.0.5] <---->10.31.0.5/26
> >>
> >> on both points was 6.2, firewall - pf.
> >> after updating to 7.0 vpn doesn't work:
> >>  0) pings go normal
> >>  0) tcp packets go too, but third packet with R flag:
> >>    from 192.168.0.12 try: ssh 10.31.0.42, on second console:
> >> mail# tcpdump -ni gif0
> >> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> >> listening on gif0, link-type NULL (BSD loopback), capture size 68 bytes
> >> 10:49:43.912469 IP 192.168.0.12.63996 > 10.31.0.42.22: S 1756351354:1756351354(0) win 65535 <mss 1240,nop,wscale 3,sackOK,timestamp 51087105 0>
> >> 10:49:43.936245 IP 217.20.174.35 > 195.43.43.238: IP 10.31.0.42.22 > 192.168.0.12.63996: S 4244314344:4244314344(0) ack 1756351355 win 65535 <mss 1460,[|tcp]> (ipip-proto-4)
> >> 10:49:43.936360 IP 192.168.0.12.63996 > 10.31.0.42.22: R 1318200353:1318200353(0) win 0
> >>
> >>  0) adding the first rule (pass quick all) on both - without changes;
> >>  0) downing pf: in localnet, in which pf downed - all good.
> >>
> >>
> >> any ideas?
> >>
> >>
> >> p.s. the same if IPsec replaced by vpnd--------
> >> sorry for my bad English
> >>     
> >
> > FreeBSD 7.0 uses the "new" ipsec implementation (IPSEC_FAST) so you need
> > to allow the ipencap protocol too.
> >
> > Cheers
> > Norman
> >
> >
> >
> >   
> 
> doesn't the rule "pass quick all" allow ipencap?
 
Try specifying it specifically.  I seem to recall that only certain
protocols are passed unless specifically specified, though I can't
find documentation on that.

Erik

_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
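
The explicit rule suggested in the replies above, written out as a pf.conf fragment for the gateway labelled "freebsd" in the schema. This is an added example, not a configuration posted in the thread: the interface name `em0` and the macro names are assumptions, the two gateway addresses are the ones from the schema, and the thread does not report whether the change resolved the problem. `ipencap` is IP protocol 4, which is what tcpdump labels `ipip-proto-4` in the capture.

```conf
# pf.conf fragment for the gateway "freebsd" (outer address 2.2.2.2).
# Added example; not taken from the thread.

ext_if    = "em0"        # ASSUMED name of the Internet-facing interface
local_gw  = "2.2.2.2"    # this gateway's outer address (from the schema)
remote_gw = "1.1.1.1"    # peer gateway's outer address (from the schema)

# Rule tried in the thread, which names no protocol:
#   pass quick all

# IP-in-IP named explicitly and limited to the two tunnel endpoints,
# one rule per direction, so no other host can send encapsulated
# packets to this gateway.
pass in  quick on $ext_if inet proto ipencap from $remote_gw to $local_gw
pass out quick on $ext_if inet proto ipencap from $local_gw  to $remote_gw
```

The peer gateway needs the mirror image, with the two addresses swapped; `pfctl -nf /etc/pf.conf` parses the file without loading it.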