Helmut Schneider wrote:

> Dec 15 13:34:22.649843 rule 11/(match) block in on bge0: $SERVER >
> $CLIENT: frag (0|1448) 500 > 500:  isakmp v1.0 exchange ID_PROT
> encrypted
>         cookie: 583b9e29ae2a701f->f2257c7575eb8336 msgid: 00000000
> len:  1596
> Dec 15 13:34:22.649854 rule 11/(match) block in on bge0: $SERVER >
> $CLIENT: frag (1448|156)
[...]
> Dec 15 13:34:23.640235 rule 11/(match) block in on bge0: $SERVER >
> $CLIENT: frag (0|1448) 500 > 500:  isakmp v1.0 exchange ID_PROT
> encrypted
>         cookie: 583b9e29ae2a701f->f2257c7575eb8336 msgid: 00000000
> len:  1596
> Dec 15 13:34:23.640245 rule 11/(match) block in on bge0: $SERVER >
> $CLIENT: frag (1448|156)
> 
> # pfctl -sr | egrep '(proto (ah|esp)|port = (500|isakmp))'
> pass log quick inet6 proto tcp from any to any port = 500 flags S/SA keep state
> pass log quick inet6 proto udp from any to any port = isakmp keep state
> pass log quick inet6 proto ah all keep state
> pass log quick inet6 proto esp all keep state
> # egrep '( (ah|esp|500))' /etc/pf.conf
> pass quick log inet6 proto { tcp, udp } to any port 500 # ISAKMP
> pass quick log inet6 proto { ah, esp} # AH, ESP
> #
> 
> I don't see what's wrong here. I have not yet had time to test this on 4.6.

Same with 4.6. With "pass quick log inet6" the connection is
successful. Is the packet incorrectly parsed?! The fact that the
unfragmented packet is passed would confirm that.
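As an added triage helper, not part of the thread, this Python script parses pflog lines in the format quoted above and flags blocked first fragments whose destination port is visible: continuation fragments carry no UDP header, so a port-based rule can never match them, but a blocked first fragment to port 500 means the port rule did not take effect. The sample lines and the 2001:db8:: addresses standing in for $SERVER and $CLIENT are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the pflog/tcpdump format quoted in the thread (RFC 3849 addresses).
SAMPLE_LOG = """\
Dec 15 13:34:22.649843 rule 11/(match) block in on bge0: 2001:db8::1 > 2001:db8::2: frag (0|1448) 500 > 500: isakmp v1.0 exchange ID_PROT encrypted cookie: 583b9e29ae2a701f->f2257c7575eb8336 msgid: 00000000 len: 1596
Dec 15 13:34:22.649854 rule 11/(match) block in on bge0: 2001:db8::1 > 2001:db8::2: frag (1448|156)
Dec 15 13:34:23.640235 rule 11/(match) block in on bge0: 2001:db8::1 > 2001:db8::2: frag (0|1448) 500 > 500: isakmp v1.0 exchange ID_PROT encrypted
Dec 15 13:34:23.640245 rule 11/(match) block in on bge0: 2001:db8::1 > 2001:db8::2: frag (1448|156)
"""

LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d\.\d+) rule (?P<rule>\d+)/\(match\) "
    r"(?P<action>block|pass) (?:in|out) on \w+: "
    r"[0-9a-fA-F:.]+ > [0-9a-fA-F:.]+: *"
    r"(?:frag \((?P<off>\d+)\|\d+\))? *"
    r"(?:(?P<sport>\d+) > (?P<dport>\d+):)?"
)

@dataclass
class Entry:
    ts: str
    rule: int
    action: str
    frag_off: Optional[int]  # None when the packet is not a fragment
    dport: Optional[int]     # None when no transport header is visible

    @property
    def kind(self) -> str:
        if self.frag_off is None:
            return "unfragmented"
        # Offset 0 carries the UDP header (ports visible); later fragments are payload only.
        return "first-fragment" if self.frag_off == 0 else "continuation-fragment"

def parse_pflog(text: str) -> List[Entry]:
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            opt = lambda k: int(m.group(k)) if m.group(k) else None
            entries.append(Entry(m.group("ts"), int(m.group("rule")), m.group("action"),
                                 opt("off"), opt("dport")))
    return entries

def blocked_first_fragments(entries: List[Entry], port: int) -> List[Entry]:
    """Blocked first fragments to `port` with ports visible: a port rule should have matched."""
    return [e for e in entries
            if e.action == "block" and e.kind == "first-fragment" and e.dport == port]
```

Run it against `tcpdump -n -e -ttt -i pflog0` output; every hit points at a rule that saw the port but still fell through to the block rule.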
