Re: [4.5] Unable to connect using IPSEC over IPv6

2009-12-18 Thread Henning Brauer
* Helmut Schneider <jumpe...@gmx.de> [2009-12-18 08:30]:
> Henning Brauer wrote:
> > * Stuart Henderson <s...@spacehopper.org> [2009-12-16 16:00]:
> > > On 2009/12/16 13:27, Helmut Schneider wrote:
> > > > [...]
> > > > > Dec 15 13:34:23.640235 rule 11/(match) block in on bge0:
> > > > > $SERVER > $CLIENT: frag (0|1448) 500 > 500: isakmp v1.0
> > > > > exchange ID_PROT encrypted cookie:
> > > > > 583b9e29ae2a701f-f2257c7575eb8336 msgid:  len:  1596
> > > > > Dec 15 13:34:23.640245 rule 11/(match) block in on bge0:
> > > > > $SERVER > $CLIENT: frag (1448|156)
> > > >
> > > > Same with 4.6. With pass quick log inet6 the connection is
> > > > successful. Is the packet incorrectly parsed?! The fact that the
> > > > unfragmented packet is passed would confirm that.
> > >
> > > PF doesn't support IPv6 fragments yet.
> >
> > yet. hah.
>
> hah in the sense of "It's cooking" or in the sense of "Are you
> kidding?" http://www.mail-archive.com/m...@openbsd.org/msg84332.html
> pp. raised hopes.

nobody is actively working on anything in that direction afaik.

chances are the whole v6 mess is declared obsolete before we get into
this mess (heh, mess on top of mess, get dirty). all hail ipv4/64!

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting


Re: [4.5] Unable to connect using IPSEC over IPv6

2009-12-17 Thread Henning Brauer
* Stuart Henderson <s...@spacehopper.org> [2009-12-16 16:00]:
> On 2009/12/16 13:27, Helmut Schneider wrote:
> > [...]
> > > Dec 15 13:34:23.640235 rule 11/(match) block in on bge0: $SERVER >
> > > $CLIENT: frag (0|1448) 500 > 500: isakmp v1.0 exchange ID_PROT encrypted
> > > cookie: 583b9e29ae2a701f-f2257c7575eb8336 msgid:  len:
> > > 1596
> > > Dec 15 13:34:23.640245 rule 11/(match) block in on bge0: $SERVER >
> > > $CLIENT: frag (1448|156)
> >
> > Same with 4.6. With pass quick log inet6 the connection is
> > successful. Is the packet incorrectly parsed?! The fact that the
> > unfragmented packet is passed would confirm that.
>
> PF doesn't support IPv6 fragments yet.

yet. hah.

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting


Re: [4.5] Unable to connect using IPSEC over IPv6

2009-12-17 Thread Helmut Schneider
Henning Brauer wrote:

> * Stuart Henderson <s...@spacehopper.org> [2009-12-16 16:00]:
> > On 2009/12/16 13:27, Helmut Schneider wrote:
> > > [...]
> > > > Dec 15 13:34:23.640235 rule 11/(match) block in on bge0:
> > > > $SERVER > $CLIENT: frag (0|1448) 500 > 500: isakmp v1.0
> > > > exchange ID_PROT encrypted cookie:
> > > > 583b9e29ae2a701f-f2257c7575eb8336 msgid:  len:  1596
> > > > Dec 15 13:34:23.640245 rule 11/(match) block in on bge0:
> > > > $SERVER > $CLIENT: frag (1448|156)
> > >
> > > Same with 4.6. With pass quick log inet6 the connection is
> > > successful. Is the packet incorrectly parsed?! The fact that the
> > > unfragmented packet is passed would confirm that.
> >
> > PF doesn't support IPv6 fragments yet.
>
> yet. hah.

hah in the sense of "It's cooking" or in the sense of "Are you
kidding?" http://www.mail-archive.com/m...@openbsd.org/msg84332.html
pp. raised hopes.


Re: [4.5] Unable to connect using IPSEC over IPv6

2009-12-16 Thread Helmut Schneider
Helmut Schneider wrote:

> Dec 15 13:34:22.649843 rule 11/(match) block in on bge0: $SERVER >
> $CLIENT: frag (0|1448) 500 > 500: isakmp v1.0 exchange ID_PROT
> encrypted
> cookie: 583b9e29ae2a701f-f2257c7575eb8336 msgid:
> len:  1596
> Dec 15 13:34:22.649854 rule 11/(match) block in on bge0: $SERVER >
> $CLIENT: frag (1448|156)
[...]
> Dec 15 13:34:23.640235 rule 11/(match) block in on bge0: $SERVER >
> $CLIENT: frag (0|1448) 500 > 500: isakmp v1.0 exchange ID_PROT
> encrypted
> cookie: 583b9e29ae2a701f-f2257c7575eb8336 msgid:
> len:  1596
> Dec 15 13:34:23.640245 rule 11/(match) block in on bge0: $SERVER >
> $CLIENT: frag (1448|156)
>
> # pfctl -sr | egrep '(proto (ah|esp)|port = (500|isakmp))'
> pass log quick inet6 proto tcp from any to any port = 500 flags S/SA keep state
> pass log quick inet6 proto udp from any to any port = isakmp keep state
> pass log quick inet6 proto ah all keep state
> pass log quick inet6 proto esp all keep state
> # egrep '( (ah|esp|500))' /etc/pf.conf
> pass quick log inet6 proto { tcp, udp } to any port 500 # ISAKMP
> pass quick log inet6 proto { ah, esp} # AH, ESP
> #
>
> I don't see what's wrong here. I have not yet had time to test this on 4.6.

Same with 4.6. With pass quick log inet6 the connection is
successful. Is the packet incorrectly parsed?! The fact that the
unfragmented packet is passed would confirm that.
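As an added example, not part of the thread: a small Python script that parses constructed copies of the blocked pflog lines above and checks whether the fragments of each datagram line up and add up to the ISAKMP length plus the 8-byte UDP header. On these lines they do (1448 + 156 = 1604 = 1596 + 8), so what rule 11 drops is one complete fragmented IKE main-mode message rather than stray fragments; the same check flags a gap or an orphan continuation fragment. The regexes, group names and grouping heuristic (attach a continuation to the latest datagram between the same two hosts, since this output carries no fragment ID) are the example's own.

```python
import re
# Constructed copies of the pflog lines quoted in this thread (tcpdump on pflog0);
# "src > dst" is tcpdump's notation, $SERVER/$CLIENT are the poster's placeholders.
SAMPLE_LOG = """\
Dec 15 13:34:22.649843 rule 11/(match) block in on bge0: $SERVER > $CLIENT: frag (0|1448) 500 > 500: isakmp v1.0 exchange ID_PROT encrypted cookie: 583b9e29ae2a701f-f2257c7575eb8336 msgid:  len:  1596
Dec 15 13:34:22.649854 rule 11/(match) block in on bge0: $SERVER > $CLIENT: frag (1448|156)
Dec 15 13:34:23.640235 rule 11/(match) block in on bge0: $SERVER > $CLIENT: frag (0|1448) 500 > 500: isakmp v1.0 exchange ID_PROT encrypted cookie: 583b9e29ae2a701f-f2257c7575eb8336 msgid:  len:  1596
Dec 15 13:34:23.640245 rule 11/(match) block in on bge0: $SERVER > $CLIENT: frag (1448|156)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:.]+) rule (?P<rule>\d+)/\(match\) (?P<action>\w+) (?:in|out) "
    r"on \S+: (?P<src>\S+) > (?P<dst>\S+): frag \((?P<off>\d+)\|(?P<len>\d+)\)(?P<rest>.*)$")
# Only the first fragment (offset 0) carries the UDP and ISAKMP headers, hence "len: N".
HEAD_RE = re.compile(r"\w+ > \w+: isakmp .*len: +(?P<ilen>\d+)")
UDP_HDR = 8  # bytes of UDP header in front of the ISAKMP message

def parse_fragments(text):
    """Return one dict per pflog line that describes an IPv6 fragment."""
    frags = [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]
    for f in frags:
        f["off"], f["len"] = int(f["off"]), int(f["len"])
    return frags

def analyze(text):
    """Group fragments into datagrams and check each against its ISAKMP length."""
    datagrams = []
    for f in parse_fragments(text):
        d = None
        if f["off"] != 0:  # continuation: latest datagram between the same two hosts
            d = next((x for x in reversed(datagrams)
                      if (x["src"], x["dst"]) == (f["src"], f["dst"])), None)
        if d is None:      # first fragment (or an orphan continuation) opens a datagram
            head = HEAD_RE.search(f["rest"]) if f["off"] == 0 else None
            d = {"ts": f["ts"], "src": f["src"], "dst": f["dst"], "rule": f["rule"],
                 "action": f["action"], "frags": [],
                 "isakmp_len": int(head["ilen"]) if head else None}
            datagrams.append(d)
        d["frags"].append((f["off"], f["len"]))
    for d in datagrams:
        fr = d["frags"] = sorted(d["frags"])
        d["contiguous"] = all(fr[i][0] == sum(fr[i - 1]) for i in range(1, len(fr)))
        d["total"] = sum(fr[-1])  # end of the last fragment = bytes after the IPv6 header
        d["complete"] = (d["contiguous"] and d["isakmp_len"] is not None
                         and d["total"] == d["isakmp_len"] + UDP_HDR)
    return datagrams

if __name__ == "__main__":
    for d in analyze(SAMPLE_LOG):
        print(f'{d["ts"]} {d["action"]} rule {d["rule"]}: {len(d["frags"])} fragments, '
              f'{d["total"]} bytes, isakmp len {d["isakmp_len"]}, complete={d["complete"]}')
```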



Re: [4.5] Unable to connect using IPSEC over IPv6

2009-12-16 Thread Stuart Henderson
On 2009/12/16 13:27, Helmut Schneider wrote:
> [...]
> > Dec 15 13:34:23.640235 rule 11/(match) block in on bge0: $SERVER >
> > $CLIENT: frag (0|1448) 500 > 500: isakmp v1.0 exchange ID_PROT encrypted
> > cookie: 583b9e29ae2a701f-f2257c7575eb8336 msgid:  len:
> > 1596
> > Dec 15 13:34:23.640245 rule 11/(match) block in on bge0: $SERVER >
> > $CLIENT: frag (1448|156)
>
> Same with 4.6. With pass quick log inet6 the connection is
> successful. Is the packet incorrectly parsed?! The fact that the
> unfragmented packet is passed would confirm that.

PF doesn't support IPv6 fragments yet.



Re: [4.5] Unable to connect using IPSEC over IPv6

2009-12-16 Thread Helmut Schneider
Stuart Henderson wrote:

> On 2009/12/16 13:27, Helmut Schneider wrote:
> > [...]
> > > Dec 15 13:34:23.640235 rule 11/(match) block in on bge0: $SERVER >
> > > $CLIENT: frag (0|1448) 500 > 500: isakmp v1.0 exchange ID_PROT
> > > encrypted cookie: 583b9e29ae2a701f-f2257c7575eb8336
> > > msgid:  len:  1596
> > > Dec 15 13:34:23.640245 rule 11/(match)
> > > block in on bge0: $SERVER > $CLIENT: frag (1448|156)
> >
> > Same with 4.6. With pass quick log inet6 the connection is
> > successful. Is the packet incorrectly parsed?! The fact that the
> > unfragmented packet is passed would confirm that.
>
> PF doesn't support IPv6 fragments yet.

Too bad... :(