Subject: Re: ipsec/ipfilter interaction problem
To: Christoph Kaegi <kgc@zhwin.ch>
From: Daniel Carosone <dan@geek.com.au>
List: tech-crypto
Date: 09/26/2003 06:53:25
On Thu, Sep 25, 2003 at 08:38:50PM +0200, Christoph Kaegi wrote:
>
> The docs on www.netbsd.org/Documentation/network/ipsec/#ipf-interaction
> say that ipf looks at packets BEFORE IPSEC processing on inbound traffic
> and AFTER IPSEC processing on outbound traffic.
Yes.
> But suddenly (after some amount of time or bytes), when I try to
> ssh from one to the other machine or when trying to send mail,
> the SYN-ACK reply of the responding machine gets blocked by its
> ipfilter:
>
> -------------------------------------- 8< --------------------------------------
> Sep 25 20:13:45 hostb ipmon[102]: 20:13:44.159219 fxp1 @0:18 b 1.2.3.4,22 -> 5.6.7.8,52161 PR tcp len 20 60 -AS 861376014 1945689524 16384 OUT
> -------------------------------------- 8< --------------------------------------
>
> This means, ipf blocks the packet, before it is IPSEC processed.
Or it means the packet wasn't IPSEC processed, did the SA die?
> Running /etc/rc.d/ipsec reload on that machine cures the problem.
Ahuh, so perhaps the SA did die.
You shouldn't need/have the "0.0.0.0 none" entries, but that in
itself won't make the SA go away.
--
Dan.
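The diagnosis in this exchange rests on the ordering rule quoted above: because ipf sees outbound packets only after IPsec processing, an outbound TCP packet (not ESP) between two hosts whose SP says they must talk IPsec means the packet left the stack in the clear, which is what you see when the SA has died. The following script is an added example, not code from the thread, from NetBSD or from ipfilter. It parses ipmon lines using the field layout visible in the quoted log line (assumptions: `@group:rule`, a leading `b`/`p` action letter, `PR <proto>` with ESP shown as `esp`, and a trailing `IN`/`OUT`), and flags outbound cleartext between a set of peers that are assumed to be IPsec-protected. The peer set and the extra log lines are constructed for the example; the hostnames and addresses are the ones from the quoted line.

```python
"""Detect outbound cleartext traffic between hosts that should be IPsec peers.

Added example: the ipmon field layout below is inferred from the one line
quoted in the thread; the sample log and the protected-pair set are constructed.
"""
import re
from typing import Dict, List, Optional, Set, Tuple

# Address pairs an IPsec SP is assumed (for this example) to cover, both directions.
PROTECTED_PAIRS: Set[Tuple[str, str]] = {
    ("1.2.3.4", "5.6.7.8"),
    ("5.6.7.8", "1.2.3.4"),
}

# Layout assumed from the quoted ipmon line; search() skips any syslog prefix,
# since the syslog timestamp has no fractional seconds and so cannot match `ts`.
IPMON_RE = re.compile(
    r"(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+(?P<ifname>\S+)\s+"
    r"@(?P<group>\d+):(?P<rule>\d+)\s+(?P<action>\S+)\s+"
    r"(?P<src>[0-9a-fA-F.:]+?)(?:,(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[0-9a-fA-F.:]+?)(?:,(?P<dport>\d+))?\s+"
    r"PR\s+(?P<proto>\S+)\s+len\s+(?P<hlen>\d+)\s+(?P<tlen>\d+)"
    r"(?P<rest>.*?)\s+(?P<direction>IN|OUT)\s*$"
)


def parse_ipmon_line(line: str) -> Optional[Dict[str, object]]:
    """Return a dict of fields for one ipmon line, or None if it does not parse."""
    m = IPMON_RE.search(line)
    if not m:
        return None
    rec: Dict[str, object] = m.groupdict()
    for key in ("sport", "dport"):
        rec[key] = int(rec[key]) if rec[key] is not None else None  # type: ignore[arg-type]
    # For TCP the remainder starts with a flag word such as "-AS" (ACK+SYN).
    tokens = str(rec.pop("rest")).split()
    rec["tcp_flags"] = tokens[0][1:] if tokens and tokens[0].startswith("-") else ""
    rec["blocked"] = str(rec["action"]).startswith("b")
    return rec


def cleartext_leaks(lines: List[str], pairs: Set[Tuple[str, str]]) -> List[Tuple[Dict[str, object], str]]:
    """Flag outbound packets between protected peers that are not ESP/AH.

    Outbound packets reach ipf after IPsec, so a non-ESP/AH packet to a peer
    that should be protected means no SA was applied. A block (verdict
    "blocked-cleartext") is the symptom seen in the thread: the SA is gone and
    the connection stalls. A pass ("passed-cleartext") is worse: the data went
    onto the wire unprotected. Inbound lines are ignored, because ipf sees
    inbound traffic before IPsec and an ESP packet there is the normal case.
    """
    hits: List[Tuple[Dict[str, object], str]] = []
    for line in lines:
        rec = parse_ipmon_line(line)
        if rec is None or rec["direction"] != "OUT":
            continue
        if rec["proto"] in ("esp", "ah"):
            continue  # already encapsulated; any block here is an ordinary ipf rule matter
        if (rec["src"], rec["dst"]) not in pairs:
            continue
        hits.append((rec, "blocked-cleartext" if rec["blocked"] else "passed-cleartext"))
    return hits


# First line is the one quoted in the thread; the rest are constructed for the example.
SAMPLE_LOG: List[str] = [
    "Sep 25 20:13:45 hostb ipmon[102]: 20:13:44.159219 fxp1 @0:18 b 1.2.3.4,22 -> 5.6.7.8,52161 "
    "PR tcp len 20 60 -AS 861376014 1945689524 16384 OUT",
    "20:13:50.000100 fxp1 @0:3 p 1.2.3.4 -> 5.6.7.8 PR esp len 20 116 OUT",
    "20:14:02.551000 fxp0 @0:18 b 10.0.0.5,443 -> 192.0.2.9,40111 PR tcp len 20 60 -AS 1 2 16384 OUT",
    "20:14:10.120000 fxp1 @0:5 p 1.2.3.4,25 -> 5.6.7.8,33412 PR tcp len 20 60 -S 5 0 16384 OUT",
    "20:14:11.000000 fxp1 @0:9 b 5.6.7.8,33412 -> 1.2.3.4,25 PR tcp len 20 60 -S 7 0 16384 IN",
]

if __name__ == "__main__":
    for rec, verdict in cleartext_leaks(SAMPLE_LOG, PROTECTED_PAIRS):
        print(f"{rec['ts']} {rec['ifname']} @{rec['group']}:{rec['rule']} "
              f"{rec['src']},{rec['sport']} -> {rec['dst']},{rec['dport']} "
              f"{rec['proto']} flags={rec['tcp_flags']}: {verdict}")
```

Run against a log file with `cleartext_leaks(open(path).readlines(), PROTECTED_PAIRS)`; a run of `blocked-cleartext` hits that starts at a definite time and stops after the `ipsec reload` is the signature of an expired or deleted SA rather than of a bad ipf rule, and any `passed-cleartext` hit says the ipf rule set is not acting as the safety net it did in the quoted log.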