# IPSec + ipv6 + pf = problem



## STux (Aug 23, 2010)

Hello guys, 

I'm running FreeBSD 8.0 and I'm experiencing a problem with pf.

The network configuration is the following:

NetworkA (ipv6) <=> gwA (openbsd) <=> wan (ipv6/ipsec) <=> gwB (freebsd) <=> NetworkB (ipv6)

OpenBSD is running isakmpd and seems to be working well. FreeBSD is running racoon (ipsec-tools from ports).

Without pf enabled on FreeBSD, the ipv6/ipsec tunnel works well (tcpdump approves it): machines on NetworkB can access NetworkA and machines on NetworkA can access NetworkB.


```
23:30:00.815393 IP6 freebsd > openbsd: ESP pi=0x0b9ef32c,seq=0xe), length 92
23:30:00.815546 IP6 openbsd > freebsd: ESP spi=0xf3cb2428,seq=0x1a), length 92
```

With pf enabled: tcpdump continues to show similar packets, machines on NetworkA continue to access NetworkB *BUT* machines on NetworkB are blocked by PF, but for a singular reason.

pflog shows unencrypted packets from NetworkA to NetworkB. Example for an ssh connection initiated from NetworkB to NetworkA (this applies to all protocols except ICMP):


```
00:00:00.000000 IP6 MachineA.ssh > MachineB.52719: Flags [S.], seq 1862827950, ack 2014870766, win 5712, options [mss 1440,sackOK,TS val 
211216935 ecr 257703668,nop,wscale 4], length 0
```

Please note the source port.


I've tcpdumped on OpenBSD, and no packet is transmitted in clear from NetworkA to NetworkB. pf is enabled on OpenBSD. I don't think OpenBSD is the problem.

When pf is disabled on FreeBSD, there is no packet transmitted in clear from NetworkA to NetworkB: only encrypted packets from gwA to gwB and from gwB to gwA.

So I think there is a problem after decryption of the packet by racoon. But I don't see why.

For information: a sample of the pf.conf which causes the problem.


```
ext_if="sis0"
int_if="sis1"

set skip on { lo0 enc0 }
set state-policy if-bound
set block-policy return
scrub in  all

block in log (all, to pflog0)

pass out keep state

pass in on $ext_if keep state
pass in on $int_if keep state
```

Any advice?

Thanks. 

Christophe.


----------



## rbaylon (May 23, 2012)

The problem here is with pf. It is blocking the packet for the TCP 3-way handshake. This traffic

```
00:00:00.000000 IP6 MachineA.ssh > MachineB.52719: Flags [S.], seq 1862827950, ack 2014870766, win 5712, options [mss 1440,sackOK,TS val 
211216935 ecr 257703668,nop,wscale 4], length 0
```
means that this is a response packet from MachineA to MachineB with a SYN+ACK flag.

The default flags for pf are "flags S/SA" which means it will only accept SYN packets for new connections.

SYN+ACK or SA should not be blocked if there are existing states. I'm not sure if the creation of states is the issue here but I'm sure that setting the TCP flag to "flags any" can solve this problem for now.

A temporary solution for this is to add "flags any" in your pf pass rule for network A and network B.


```
pass in on $ext_if from $networkA to $networkB flags any keep state
```

Maybe some pf devs can shed light on this problem because I'm sure that this is a bug.


----------



## unix_united (Sep 27, 2012)

*IPv6 with racoon and FreeBSD*

Hi there,

I hope you found the solution to this problem, since I am trying to do something similar. Could you please share some configs on FreeBSD on how to create an IPv6 IPSEC Tunnel with racoon?

Cheers,
Norman


----------



## STux (Sep 29, 2012)

*racoon.conf*

Hi,

unix_united said:

> Could you please share some configs on FreeBSD on how to create an IPv6 IPSEC Tunnel with racoon?



Here is the racoon.conf I used on FreeBSD. 


```
path include "/usr/local/etc/racoon";
path pre_shared_key "/usr/local/etc/racoon/psk.txt";

# "padding" defines some padding parameters.
# You should not touch these.
padding
{
        maximum_length 20;      # maximum padding length.
        randomize off;          # enable randomize length.
        strict_check off;       # enable strict check.
        exclusive_tail off;     # extract last one octet.
}

listen
{
        isakmp 2001:abcd:ef:1234::1;
}

remote anonymous
{
        exchange_mode main;
        doi ipsec_doi;
        situation identity_only;

        my_identifier address;

        initial_contact on;
        proposal_check obey;

        proposal {
                encryption_algorithm blowfish;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group modp1024;
        }
}

sainfo anonymous
{
        pfs_group modp1024;
        encryption_algorithm blowfish;
        authentication_algorithm hmac_sha256;
        compression_algorithm deflate;
}
```

Unfortunately, I no longer have the OpenBSD side. 

Hope that helps. 

Christophe.


----------



## aebel (Jan 15, 2013)

Hi,

I have the same problem with two FreeBSD gateways.

*My Network config (ipv6):*
NetworkA (ipv6) <=> GatewayA (FreeBSD) <=> wan (ipv6/ipsec) <=> GatewayB (FreeBSD) <=> NetworkB (ipv6)

I have configured pf on both gateways. Without the tunnel, ssh works fine, but after the ESP tunnel is established I cannot ssh from a host on NetworkA to GatewayB. ICMP ping however works great. I have also tried to add "flags any" to my pf rules but it didn't work.

Here is the output of my pflog:

```
00:00:00.199451 rule 1..16777216/0(match): block in on tun0: GatewayB.22 > MaschineA.10373: Flags [S.],
seq 31273801, ack 166    3479153, win 65535, options [mss 1440,nop,wscale 6,sackOK,TS val 2779619159 ecr 513063378], length 0
```

Any help would be appreciated.

Alexander


----------



## J65nko (Jan 15, 2013)

Just like for the original poster, pf somehow blocks the second packet of the 3-way TCP handshake.
For an explanation of this handshake see http://en.wikipedia.org/wiki/3_way_handshake#Connection_establishment

The *Create TCP states on the initial SYN packet* section of Testing your firewall goes into detail about which problems you can expect if you don't create state on the first TCP SYN packet.

After the tunnel is established do you see a corresponding entry in the pf state table for it?
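
The `flags S/SA` check rbaylon describes, applied to the pflog lines STux and aebel posted, as an added example that is not part of any post in this thread. The function names are hypothetical, the two thread lines have their TCP options trimmed, and the plain SYN line is constructed for comparison.

```python
import re

# tcpdump prints ACK as "."; pf.conf writes it as "A". The other letters coincide.
TCPDUMP_TO_PF = {".": "A", **{c: c for c in "SFRPUEW"}}
FLAGS_RE = re.compile(r"(\S+) > (\S+): Flags \[([A-Za-z.]+)\]")

# Lines taken from the thread (trimmed), plus one constructed plain SYN.
STUX_LINE = "00:00:00.000000 IP6 MachineA.ssh > MachineB.52719: Flags [S.], seq 1862827950, ack 2014870766, win 5712, length 0"
AEBEL_LINE = "00:00:00.199451 rule 1..16777216/0(match): block in on tun0: GatewayB.22 > MaschineA.10373: Flags [S.], win 65535, length 0"
SYN_LINE = "00:00:00.000000 IP6 MachineB.52719 > MachineA.ssh: Flags [S], seq 2014870765, win 65535, length 0"  # constructed


def packet_flags(line):
    """Return (src, dst, pf-style flag set) for a tcpdump/pflog TCP line, else None."""
    m = FLAGS_RE.search(line)
    if m is None:
        return None
    return m.group(1), m.group(2), {TCPDUMP_TO_PF[c] for c in m.group(3) if c in TCPDUMP_TO_PF}


def rule_matches(spec, flags):
    """pf 'flags <check>/<mask>': among the flags in mask, exactly those in check are set."""
    if spec == "any":
        return True
    check, _, mask = spec.partition("/")
    return (flags & set(mask)) == set(check)


def classify(line, spec="S/SA"):
    """Say whether a logged packet could create state under a pass rule using `spec`."""
    parsed = packet_flags(line)
    if parsed is None:
        return "not-tcp"
    flags = parsed[2]
    if rule_matches(spec, flags):
        return "can-create-state"
    if {"S", "A"} <= flags:
        return "handshake-reply-needs-existing-state"
    return "needs-existing-state"


if __name__ == "__main__":
    for name, line in (("STux", STUX_LINE), ("aebel", AEBEL_LINE), ("SYN", SYN_LINE)):
        print(name, packet_flags(line)[:2], classify(line), classify(line, "any"))
```

A `handshake-reply-needs-existing-state` result on a blocked line means pf found no matching state for that packet, which is what the state table question above is probing.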


----------



## aebel (Jan 16, 2013)

J65nko said:

> After the tunnel is established do you see a corresponding entry in the pf state table for it?



_pftop_ on GatewayA shows me the following output:

```
esp   Out GatewayA::1[0]   GatewayB::1[0]   MULTIPLE:MULTIPLE   00:00:10  00:00:59   20   3200
```


----------



## aebel (Jan 22, 2013)

When I initiate the IPSEC connection in transport mode with '_esp/transport_' in my setkey.conf, PF does not block any packets from the handshake and ssh works!

However, when I switch back to '_esp/tunnel_' the problem remains. Only if I add '_set skip in $ipv6_if_' in my pf.conf does ssh begin to work.


----------

