Hi everyone,

On a network, I have an openbsd 4.2/pf firewall in front of a pfsense
1.2 firewall. On a remote subnet, I have another pfSense 1.2 filtering
router.

lan1 --- pfsense ---- openbsd/pf ---- internet ---- pfsense --- lan2

I want the two pfsense boxes to be the two endpoints of an IPSec
tunnel. Until some point everything works fine, I can ping everything
in both networks and in both directions. But when I try more
sophisticated protocols, like a machine in lan2 accessing a web server
in lan1, after the connection nothing is received.

While tracking down the problem, I found out that the openbsd box is
translating some esp packets, while it doesn't with the others. Here
is a zoom of the situation, followed by the output of tcpdump on the
openbsd interfaces.

pfsense (192.168.2.254) ---- (vr1: 192.168.2.1) openbsd/pf (vr0
192.168.4.254) --- Netgear ADSL modem/router

# tcpdump -neli vr1 src 192.168.2.254 and esp
tcpdump: listening on vr1, link-type EN10MB
19:36:56.628423 mac1:mac2 0800 126: esp 192.168.2.254 >
xxx.yyy.zzz.ttt spi 0x0971DAAD seq 17 len 92
19:36:57.134092 mac1:mac2 0800 118: esp 192.168.2.254 >
xxx.yyy.zzz.ttt spi 0x0971DAAD seq 18 len 84
19:36:57.134616 mac1:mac2 0800 718: esp 192.168.2.254 >
xxx.yyy.zzz.ttt spi 0x0971DAAD seq 19 len 684
19:36:57.134662 mac1:mac2 0800 118: esp 192.168.2.254 >
xxx.yyy.zzz.ttt spi 0x0971DAAD seq 20 len 84
19:36:57.652046 mac1:mac2 0800 118: esp 192.168.2.254 >
xxx.yyy.zzz.ttt spi 0x0971DAAD seq 21 len 84
19:36:59.652491 mac1:mac2 0800 126: esp 192.168.2.254 >
xxx.yyy.zzz.ttt spi 0x0971DAAD seq 22 len 92
19:37:00.156140 mac1:mac2 0800 118: esp 192.168.2.254 >
xxx.yyy.zzz.ttt spi 0x0971DAAD seq 23 len 84
19:37:00.466714 mac1:mac2 0800 1514: esp 192.168.2.254 >
xxx.yyy.zzz.ttt spi 0x0971DAAD seq 24 len 1480 (frag 63630:1480@0+)
19:37:00.466721 mac1:mac2 0800 86: 192.168.2.254 > xxx.yyy.zzz.ttt:
(frag 63630:52@1480)
19:37:00.467405 mac1:mac2 0800 1514: esp 192.168.2.254 >
xxx.yyy.zzz.ttt spi 0x0971DAAD seq 25 len 1480 (frag 28362:1480@0+)
19:37:00.467411 mac1:mac2 0800 86: 192.168.2.254 > xxx.yyy.zzz.ttt:
(frag 28362:52@1480)
19:37:00.467938 mac1:mac2 0800 1514: esp 192.168.2.254 >
xxx.yyy.zzz.ttt spi 0x0971DAAD seq 26 len 1480 (frag 12687:1480@0+)
19:37:00.467945 mac1:mac2 0800 86: 192.168.2.254 > xxx.yyy.zzz.ttt:
(frag 12687:52@1480)
19:37:02.861559 mac1:mac2 0800 1514: esp 192.168.2.254 >
xxx.yyy.zzz.ttt spi 0x0971DAAD seq 27 len 1480 (frag 2441:1480@0+)
19:37:02.861565 mac1:mac2 0800 86: 192.168.2.254 > xxx.yyy.zzz.ttt:
(frag 2441:52@1480)
19:37:06.828151 mac1:mac2 0800 118: esp 192.168.2.254 >
xxx.yyy.zzz.ttt spi 0x0971DAAD seq 28 len 84
19:37:07.661592 mac1:mac2 0800 1514: esp 192.168.2.254 >
xxx.yyy.zzz.ttt spi 0x0971DAAD seq 29 len 1480 (frag 32178:1480@0+)
19:37:07.661597 mac1:mac2 0800 86: 192.168.2.254 > xxx.yyy.zzz.ttt:
(frag 32178:52@1480)
19:37:17.261692 mac1:mac2 0800 1514: esp 192.168.2.254 >
xxx.yyy.zzz.ttt spi 0x0971DAAD seq 30 len 1480 (frag 4847:1480@0+)
19:37:17.261698 mac1:mac2 0800 86: 192.168.2.254 > xxx.yyy.zzz.ttt:
(frag 4847:52@1480)

# tcpdump -neli vr0 src 192.168.2.254 or src 192.168.4.254 and esp
tcpdump: listening on vr0, link-type EN10MB
19:36:56.628441 mac3:mac4 0800 126: esp 192.168.4.254 >
xxx.yyy.zzz.ttt spi 0x0971DAAD seq 17 len 92
19:36:57.134109 mac3:mac4 0800 118: esp 192.168.4.254 >
xxx.yyy.zzz.ttt spi 0x0971DAAD seq 18 len 84
19:36:57.134632 mac3:mac4 0800 718: esp 192.168.4.254 >
xxx.yyy.zzz.ttt spi 0x0971DAAD seq 19 len 684
19:36:57.134678 mac3:mac4 0800 118: esp 192.168.4.254 >
xxx.yyy.zzz.ttt spi 0x0971DAAD seq 20 len 84
19:36:57.652063 mac3:mac4 0800 118: esp 192.168.4.254 >
xxx.yyy.zzz.ttt spi 0x0971DAAD seq 21 len 84
19:36:59.652508 mac3:mac4 0800 126: esp 192.168.4.254 >
xxx.yyy.zzz.ttt spi 0x0971DAAD seq 22 len 92
19:37:00.156157 mac3:mac4 0800 118: esp 192.168.4.254 >
xxx.yyy.zzz.ttt spi 0x0971DAAD seq 23 len 84
19:37:00.466740 mac3:mac4 0800 1514: esp 192.168.2.254 >
xxx.yyy.zzz.ttt spi 0x0971DAAD seq 24 len 1480 (frag 63630:1480@0+)
19:37:00.466752 mac3:mac4 0800 86: 192.168.2.254 > xxx.yyy.zzz.ttt:
(frag 63630:52@1480)
19:37:00.467428 mac3:mac4 0800 1514: esp 192.168.2.254 >
xxx.yyy.zzz.ttt spi 0x0971DAAD seq 25 len 1480 (frag 28362:1480@0+)
19:37:00.467441 mac3:mac4 0800 86: 192.168.2.254 > xxx.yyy.zzz.ttt:
(frag 28362:52@1480)
19:37:00.467961 mac3:mac4 0800 1514: esp 192.168.2.254 >
xxx.yyy.zzz.ttt spi 0x0971DAAD seq 26 len 1480 (frag 12687:1480@0+)
19:37:00.467973 mac3:mac4 0800 86: 192.168.2.254 > xxx.yyy.zzz.ttt:
(frag 12687:52@1480)
19:37:02.861586 mac3:mac4 0800 1514: esp 192.168.2.254 >
xxx.yyy.zzz.ttt spi 0x0971DAAD seq 27 len 1480 (frag 2441:1480@0+)
19:37:02.861598 mac3:mac4 0800 86: 192.168.2.254 > xxx.yyy.zzz.ttt:
(frag 2441:52@1480)
19:37:06.828168 mac3:mac4 0800 118: esp 192.168.4.254 >
xxx.yyy.zzz.ttt spi 0x0971DAAD seq 28 len 84
19:37:07.661618 mac3:mac4 0800 1514: esp 192.168.2.254 >
xxx.yyy.zzz.ttt spi 0x0971DAAD seq 29 len 1480 (frag 32178:1480@0+)
19:37:07.661628 mac3:mac4 0800 86: 192.168.2.254 > xxx.yyy.zzz.ttt:
(frag 32178:52@1480)
19:37:17.261719 mac3:mac4 0800 1514: esp 192.168.2.254 >
xxx.yyy.zzz.ttt spi 0x0971DAAD seq 30 len 1480 (frag 4847:1480@0+)

I can see that on the external interface (vr0) some packets were
translated (192.168.2.254 became 192.168.4.254), but the others
weren't. Of course pf is configured to translate everything going out:

nat on $ext_if proto udp \
from !($ext_if) port = isakmp \
to any \
-> ($ext_if:0) static-port

nat on $ext_if from !($ext_if) -> ($ext_if:0)

So now, I don't know what to do. These are my first steps with IPSec,
and I know that it doesn't fit well with NAT. But some esp packets
*are* translated. It's a mystery for me, and any help would be
appreciated.

Thanks,

Yann