<HTML><BODY style="word-wrap: break-word; -khtml-nbsp-mode: space; -khtml-line-break: after-white-space; ">Your help is greatly appreciated.<BR><DIV><DIV>On Aug 22, 2006, at 2:16 PM, Paul Wouters wrote:</DIV><BR class="Apple-interchange-newline"><BLOCKQUOTE type="cite"><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">On Tue, 22 Aug 2006, Brett Curtis wrote:</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; min-height: 14px; "><BR></DIV> <BLOCKQUOTE type="cite"><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">Rather than setting proc options in sysctl I echoed them in proc... AFAIK</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">there is no difference. (do not want to reboot)</DIV> </BLOCKQUOTE><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; min-height: 14px; "><BR></DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">Yup, that's fine.</DIV></BLOCKQUOTE><DIV><BR class="khtml-block-placeholder"></DIV>Ok.<BR><BLOCKQUOTE type="cite"><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; min-height: 14px; "><BR></DIV> <BLOCKQUOTE type="cite"><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">These 'test' rules allow me to connect</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; min-height: 14px; "><BR></DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "># TESTING RULES #</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">.......</DIV> </BLOCKQUOTE><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; min-height: 14px; "><BR></DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 
0px; ">This is not a good test. The decrypted esp packets will *also* show up</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">as plaintext l2tp packets in the input chain after getting decrypted.</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; min-height: 14px; "><BR></DIV></BLOCKQUOTE><DIV><BR class="khtml-block-placeholder"></DIV><DIV>Ok, with these rules I noticed port 1701 logged in my firewall; however, a tcpdump showed all traffic going over 4500 as it should.</DIV><DIV>So I understand what you are saying there.</DIV><BR><BLOCKQUOTE type="cite"><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; min-height: 14px; "></DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">The idea of my rules was to mark all ESP packets. This mark survives</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">decrypting, so then we have l2tp packets with the mark. Since we allow</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">all packets with the mark with an ACCEPT rule, these get accepted. Then</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">you should *block* l2tp packets with an append (-A) rule. 
The result is</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">that when the l2tp was encrypted, the marked packet will be allowed,</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">but if it came in unencrypted, there is no accept rule for it and it</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">hits the drop rule for l2tp.</DIV></BLOCKQUOTE><DIV><BR class="khtml-block-placeholder"></DIV><DIV>Ok, I was able to test these rules...</DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV>iptables -t mangle -A INPUT --proto esp -j MARK --set-mark 1</DIV><DIV>iptables -A INPUT -i eth0 -m mark --mark 1 -j LOG --log-prefix "Mark 1:"</DIV><DIV>iptables -A INPUT -i eth0 -m mark --mark 1 -j ACCEPT</DIV><DIV>iptables -A INPUT -i eth0 -p udp --dport 1701 -j LOG --log-prefix "L2TP Drop:"</DIV><DIV>iptables -A INPUT -i eth0 -p udp --dport 1701 -j DROP</DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV>Same as yours, just with a bit more logging. Interestingly enough, packets are never marked!</DIV><DIV>Fails the same way, dropping port 1701.</DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV>Seems mark in iptables is working; I tested this by marking everything with a source address from my XP machine. 
</DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV>$IPT -t mangle -A INPUT -i $EXTIF -s 24.39.31.52 -j MARK --set-mark 2</DIV><DIV>$IPT -A INPUT -i $EXTIF -m mark --mark 2 -j LOG --log-prefix "Match 2:"</DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV>and a simple ping just to see if match is working as it should.</DIV><DIV><BR class="khtml-block-placeholder"></DIV></DIV><DIV><BLOCKQUOTE type="cite"><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; min-height: 14px; "><BR></DIV> <BLOCKQUOTE type="cite"><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">Nothing is ever hitting my Match rule; I put logging in and nothing comes up,</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">maybe my problem is there..</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">I also didn't use a match and allowed all esp and still the same results...</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; min-height: 14px; "><BR></DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">not sure if this is valid but I also tried tcpdump -i eth0 esp and nothing</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">showed. No esp packets.</DIV> </BLOCKQUOTE><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; min-height: 14px; "><BR></DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">netkey is a bit odd, but I believe for incoming you should see both encrypted</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">and decrypted packets. 
I guess you should verify your Windows l2tp connection</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">definition.</DIV></BLOCKQUOTE><DIV><BR class="khtml-block-placeholder"></DIV>I double checked the XP client and also tried with OSX.<BR><BLOCKQUOTE type="cite"><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; min-height: 14px; "><BR></DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">Also, to verify/check windows is using ipsec, you can enable OAKLEY.LOG</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">debugging and then check to see if it is attempting ipsec or not.</DIV></BLOCKQUOTE><DIV><BR class="khtml-block-placeholder"></DIV>At this point would this log help? I could attach it.<BR><DIV><BR class="khtml-block-placeholder"></DIV><DIV>So what I think... my esp packets are not matched and I have _no_ idea why. Ideas anyone?</DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV>If folks think I am on the right path I may try to roll back to an older kernel this weekend.</DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV>It has been a truly long day and I tend to lose my mind after so much debugging ;) so I will pick this up in the morning.</DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV>Thanks again, nice to have someone to bounce off of, whereas I am the only IT guy at the company.</DIV></DIV><DIV><BR><BLOCKQUOTE type="cite"><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; min-height: 14px; "><BR></DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">Paul</DIV> </BLOCKQUOTE></DIV><BR><DIV> <SPAN class="Apple-style-span" style="border-collapse: separate; border-spacing: 0px 0px; color: rgb(0, 0, 0); font-family: Eurostile; font-size: 10px; font-style: normal; font-variant: normal; font-weight: normal; 
letter-spacing: normal; line-height: normal; text-align: auto; -khtml-text-decorations-in-effect: none; text-indent: 0px; -apple-text-size-adjust: auto; text-transform: none; orphans: 2; white-space: normal; widows: 2; word-spacing: 0px; "><SPAN class="Apple-style-span" style="border-collapse: separate; border-spacing: 0px 0px; color: rgb(0, 0, 0); font-family: Eurostile; font-size: 10px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; text-align: auto; -khtml-text-decorations-in-effect: none; text-indent: 0px; -apple-text-size-adjust: auto; text-transform: none; orphans: 2; white-space: normal; widows: 2; word-spacing: 0px; "><DIV>Brett Curtis</DIV><DIV><A href="mailto:dashnu@gmail.com">dashnu@gmail.com</A></DIV><DIV><A href="http://teh.sh.nu">http://teh.sh.nu</A></DIV><DIV><BR class="khtml-block-placeholder"></DIV><BR class="Apple-interchange-newline"></SPAN></SPAN> </DIV><BR></BODY></HTML>