Date:      Mon, 27 Nov 2023 13:23:48 +0000
From:      bugzilla-noreply@freebsd.org
To:        pf@FreeBSD.org
Subject:   [Bug 273198] [14.0 CURRENT] PF recognizes encrypted IPSec traffic as coming from WAN. | NAT with IPsec Phase 2 Networks
Message-ID:  <bug-273198-16861-nDk3tRQxq0@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-273198-16861@https.bugs.freebsd.org/bugzilla/>
References:  <bug-273198-16861@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=273198

cArleone <32carleone@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |32carleone@gmail.com

--- Comment #1 from cArleone <32carleone@gmail.com> ---
Hello,
This error persists in FreeBSD 14-RELEASE. I tested it today.
The response from IPsec still seems to be coming from the WAN interface.

# Since it seems to be coming from the WAN, it is blocked by hitting my wrong rule.
block drop in log quick on pppoe_igc1 from any to any tag "wan" ridentifier 100000001

# pflog
100000001]: block in on pppoe_igc1: 32.32.32.32.443 > 192.168.1.233.54146: Flags [S.], seq 1260103609, ack 142834308, win 65535, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0

# my nat rule
nat log on enc0 inet from { 192.168.1.0/24 } to { 32.32.32.32/32 } -> 10.200.100.1/32


# swanctl --list-sas
ipsec2000: #18, ESTABLISHED, IKEv1, 006cc2d48e260de2_i 768af4a1fdc970bf_r*
  local  '95.95.95.95' @ 95.95.95.8[4500]
  remote '212.212.212.212' @ 212.212.212.212[4500]
  AES_CBC-256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
  established 20485s ago, reauth in 56685s
  ipsec2001: #23, reqid 1, INSTALLED, TUNNEL-in-UDP, ESP:AES_CBC-256/HMAC_SHA2_256_128
    installed 2757s ago, rekeying in 135s, expires in 843s
    in  c2ad555f, 716504 bytes,   535 packets, 14249s ago
    out c89f82d4,  70100 bytes,   523 packets,  1143s ago
    local  10.200.100.1/32|192.168.1.0/24
    remote 32.32.32.32/32|/0

-- 
You are receiving this mail because:
You are the assignee for the bug.
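The check the reporter did by hand above (a blocked packet logged on pppoe_igc1 whose addresses are exactly the IPsec Phase 2 selectors) can be automated. The script below is an added triage helper; it is not part of the bug report, of pf, or of strongSwan. It reads the child-SA traffic selectors out of `swanctl --list-sas` text, parses tcpdump-formatted pflog lines, and reports packets that lie inside a child SA's selectors but were logged on an interface other than enc0. The sample inputs are constructed from the addresses in the report, the bare `/0` selector token shown there is skipped rather than guessed at, and the verdict labels and function names are assumptions of this example.

```python
"""Correlate pflog output with strongSwan child-SA traffic selectors.

Added triage helper (not part of the bug report): flag packets whose
src/dst fall inside an IPsec child SA's selectors but that pf logged on
an interface other than the tunnel interface (enc0). All sample input
below is constructed from the addresses given in the report.
"""
import ipaddress
import re

# Child SA selector lines look like "    local  10.200.100.1/32|192.168.1.0/24".
# IKE SA lines ("  local  '95.95.95.95' @ ...") contain quotes and do not match.
_SELECTOR_RE = re.compile(r"^\s*(local|remote)\s+([\d./|]+)\s*$")

# tcpdump rendering of pflog records, e.g.
# "block in on pppoe_igc1: 32.32.32.32.443 > 192.168.1.233.54146: Flags [S.], ..."
_PFLOG_RE = re.compile(
    r"(?P<action>block|pass|match)\s+(?P<dir>in|out)\s+on\s+(?P<ifname>\S+):\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):"
)

# Constructed from the report's swanctl output (wrapped line rejoined).
SAMPLE_SAS = """\
ipsec2000: #18, ESTABLISHED, IKEv1, 006cc2d48e260de2_i 768af4a1fdc970bf_r*
  local  '95.95.95.95' @ 95.95.95.8[4500]
  remote '212.212.212.212' @ 212.212.212.212[4500]
  ipsec2001: #23, reqid 1, INSTALLED, TUNNEL-in-UDP, ESP:AES_CBC-256/HMAC_SHA2_256_128
    local  10.200.100.1/32|192.168.1.0/24
    remote 32.32.32.32/32|/0
"""

# Constructed pflog lines: the report's blocked packet, an unrelated WAN
# packet, and two packets seen where IPsec payload is expected (enc0).
SAMPLE_PFLOG = [
    "block in on pppoe_igc1: 32.32.32.32.443 > 192.168.1.233.54146: Flags [S.], "
    "seq 1260103609, ack 142834308, win 65535, length 0",
    "block in on pppoe_igc1: 203.0.113.7.51234 > 95.95.95.95.22: Flags [S], "
    "seq 1, win 64240, length 0",
    "pass in on enc0: 32.32.32.32.443 > 10.200.100.1.54146: Flags [S.], "
    "seq 1, ack 1, win 65535, length 0",
    "pass out on enc0: 10.200.100.1.54146 > 32.32.32.32.443: Flags [S], "
    "seq 1, win 65535, length 0",
]


def parse_child_selectors(sas_text):
    """Return (local_nets, remote_nets) parsed from swanctl --list-sas text.

    Tokens that are not valid networks (the report shows a bare "/0") are
    skipped: ipaddress.ip_network() raises ValueError on them.
    """
    nets = {"local": [], "remote": []}
    for line in sas_text.splitlines():
        m = _SELECTOR_RE.match(line)
        if not m:
            continue
        for tok in m.group(2).split("|"):
            try:
                nets[m.group(1)].append(ipaddress.ip_network(tok, strict=False))
            except ValueError:
                continue
    return nets["local"], nets["remote"]


def parse_pflog_line(line):
    """Extract action, direction, interface and 4-tuple from one pflog line."""
    m = _PFLOG_RE.search(line)
    if not m:
        return None
    pkt = m.groupdict()
    pkt["sport"], pkt["dport"] = int(pkt["sport"]), int(pkt["dport"])
    return pkt


def classify(pkt, local_nets, remote_nets, tunnel_if="enc0"):
    """Label a packet relative to the child SA selectors.

    For inbound packets the far end is the source, for outbound the
    destination. A packet inside the selectors is expected on tunnel_if;
    the same packet on any other interface is the misattribution the
    report describes.
    """
    src, dst = ipaddress.ip_address(pkt["src"]), ipaddress.ip_address(pkt["dst"])
    far, near = (src, dst) if pkt["dir"] == "in" else (dst, src)
    in_tunnel = (any(far in n for n in remote_nets)
                 and any(near in n for n in local_nets))
    if not in_tunnel:
        return "unrelated"
    return "ipsec-expected" if pkt["ifname"] == tunnel_if else "ipsec-misattributed"


def triage(sas_text, pflog_lines):
    """Return (ifname, src, dst, verdict) for every parseable pflog line."""
    local_nets, remote_nets = parse_child_selectors(sas_text)
    out = []
    for line in pflog_lines:
        pkt = parse_pflog_line(line)
        if pkt is not None:
            out.append((pkt["ifname"], pkt["src"], pkt["dst"],
                        classify(pkt, local_nets, remote_nets)))
    return out


if __name__ == "__main__":
    for row in triage(SAMPLE_SAS, SAMPLE_PFLOG):
        print("%-12s %-16s -> %-16s %s" % row)
```

On a live box the pflog lines would come from `tcpdump -n -e -i pflog0` and the selectors from `swanctl --list-sas`; any row labelled `ipsec-misattributed` is a decapsulated IPsec payload that pf evaluated against the rules of the outer interface instead of enc0.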


