Date: Wed, 05 Aug 2020 14:20:40 +0000
From: bugzilla-noreply@freebsd.org
To: net@FreeBSD.org
Subject: [Bug 248474] NAT broken on IPsec/VTI [if_ipsec]
Message-ID: <bug-248474-7501-UUlg3fcWgQ@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-248474-7501@https.bugs.freebsd.org/bugzilla/>
References: <bug-248474-7501@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=248474

Andrey V. Elsukov <ae@FreeBSD.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |kp@freebsd.org

--- Comment #9 from Andrey V. Elsukov <ae@FreeBSD.org> ---
(In reply to Michael Muenz from comment #8)

AFAIK, pf NAT and route-to rules work as the last point in the network stack,
i.e. pf doesn't reinject the packet back into the stack and there is no way for
IPsec to catch the packet and apply the IPsec transformation. If you want to
make it work, you need to patch pf(4) and add IPSEC_OUTPUT()/IPSEC_FORWARD()
calls at the points where pf sends to the network interface, like the IP output
routines do. Probably some changes are also required in the inbound path.
I don't think that the change proposed for strongswan will help.

-- 
You are receiving this mail because:
You are the assignee for the bug.
