From owner-freebsd-bugs@FreeBSD.ORG Tue Feb 25 22:57:26 2014
Message-ID: <1393369044.21345.1.camel@fr-wks3.corp.novso.com>
Subject: Re: kern/185876: ipfw not matching incoming packets decapsulating ipsec. example l2tp/ipsec
From: Nicolas DEFFAYET
To: Georgios Amanakis
Date: Tue, 25 Feb 2014 23:57:24 +0100
Organization: DEFFAYET.COM
Cc: andre@freebsd.org, melifaro@freebsd.org, Александр Волобуев, freebsd-bugs@freebsd.org, bug-followup@freebsd.org
List-Id: Bug reports

On Tue, 2014-02-25 at 23:24 +0100, Georgios Amanakis wrote:
> > Index: netipsec/xform_ipip.c
> > ===================================================================
> > --- netipsec/xform_ipip.c (revision 262492)
> > +++ netipsec/xform_ipip.c (working copy)
> > @@ -181,6 +181,7 @@
> > IPIPSTAT_INC(ipips_ipackets);
> >
> > m_copydata(m, 0, 1, &v);
> > + m_clrprotoflags(m);
> >
> > switch (v >> 4) {
> > #ifdef INET
>
> That one does not resolve it correctly, i.e. not all ipsec packets are
> captured. Furthermore, the captured packets have both directions, in
> and out (as captured by: allow ip from any to any in, allow ip from
> any to any out)

Did you test with IPsec as transport mode or as tunnel mode?

-- 
Nicolas DEFFAYET
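Review bot: the added m_clrprotoflags(m) sits only in the IP-in-IP input path of netipsec/xform_ipip.c, between m_copydata(m, 0, 1, &v) and switch (v >> 4), so it can only touch packets decapsulated from tunnel-mode SAs; transport-mode ESP/AH payloads never pass through this function and keep whatever protocol flags were set on the packet before decapsulation, which is consistent with the report that not all IPsec packets are captured. Either apply the same clearing where transport-mode payloads are handed back to the IP input path, or add a comment above the call stating that it is intentionally tunnel-mode only and which stale flag it is meant to clear, since the hunk adds the call with no explanation.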