Date: Sat, 25 Sep 2021 07:31:11 +0700
From: Eugene Grosbein <eugen@grosbein.net>
To: Peter Jeremy <peter@rulingia.com>, freebsd-net@freebsd.org
Cc: "Andrey V. Elsukov" <ae@FreeBSD.org>, "Alexander V. Chernikov" <melifaro@freebsd.org>
Subject: Re: IPSEC problems with pf
Message-ID: <63369d6b-23f3-3d4e-4ff8-dd068c894564@grosbein.net>
In-Reply-To: <YU5ZKsBQ73UJ71r2@server.rulingia.com>
References: <YU5ZKsBQ73UJ71r2@server.rulingia.com>
CC'ing more knowledgeable developers.

25.09.2021 6:03, Peter Jeremy wrote:
> I don't understand:
> a) Why outgoing ICMP packets from firewall to VPS aren't going through
> the IPSEC transport.
> b) Why firewall is ignoring incoming IPSEC esp packets.
>
> Is anyone able to help?

I know three main reasons that may prevent firewall+IPSec from working as expected:

1) for incoming packets: kernel could drop incoming packet within ipsec code incrementing one of counters shown with "netstat -sp ipsec" command, so you should check it out first;

2) for both outgoing and incoming packets there could be processing order problem: packets processed first by pfil(9) framework (so pf/ipfw have a chance to do NAT etc.) and only then sent to ipsec(4) to transform (in FreeBSD 11 at least), not vice versa.

3) also read if_enc(4) manual page to become familiar with net.enc.out.* and net.enc.in.* sysctl family, as it may affect, too. If you do not use enc(4) pseudo-interface, make sure you changed defaults to:

net.enc.in.ipsec_filter_mask=0
net.enc.out.ipsec_filter_mask=0
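A small triage helper for points 1 and 3 above, added here as an example and not part of the thread: it reports any non-zero counter from "netstat -sp ipsec"-style output and checks the two enc(4) mask sysctls from "sysctl -e"-style name=value lines. The counter text below is constructed sample data, not real output.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes counter lines in the
# "<count> <description>" shape netstat -sp ipsec prints, and sysctl
# values fed as "name=value" lines (the shape sysctl -e prints).

# Print every counter with a non-zero value, prefixed with its section.
# Exit status 1 when at least one such counter exists (a drop to chase).
nonzero_ipsec_counters() {
    awk '
        /^[a-z0-9]+:$/ { section = $0; next }          # section header, e.g. "ipsec:"
        $1 ~ /^[0-9]+$/ && $1 + 0 > 0 { print section " " $0; found = 1 }
        END { exit found ? 1 : 0 }
    '
}

# Without an enc(4) interface in use, both masks should be 0 (see point 3).
# Exit status 1 if either mask is non-zero or missing from the input.
check_enc_masks() {
    awk -F= '
        $1 == "net.enc.in.ipsec_filter_mask" || $1 == "net.enc.out.ipsec_filter_mask" {
            seen++
            if ($2 + 0 != 0) { print "WARN " $1 "=" $2 " (expected 0 without enc(4))"; bad = 1 }
        }
        END { if (seen < 2) { print "WARN: enc mask sysctl missing"; bad = 1 } exit bad ? 1 : 0 }
    '
}

# Constructed sample in the netstat -sp ipsec layout (not captured output).
SAMPLE_NETSTAT='ipsec:
	0 inbound packets violated process security policy
	3 inbound packets failed due to insufficient memory
	0 outbound packets with no SA available
esp:
	0 packets shorter than header shows
	2 packets dropped; no transform'

# Demo run on the sample; on the firewall itself you would pipe the live
# commands instead:
#   netstat -sp ipsec | nonzero_ipsec_counters
#   sysctl -e net.enc.in.ipsec_filter_mask net.enc.out.ipsec_filter_mask | check_enc_masks
printf '%s\n' "$SAMPLE_NETSTAT" | nonzero_ipsec_counters || :
printf 'net.enc.in.ipsec_filter_mask=1\nnet.enc.out.ipsec_filter_mask=0\n' | check_enc_masks || :
```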