From: "Andrey V. Elsukov" <bu7cher@yandex.ru>
To: Eugene Grosbein, Peter Jeremy, freebsd-net@freebsd.org
Cc: "Alexander V. Chernikov"
Subject: Re: IPSEC problems with pf
Date: Sat, 25 Sep 2021 16:06:55 +0300
Message-ID: <88c23447-4733-80a2-cb59-f0720b4b836c@yandex.ru>
In-Reply-To: <63369d6b-23f3-3d4e-4ff8-dd068c894564@grosbein.net>
List-Id: Networking and TCP/IP with FreeBSD
List-Archive: https://lists.freebsd.org/archives/freebsd-net

25.09.2021 03:31, Eugene Grosbein writes:
> I know three main reasons that may prevent firewall+IPSec from working as expected:
>
> 1) for incoming packets: kernel could drop incoming packet within ipsec code
> incrementing one of counters shown with "netstat -sp ipsec" command,
> so you should check it out first;
>
> 2) for both outgoing and incoming packets there could be a processing order problem:
> packets processed first by pfil(9) framework (so pf/ipfw have a chance to do NAT etc.)
> and only then sent to ipsec(4) to transform (in FreeBSD 11 at least), not vice versa.

AFAIK, pf does not send packets to IPsec processing after NAT. You need to make translation after IPsec processing using the if_enc interface.

>
> 3) also read if_enc(4) manual page to make familiar with net.enc.out.* and net.enc.in.* sysctl family,
> as it may affect, too. If you do not use enc(4) pseudo-interface, make sure you changed defaults to:
>
> net.enc.in.ipsec_filter_mask=0
> net.enc.out.ipsec_filter_mask=0

Another important variable that needs attention is net.inet.ipsec.filtertunnel

--
WBR, Andrey V. Elsukov
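The checks listed in this exchange (non-zero "netstat -sp ipsec" counters, the two net.enc.*.ipsec_filter_mask values and net.inet.ipsec.filtertunnel) as a small POSIX sh report; this is an added example, not code from the thread or from FreeBSD, and the netstat output and sysctl values it runs on are constructed for the demo (the function names are mine):

```shell
#!/bin/sh
# Added example, not code from the thread. It turns the checks discussed above
# into a small report: counters greater than zero from "netstat -sp ipsec"
# (reason 1) and the state of the net.enc.*.ipsec_filter_mask sysctls plus
# net.inet.ipsec.filtertunnel (reason 3). Sample data below is constructed;
# on a FreeBSD host feed the functions real output, e.g.
#   netstat -sp ipsec | ipsec_drop_counters
#   enc_filter_mode "$(sysctl -n net.enc.in.ipsec_filter_mask)" \
#                   "$(sysctl -n net.enc.out.ipsec_filter_mask)"

# Print only counters greater than zero from "netstat -sp ipsec" output on stdin.
# Assumed line format: leading tab or spaces, "<count> <description>".
ipsec_drop_counters() {
    awk '$1 ~ /^[0-9]+$/ && $1 + 0 > 0 { sub(/^[ \t]+/, ""); print }'
}

# Classify the enc(4) filter masks: $1 = net.enc.in.ipsec_filter_mask,
# $2 = net.enc.out.ipsec_filter_mask. Per the thread, a host that does not use
# enc0 should have both at 0 ("masked"); both non-zero means pf is meant to see
# IPsec traffic on enc0 ("enc0"); one of each is an inconsistent setup ("mixed").
enc_filter_mode() {
    if [ "$1" -eq 0 ] && [ "$2" -eq 0 ]; then
        echo masked
    elif [ "$1" -ne 0 ] && [ "$2" -ne 0 ]; then
        echo enc0
    else
        echo mixed
    fi
}

# Constructed sample of "netstat -sp ipsec" output (counter values invented).
SAMPLE_NETSTAT='ipsec:
    0 inbound packets violated process security policy
    3 inbound packets failed due to insufficient memory
    0 invalid inbound packets
    2 outbound packets with no SA available'

# Constructed sysctl values for the demo (deliberately inconsistent).
SAMPLE_IN_MASK=2
SAMPLE_OUT_MASK=0
SAMPLE_FILTERTUNNEL=0

echo "== non-zero ipsec counters (check these first) =="
printf '%s\n' "$SAMPLE_NETSTAT" | ipsec_drop_counters
echo "== enc(4) filter masks: $(enc_filter_mode "$SAMPLE_IN_MASK" "$SAMPLE_OUT_MASK") =="
echo "== net.inet.ipsec.filtertunnel=$SAMPLE_FILTERTUNNEL (the other variable the reply says to check) =="
```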