Date: Fri, 21 Jul 2017 13:21:38 +0200
From: "Muenz, Michael" <m.muenz@spam-fetish.org>
To: freebsd-net@freebsd.org
Subject: Re: NAT before IPSEC - reply packets stuck at enc0
Message-ID: <ef508036-02c3-9b0e-b200-86a731c8d082@spam-fetish.org>
In-Reply-To: <63e80fcf-915e-2dd5-d8c9-1904c8261c6f@yandex.ru>
References: <459d59f7-2895-8aed-d547-be46a0fbb918@spam-fetish.org> <a082662c-145e-0132-18ef-083adaa59c33@yandex.ru> <1c0de616-91ff-a6f9-d946-f098bc1a709f@spam-fetish.org> <911903d1-f353-d5d6-d400-d86150f88136@yandex.ru> <2d607e1a-a2c0-0f85-1530-c478962a76cd@spam-fetish.org> <3344e189-cdf0-a2c9-3a2a-645460866f2d@yandex.ru> <1279753e-9ad1-2c02-304e-5001e2bbc82f@spam-fetish.org> <15e6eb38-ef0c-7bfd-5f2c-d2acc8ea1af4@yandex.ru> <cdb7e172-4074-4559-1e91-90c8e9276134@spam-fetish.org> <63e80fcf-915e-2dd5-d8c9-1904c8261c6f@yandex.ru>
On 21.07.2017 at 13:08, Andrey V. Elsukov wrote:
> On 21.07.2017 13:59, Muenz, Michael wrote:
>> On 19.07.2017 at 15:35, Andrey V. Elsukov wrote:
>>> Check what you will see if you set net.enc.in.ipsec_bpf_mask=3.
>>> You should see the reply two times, the second one should be with
>>> translated address.
>>>
>> Googling around with "nat before ipsec" and freebsd shows many topics
>> like this.
>> It seems with 11.0 release there were some significant changes to enc
>> which made this impossible.
> The only significant change to enc(4) was making it loadable. From the other
> side it still works as before. Another problem is PF-specific: PF does
> if_output() after translation by itself, and there is no chance for IPsec
> to finish encryption. The third problem mentioned here (deadlock in pf) is
> also PF-specific, and I'm not sure that it worked well before.
>
> With ipfw(4) it should work, at least on FreeBSD. pfSense/OPNsense have
> their own patches, so I don't know what can be wrong there.
>

I know the problems with pf and FreeBSD, that's why I'm focusing on ipfw.
So ipfw without natd and Strongswan as IPsec implementation should work as expected?
Then I'll try to invest more time in investigating the sysctls, but I think I have tested every combination.

Really appreciate your help, thanks!

Michael