From: "Muenz, Michael" <m.muenz@spam-fetish.org>
To: freebsd-net@freebsd.org
Subject: Re: NAT before IPSEC - reply packets stuck at enc0
Date: Fri, 21 Jul 2017 13:21:38 +0200
In-Reply-To: <63e80fcf-915e-2dd5-d8c9-1904c8261c6f@yandex.ru>
References: <459d59f7-2895-8aed-d547-be46a0fbb918@spam-fetish.org> <1c0de616-91ff-a6f9-d946-f098bc1a709f@spam-fetish.org> <911903d1-f353-d5d6-d400-d86150f88136@yandex.ru> <2d607e1a-a2c0-0f85-1530-c478962a76cd@spam-fetish.org> <3344e189-cdf0-a2c9-3a2a-645460866f2d@yandex.ru> <1279753e-9ad1-2c02-304e-5001e2bbc82f@spam-fetish.org> <15e6eb38-ef0c-7bfd-5f2c-d2acc8ea1af4@yandex.ru> <63e80fcf-915e-2dd5-d8c9-1904c8261c6f@yandex.ru>
List-Id: Networking and TCP/IP with FreeBSD

On 21.07.2017 at 13:08, Andrey V. Elsukov wrote:
> On 21.07.2017 13:59, Muenz, Michael wrote:
>> On 19.07.2017 at 15:35, Andrey V. Elsukov wrote:
>>> Check what you will see if you set net.enc.in.ipsec_bpf_mask=3.
>>> You should see the reply two times, the second one should be with
>>> the translated address.
>>>
>> Googling around with "nat before ipsec" and freebsd shows many topics
>> like this.
>> It seems with the 11.0 release there were some significant changes to enc
>> which made this impossible.
> The only significant change to enc(4) was making it loadable. On the other
> hand, it still works as before. Another problem is PF-specific: PF does
> if_output() after translation by itself, and there is no chance for IPsec
> to finish encryption. The third problem mentioned here (deadlock in pf) is
> also PF-specific, and I'm not sure that it worked well before.
>
> With ipfw(4) it should work, at least on FreeBSD. pfSense/OPNsense have
> their own patches, so I don't know what can be wrong there.
>

I know the problems with pf and FreeBSD, that's why I'm focusing on ipfw.
So ipfw without natd and strongSwan as the IPsec implementation should work as expected?
Then I'll try to invest more time experimenting with sysctl, but I think I have tested every combination.

Really appreciate your help, thanks!

Michael
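The check Andrey suggests above (net.enc.in.ipsec_bpf_mask=3, then look at enc0) produces two BPF copies of each inbound packet: one before inbound filtering/NAT and one after. Whether the reply is "stuck" or actually de-translated is easiest to judge by pairing those two copies. The script below is an added example, not code from anyone in this thread or from FreeBSD; it parses the enc(4) line format tcpdump prints (the "(authentic,confidential): SPI 0x...:" prefix) and reports, per packet, whether the destination changed from the NAT public address to an internal one. The capture text, the public address 203.0.113.10 and the 10.0.0.0/24 and 172.16.1.0/24 networks are constructed for the example.

```python
import re
from collections import OrderedDict

# Constructed sample of `tcpdump -ni enc0` output taken with
# net.enc.in.ipsec_bpf_mask=3, so every inbound packet appears twice:
# first as decapsulated (before ipfw/NAT), then after inbound processing.
# This is NOT a real capture; addresses are documentation ranges.
#   seq 1: de-translated (203.0.113.10 -> 10.0.0.5)   -> NAT before IPsec works
#   seq 2: seen twice, destination unchanged          -> no NAT rule matched
#   seq 3: seen only once                             -> dropped before 2nd tap
SAMPLE_CAPTURE = """\
14:02:11.123456 (authentic,confidential): SPI 0x0a1b2c3d: 172.16.1.10 > 203.0.113.10: ICMP echo reply, id 4711, seq 1, length 64
14:02:11.123470 (authentic,confidential): SPI 0x0a1b2c3d: 172.16.1.10 > 10.0.0.5: ICMP echo reply, id 4711, seq 1, length 64
14:02:12.201000 (authentic,confidential): SPI 0x0a1b2c3d: 172.16.1.10 > 203.0.113.10: ICMP echo reply, id 4711, seq 2, length 64
14:02:12.201010 (authentic,confidential): SPI 0x0a1b2c3d: 172.16.1.10 > 203.0.113.10: ICMP echo reply, id 4711, seq 2, length 64
14:02:13.300000 (authentic,confidential): SPI 0x0a1b2c3d: 172.16.1.10 > 203.0.113.10: ICMP echo reply, id 4711, seq 3, length 64
"""

# tcpdump enc(4) line: <ts> (<flags>): SPI 0x<hex>: <src> > <dst>: <rest>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \((?P<flags>[^)]*)\): SPI (?P<spi>0x[0-9a-fA-F]+): "
    r"(?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)$"
)


def parse_enc_line(line):
    """Return the parsed fields of one enc0 tcpdump line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def group_passes(lines):
    """Group the before/after BPF passes of the same packet.

    The SPI, inner source and the protocol summary (ICMP id/seq, TCP ports, ...)
    do not change across inbound NAT, so they identify the packet; the list of
    destinations records how it looked at each tap, in capture order.
    """
    groups = OrderedDict()
    for line in lines:
        rec = parse_enc_line(line)
        if rec is None:
            continue
        key = (rec["spi"], rec["src"], rec["rest"])
        groups.setdefault(key, []).append(rec["dst"])
    return groups


def classify(dsts, public_ip):
    """Decide what happened to one packet from its destination at each tap."""
    if len(dsts) == 1:
        # Only one tap saw it: dropped/consumed before the second pass,
        # or the bpf mask is not 3.
        return "single-pass"
    if dsts[0] == public_ip and dsts[-1] != public_ip:
        return "translated"       # NAT undid the public address: the expected result
    if dsts[0] == dsts[-1]:
        return "untranslated"     # passed inbound processing, but no NAT rule rewrote it
    return "unexpected"


def audit(capture, public_ip):
    """Return [(packet summary, [dst per tap], verdict), ...] for a capture text."""
    groups = group_passes(capture.splitlines())
    return [(key[2], dsts, classify(dsts, public_ip)) for key, dsts in groups.items()]


if __name__ == "__main__":
    for summary, dsts, verdict in audit(SAMPLE_CAPTURE, "203.0.113.10"):
        print(f"{verdict:12s} {' -> '.join(dsts):32s} {summary}")
```

On a real box you would feed it `tcpdump -lni enc0` output captured while pinging across the tunnel from a NATed host; a run where every reply is "single-pass" or "untranslated" means the inbound nat rule never rewrote the packet, which matches the "stuck at enc0" symptom, whereas "translated" shows the ipfw nat path is doing what Andrey describes.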