Date:      Sun, 26 Sep 2021 18:27:07 +0700
From:      Eugene Grosbein <eugen@grosbein.net>
To:        Peter Jeremy <peter@rulingia.com>
Cc:        freebsd-net@freebsd.org
Subject:   Re: IPSEC problems with pf
Message-ID:  <1bd13e99-cd52-0e2b-35db-a74e6fb8026c@grosbein.net>
In-Reply-To: <YU/lBWIQMNGQebwq@server.rulingia.com>
References:  <YU5ZKsBQ73UJ71r2@server.rulingia.com> <63369d6b-23f3-3d4e-4ff8-dd068c894564@grosbein.net> <88c23447-4733-80a2-cb59-f0720b4b836c@yandex.ru> <YU/lBWIQMNGQebwq@server.rulingia.com>

26.09.2021 10:12, Peter Jeremy wrote:

> I'm confident that the last point is because the IPSEC processing precedes
> the pfil processing on outbound packets, so they aren't seen as eligible
> because IPSEC is seeing the internal, rather than external, address.

I found it much more suitable to keep IPSec transport mode but also create a gif(4) tunnel between "firewall" and "VPS"
with its own pair of internal IP addresses, so traffic can be encapsulated into the tunnel first and then encrypted.
So it does not need to be NAT-ed.
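Concretely, a gif(4)-over-IPsec-transport setup of the kind described above, as an added example that is not from the thread: the public and inner addresses are constructed placeholders from the documentation ranges, the interface name and /30 are assumptions, and SA negotiation by an IKE daemon is assumed rather than shown. The SPD entries cover only protocol 4 (IP-in-IP, which is what gif emits), so the tunnel payload is always encrypted while IKE's own UDP exchange between the same two addresses stays outside the policy. With DRY_RUN=1 (the default) the script only prints what it would do.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread.
# Builds a gif(4) tunnel between "firewall" and "VPS" and protects the
# encapsulated traffic with IPsec transport mode between the two public
# addresses. All addresses below are constructed placeholders.
# Security associations are assumed to come from an IKE daemon; only the
# security policy database (SPD) is configured here.

FW_PUB=${FW_PUB:-203.0.113.1}       # firewall public address (placeholder)
VPS_PUB=${VPS_PUB:-198.51.100.2}    # VPS public address (placeholder)
FW_INNER=${FW_INNER:-10.255.0.1}    # tunnel inner addresses, a /30 (assumed)
VPS_INNER=${VPS_INNER:-10.255.0.2}
GIF_IF=${GIF_IF:-gif0}              # assumed interface name
EXT_IF=${EXT_IF:-em0}               # assumed external interface
DRY_RUN=${DRY_RUN:-1}               # 1 = print commands, 0 = execute (root)

# Print the command in dry-run mode, execute it otherwise.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Tunnel: outer endpoints are the public addresses, the inner /30 is what
# pf and routing see, so nothing on the inside has to be NAT-ed.
gif_tunnel_cmds() {
    run ifconfig "$GIF_IF" create
    run ifconfig "$GIF_IF" tunnel "$FW_PUB" "$VPS_PUB"
    run ifconfig "$GIF_IF" inet "$FW_INNER" "$VPS_INNER" netmask 255.255.255.252 up
}

# SPD for setkey(8): require ESP transport mode only for IP-in-IP
# (protocol 4) between the two public addresses. gif encapsulates first,
# then IPsec encrypts the encapsulated packet; IKE (UDP 500/4500) between
# the same addresses is deliberately left outside the policy.
ipsec_spd() {
cat <<EOF
spdadd $FW_PUB $VPS_PUB 4 -P out ipsec esp/transport//require;
spdadd $VPS_PUB $FW_PUB 4 -P in ipsec esp/transport//require;
EOF
}

# pf.conf fragment: let ESP and IKE reach the external interface, and
# filter the decapsulated traffic on the gif interface using the inner
# addresses, which is where the original per-host rules belong.
pf_rules() {
cat <<EOF
pass in quick on $EXT_IF proto esp from $VPS_PUB to $FW_PUB
pass out quick on $EXT_IF proto esp from $FW_PUB to $VPS_PUB
pass quick on $EXT_IF proto udp from $VPS_PUB to $FW_PUB port { 500, 4500 }
pass quick on $EXT_IF proto udp from $FW_PUB to $VPS_PUB port { 500, 4500 }
pass on $GIF_IF from $FW_INNER to $VPS_INNER
pass on $GIF_IF from $VPS_INNER to $FW_INNER
EOF
}

main() {
    gif_tunnel_cmds
    if [ "$DRY_RUN" = 1 ]; then
        ipsec_spd
        pf_rules
    else
        ipsec_spd | setkey -c          # load the SPD
        pf_rules                       # merge into /etc/pf.conf by hand
    fi
}

main
```

Run it once as root with DRY_RUN=0 on each side (swapping the FW_* and VPS_* values on the VPS). Keeping the SPD restricted to protocol 4 is the practical caveat: a blanket "any" policy between the two public addresses would also demand ESP for the IKE packets that are supposed to set the SAs up.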