From eugen@grosbein.net Sun Sep 26 11:27:07 2021
From: Eugene Grosbein
To: Peter Jeremy
Cc: freebsd-net@freebsd.org
Subject: Re: IPSEC problems with pf
Date: Sun, 26 Sep 2021 18:27:07 +0700
Message-ID: <1bd13e99-cd52-0e2b-35db-a74e6fb8026c@grosbein.net>
References: <63369d6b-23f3-3d4e-4ff8-dd068c894564@grosbein.net> <88c23447-4733-80a2-cb59-f0720b4b836c@yandex.ru>
List-Id: Networking and TCP/IP with FreeBSD
List-Archive: https://lists.freebsd.org/archives/freebsd-net

26.09.2021 10:12, Peter Jeremy wrote:
> I'm confident that the last point is because the IPSEC processing precedes
> the pfil processing on outbound packets, so they aren't seen as eligible
> because IPSEC is seeing the internal, rather than external, address.

I found it more suitable to keep IPsec transport mode but also create a gif(4) tunnel between "firewall" and "VPS" with its own pair of internal IP addresses, so traffic can be encapsulated into the tunnel first and then encrypted. So it does not need to be NAT-ed.
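The gif(4)-over-transport-mode-IPsec layout Eugene describes, written out as an added example for the "firewall" side; this is not configuration from the thread or from either poster. Every address, the interface name `vtnet0`, and the /30 tunnel prefix are constructed placeholders. The script only generates the ifconfig(8), setkey(8), pf.conf and rc.conf fragments, so it can be run and inspected on any host; the pf fragment also shows the check a defender wants: on the external interface only IKE, ESP and the peers' decrypted ip4 packets pass, while the inner traffic is filtered on gif0 with the tunnel addresses.

```shell
#!/bin/sh
# Added example, not configuration from the thread: generate the gif(4) +
# transport-mode IPsec setup for the "firewall" end. All addresses and the
# interface name are constructed placeholders.

FW_PUB=198.51.100.1     # public address of "firewall" (constructed)
VPS_PUB=203.0.113.2     # public address of "VPS" (constructed)
FW_TUN=10.200.0.1       # inner tunnel address, firewall end (constructed)
VPS_TUN=10.200.0.2      # inner tunnel address, VPS end (constructed)
EXT_IF=vtnet0           # external interface name (assumed)

# ifconfig(8) commands that create gif0. gif wraps each inner packet in an
# outer IPv4 header FW_PUB -> VPS_PUB (IP protocol 4), so the packet that
# reaches IPsec already carries the public addresses and needs no NAT.
gif_commands() {
    printf 'ifconfig gif0 create\n'
    printf 'ifconfig gif0 tunnel %s %s\n' "$FW_PUB" "$VPS_PUB"
    printf 'ifconfig gif0 inet %s %s netmask 255.255.255.252 up\n' "$FW_TUN" "$VPS_TUN"
}

# setkey(8) policy: require transport-mode ESP for the IPv4-in-IPv4 traffic
# between the peers ('ip4' is setkey's keyword for IP protocol 4). The
# '-P in ... require' entry is what discards plaintext ip4 packets that merely
# claim to come from VPS_PUB; pf alone cannot tell those from decrypted ones.
ipsec_policy() {
    printf 'spdadd %s %s ip4 -P out ipsec esp/transport//require;\n' "$FW_PUB" "$VPS_PUB"
    printf 'spdadd %s %s ip4 -P in ipsec esp/transport//require;\n' "$VPS_PUB" "$FW_PUB"
}

# pf.conf fragment. Inner (unencrypted) traffic is filtered on gif0 using the
# tunnel addresses. On the external interface, outbound packets are already
# ESP when pf sees them; inbound, the decrypted ip4 packet is queued through
# ip_input again, so it must be allowed too, but only between the two peers.
pf_rules() {
    cat <<EOF
# inner, unencrypted traffic: add per-service rules here
pass on gif0 inet all
# IKE between the peers only
pass on $EXT_IF inet proto udp from $VPS_PUB to $FW_PUB port { 500, 4500 }
pass on $EXT_IF inet proto udp from $FW_PUB to $VPS_PUB port { 500, 4500 }
# ESP between the peers only
pass in on $EXT_IF inet proto esp from $VPS_PUB to $FW_PUB
pass out on $EXT_IF inet proto esp from $FW_PUB to $VPS_PUB
# decrypted ip4 packets, seen by pf again after IPsec input processing
pass in on $EXT_IF inet proto ipencap from $VPS_PUB to $FW_PUB
EOF
}

# rc.conf fragment making the same setup persistent across reboots
rc_conf() {
    cat <<EOF
gif_interfaces="gif0"
gifconfig_gif0="$FW_PUB $VPS_PUB"
ifconfig_gif0="inet $FW_TUN $VPS_TUN netmask 255.255.255.252"
ipsec_enable="YES"
ipsec_file="/etc/ipsec.conf"
EOF
}

# Sanity check: outer and inner addresses must all differ, otherwise gif
# would route its own outer packets back into the tunnel.
check_addresses() {
    [ "$FW_PUB" != "$FW_TUN" ] && [ "$VPS_PUB" != "$VPS_TUN" ] \
        && [ "$FW_PUB" != "$VPS_PUB" ] && [ "$FW_TUN" != "$VPS_TUN" ]
}

case "${1:-}" in
    gif)   gif_commands ;;
    ipsec) ipsec_policy ;;
    pf)    pf_rules ;;
    rc)    rc_conf ;;
    *)     check_addresses && { gif_commands; echo; ipsec_policy; echo; pf_rules; echo; rc_conf; } ;;
esac
```

Run it with `gif`, `ipsec`, `pf` or `rc` to print one fragment, or with no argument for all four. The VPS side uses the same script with the FW_* and VPS_* values swapped. Because the SPD selects on protocol 4 between the public addresses, the NAT rule on the external interface never matches the tunnel traffic, which is the property Eugene relies on.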