From: bugzilla-noreply@freebsd.org
To: freebsd-bugs@FreeBSD.org
Subject: [Bug 215006] [ipsec] Unable to use pf RDR on enc0 in transport mode
Date: Fri, 02 Dec 2016 15:04:38 +0000
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=215006

            Bug ID: 215006
           Summary: [ipsec] Unable to use pf RDR on enc0 in transport mode
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: kern
          Assignee: freebsd-bugs@FreeBSD.org
          Reporter: jeromecharles.lallemand@gmail.com
                CC: bapt@FreeBSD.org

I'm trying to NAT packets incoming from enc0 to another machine. The RDR statement in pf works for the incoming packet, but the reply from the other machine is forwarded back to the issuer without encryption.

It might be because of the state matching on the reply, which sends back the reply bypassing the SPD rules. This is working flawlessly with encryption.

I'm in a gateway setup; is there any chance to get the RDR working with ipsec in transport mode?

Computer1 em0 | ----->IPSEC-----> | em0 Computer2 em1 | -----> | em0 Computer3 |
10.11.1.3                           172.31.0.1    10.56.1.10     10.56.1.224

Here is my setup:

ifconfig
em0 : 172.31.0.1/24
em1 : 10.56.1.10/24

pf.conf :
rdr on enc0 inet from 10.11.0.0/16 to 172.31.0.1 tag "balance-1" -> 10.56.1.224
pass all

setkey.conf :
add -4 10.11.1.3 172.31.0.1 esp 0x100 -m transport -E rijndael-cbc "This is secret AES 256 bits key!" -A hmac-sha2-256 "This is secret HMAC 256 bits key";
add -4 172.31.0.1 10.11.1.3 esp 0x101 -m transport -E rijndael-cbc "This is secret AES 256 bits key!" -A hmac-sha2-256 "This is secret HMAC 256 bits key";
spdadd 10.11.1.3 172.31.0.1 any -P in ipsec esp/transport//require;
spdadd 172.31.0.1 10.11.1.3 any -P out ipsec esp/transport//require;

Results:

ping -W1 -c1 -S 10.11.1.3 172.31.0.1
PING 172.31.0.1 (172.31.0.1) from 10.11.1.3: 56 data bytes

tcpdump -ni em0
11:43:31.276852 IP 10.11.1.3 > 172.31.0.1: ESP(spi=0x00000100,seq=0x16), length 120
11:43:31.277594 IP 172.31.0.1 > 10.11.1.3: ICMP echo reply, id 49496, seq 0, length 64

Thank you for your help.
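The capture at the end of the report shows the symptom in two lines: the echo request arrives on em0 as ESP, and the echo reply leaves em0 in the clear although the SPD has an "out ... require" entry for exactly that src/dst pair. The following script is an added example, not part of the bug report and not FreeBSD code: it parses setkey(8) spdadd lines and tcpdump -n output and flags every cleartext packet whose src/dst falls under a policy with level "require". The SPD_CONF and CAPTURE strings are copied from the report; the parsers assume the line shapes shown there (host or prefix selectors without a [port] suffix, tcpdump printing hosts as addr or addr.port) and treat ESP(...) or AH(...) as the only "protected" summaries.

```python
"""Flag cleartext packets between IPsec peers whose SPD entry requires ESP/AH.

Added example for the report above (not FreeBSD code): SPD_CONF and CAPTURE
are copied from the reporter's setkey.conf and tcpdump -ni em0 output. The
parsers assume setkey(8) spdadd lines with host or prefix selectors (no
[port] suffix) and tcpdump -n output (hosts printed as addr or addr.port).
"""
import re
from ipaddress import ip_address, ip_network

# Constructed from the reporter's setkey.conf (transport mode, level "require").
SPD_CONF = """
spdadd 10.11.1.3 172.31.0.1 any -P in ipsec esp/transport//require;
spdadd 172.31.0.1 10.11.1.3 any -P out ipsec esp/transport//require;
"""

# Constructed from the reporter's tcpdump -ni em0 output.
CAPTURE = """
11:43:31.276852 IP 10.11.1.3 > 172.31.0.1: ESP(spi=0x00000100,seq=0x16), length 120
11:43:31.277594 IP 172.31.0.1 > 10.11.1.3: ICMP echo reply, id 49496, seq 0, length 64
"""

# spdadd <src> <dst> <upper> -P <dir> ipsec <proto>/<mode>/<endpoints>/<level>;
SPD_RE = re.compile(
    r"^spdadd\s+(\S+)\s+(\S+)\s+\S+\s+-P\s+(in|out)\s+ipsec\s+"
    r"(\w+)/(\w+)/[^/]*/(\w+)\s*;"
)
# <timestamp> IP[6] <src>[.port] > <dst>[.port]: <protocol summary>
PKT_RE = re.compile(r"^(\S+)\s+IP6?\s+(\S+)\s+>\s+(\S+):\s+(.*)$")


def parse_spd(text):
    """Return (src_net, dst_net, direction, proto, mode, level) per spdadd line."""
    policies = []
    for line in text.splitlines():
        m = SPD_RE.match(line.strip())
        if m:
            src, dst, direction, proto, mode, level = m.groups()
            # ip_network() turns a bare host selector into a /32 (or /128).
            policies.append((ip_network(src, strict=False),
                             ip_network(dst, strict=False),
                             direction, proto, mode, level))
    return policies


def _host(token):
    """tcpdump -n prints 'addr' or 'addr.port'; return just the address."""
    try:
        return ip_address(token)
    except ValueError:
        return ip_address(token.rsplit(".", 1)[0])


def parse_capture(text):
    """Return (timestamp, src, dst, protected, summary) per packet line."""
    packets = []
    for line in text.splitlines():
        m = PKT_RE.match(line.strip())
        if m:
            ts, src, dst, summary = m.groups()
            # tcpdump names the outer protocol first: a summary starting with
            # ESP( or AH( means the packet was IPsec-protected on the wire.
            protected = summary.startswith(("ESP(", "AH("))
            packets.append((ts, _host(src), _host(dst), protected, summary))
    return packets


def cleartext_violations(policies, packets):
    """Cleartext packets whose src->dst falls under a 'require' policy.

    The policy direction is ignored on purpose: a flow the SPD requires to
    be ESP/AH must never be seen in the clear on the wire in either direction.
    """
    hits = []
    for ts, src, dst, protected, summary in packets:
        if protected:
            continue
        for src_net, dst_net, direction, proto, mode, level in policies:
            if level == "require" and src in src_net and dst in dst_net:
                hits.append((ts, str(src), str(dst), direction,
                             f"{proto}/{mode}", summary))
                break
    return hits


if __name__ == "__main__":
    for ts, src, dst, direction, policy, summary in cleartext_violations(
            parse_spd(SPD_CONF), parse_capture(CAPTURE)):
        print(f"{ts} CLEARTEXT {src} > {dst} ({summary}) "
              f"despite -P {direction} {policy} require")
```

Run as-is it reports the single 172.31.0.1 > 10.11.1.3 echo reply from the capture; replace the two embedded strings with the real setkey.conf and a longer capture (tcpdump -ni em0) to see whether only the state-matched, un-RDRed replies bypass the policy or other traffic does too. Because the check is on what was actually on the wire, it is independent of whether pf or the kernel SPD lookup is the stage that skipped encryption.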