Date:      Sat, 14 Oct 2023 17:29:03 +0300
From:      Victor Gamov <vitspec@gmail.com>
To:        freebsd-net <freebsd-net@freebsd.org>
Subject:   Re: Packet forwarding stooped when Strongswan install IPsec policy
Message-ID:  <CAPOOyvkamPVf-M5uPrABQJSbaSD%2BtbM14C7vv9MJX4cD17tu8w@mail.gmail.com>
In-Reply-To: <CAPOOyvkH1WA0KMD1jBHPV_HiFpUZ-op9tjq-LtFOa6r2FtJhOA@mail.gmail.com>
References:  <CAPOOyvkH1WA0KMD1jBHPV_HiFpUZ-op9tjq-LtFOa6r2FtJhOA@mail.gmail.com>


After more investigation the tunnel is up and working:

etc/strongswan.d/charon.conf:
=====
install_routes = no
=====

This was disabled at first but was lost during configuration experiments.

etc/ipsec.conf:
=====
conn pop4-to-pop12-routed
  installpolicy = no
=====


On Sat, 14 Oct 2023 at 13:25, Victor Gamov <vitspec@gmail.com> wrote:

> Hi All
>
> I have FreeBSD 13.2-STABLE stable/13-n255939-b9da47180fd6 GENERIC amd64
> machine with strongswan-5.9.11_2 installed by pkg.
>
> When routed ipsec is up, all outgoing packets are forwarded into the
> ipsec tunnel, so networking immediately fails.
>
> FreeBSD config:
> =====
> net.fibs=4
> net.inet.ip.forwarding=1
> =====
>
>
> ifconfig ipsec10121
> =====
> ipsec10121: flags=8050<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1400
> description: PoP-12
> tunnel inet 1.1.1.2 --> 2.2.2.2
> inet 172.16.110.129 --> 172.16.110.130 netmask 0xfffffffc
> groups: ipsec
> reqid: 10121
> nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
> =====
>
>
> strongswan etc/ipsec.conf:
> =====
> conn pop4-to-pop12-routed
> #  also = tmpl_route_based
>   left = 1.1.1.2
>   right = 2.2.2.2
>   leftsubnet = 0.0.0.0/0
>   rightsubnet = 0.0.0.0/0
>   reqid = 10121
>   type = tunnel
>   authby = psk
>   keyexchange = ikev2
>   ike = aes256-sha256-modp3072,aes256-sha256-modp3072
>   esp = aes256-sha256-modp3072,aes256-sha256-modp3072
>   ikelifetime = 28800
>   mobike = no
>   lifetime = 3600
>   dpdaction = restart
>   dpddelay = 30s
>   auto = start
> =====
>
>
> strongswan etc/strongswan.d/charon/kernel-pfkey.conf:
> =====
> kernel-pfkey {
>   load = yes
> # route_via_internal = no
> }
> =====
>
>
> route -n monitor
> =====
> got message of size 272 on Sat Oct 14 12:39:39 2023
> RTM_GET: Report Metrics: len 272, pid: 49695, seq 1, errno 0,
> flags:<UP,GATEWAY,DONE,STATIC>
> locks:  inits:
> sockaddrs: <DST,GATEWAY,NETMASK,IFP,IFA>
>  0.0.0.0 1.1.1.1 0.0.0.0 vlan200:48.dc.2d.6.4f.f4 1.1.1.2
>
> got message of size 200 on Sat Oct 14 12:39:39 2023
> RTM_GET: Report Metrics: len 200, pid: 49695, seq 2, errno 0,
> flags:<UP,GATEWAY,DONE,STATIC>
> locks:  inits:
> sockaddrs: <DST,GATEWAY,NETMASK>
>  0.0.0.0 1.1.1.1 0.0.0.0
>
> got message of size 256 on Sat Oct 14 12:39:39 2023
> RTM_ADD: Add Route: len 256, pid: 49695, seq 3, errno 0,
> flags:<UP,GATEWAY,HOST,DONE,STATIC>
> locks:  inits:
> sockaddrs: <DST,GATEWAY,IFP,IFA>
>  2.2.2.2 1.1.1.1 vlan200:48.dc.2d.6.4f.f4 1.1.1.2
>
> got message of size 272 on Sat Oct 14 12:39:39 2023
> RTM_ADD: Add Route: len 272, pid: 49695, seq 5, errno 0,
> flags:<UP,DONE,STATIC>
> locks:  inits:
> sockaddrs: <DST,GATEWAY,NETMASK,IFP,IFA>
>  128.0.0.0 1.1.1.1 128.0.0.0 vlan200:48.dc.2d.6.4f.f4 1.1.1.2
>
> got message of size 272 on Sat Oct 14 12:39:39 2023
> RTM_ADD: Add Route: len 272, pid: 49695, seq 4, errno 0,
> flags:<UP,DONE,STATIC>
> locks:  inits:
> sockaddrs: <DST,GATEWAY,NETMASK,IFP,IFA>
>  0.0.0.0 1.1.1.1 128.0.0.0 vlan200:48.dc.2d.6.4f.f4 1.1.1.2
> =====
>
>
> netstat -r -nW4:
> =====
> Routing tables
>
> Internet:
> Destination        Gateway            Flags   Nhop#    Mtu      Netif Expire
> 0.0.0.0/1          195.34.58.166      US         12   1500    vlan200
> default            195.34.58.166      UGS         6   1500    vlan200
> 10.4.102.128/31    link#8             U           8   1500     vlan22
> 10.4.102.129       link#8             UHS         7  16384        lo0
> 31.131.95.64/27    127.0.0.1          U1B         9  16384        lo0
> 46.243.226.103     195.34.58.166      UGHS       10   1500    vlan200
> 127.0.0.1          link#5             UHS         1  16384        lo0
> 128.0.0.0/1        195.34.58.166      US         12   1500    vlan200
> 172.16.110.12/31   link#4             U           2   1500       ixl3
> 172.16.110.13      link#4             UHS         3  16384        lo0
> 172.16.110.129     link#11            UHS        11  16384        lo0
> 195.34.58.166/31   link#7             U           4   1500    vlan200
> 195.34.58.167      link#7             UHS         5  16384        lo0
> =====
>
>
> netstat -o -nW4
> =====
> Nexthop data
>
> Internet:
> Idx   Type         IFA                Gateway             Flags      Use Mtu         Netif     Addrif Refcnt Prepend
> 1       v4/resolve 127.0.0.1          lo0/resolve        HS         1366  16384        lo0               2
> 2       v4/resolve 172.16.110.13      ixl3/resolve                     0   1500       ixl3               2
> 3       v4/resolve 127.0.0.1          lo0/resolve        HS            0  16384        lo0      ixl3     2
> 4       v4/resolve 195.34.58.167      vlan200/resolve              51749   1500    vlan200               4
> 5       v4/resolve 127.0.0.1          lo0/resolve        HS            0  16384        lo0   vlan200     2
> 6            v4/gw 195.34.58.167      195.34.58.166      GS        37902   1500    vlan200               2
> 7       v4/resolve 127.0.0.1          lo0/resolve        HS            0  16384        lo0    vlan22     2
> 8       v4/resolve 10.4.102.129       vlan22/resolve                   3   1500     vlan22               2
> 9       v4/resolve 127.0.0.1          lo0/resolve        1B            0  16384        lo0               2
> 10           v4/gw 195.34.58.167      195.34.58.166      GHS           0   1500    vlan200               2
> 11      v4/resolve 127.0.0.1          lo0/resolve        HS            0  16384        lo0ipsec10121     2
> 12      v4/resolve 195.34.58.167      vlan200/resolve    S             0   1500    vlan200               3
> =====
>
>
> If I change "route_via_internal=yes" in
> etc/strongswan.d/charon/kernel-pfkey.conf then no routes like 0.0.0.0/1 or
> 128.0.0.0/1 are installed, but the network still fails.
>
> The very same strongswan config has worked fine for many years on FreeBSD-11.
> FreeBSD-13 has many changes in the network stack and strongswan changed too.
>
> Also I read https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=255678
> and https://github.com/strongswan/strongswan/issues/910 and it looks
> like a strongswan/FreeBSD integration issue.
>
>
> I'll appreciate any advice.  Thanks!
>
> --
> CU,
> Victor Gamov
>


-- 
CU,
Victor Gamov
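
A check for the symptom described in this thread, as an added example that is not part of the original e-mail: it flags the 0.0.0.0/1 and 128.0.0.0/1 routes that override the default route and tests whether a configuration text sets install_routes = no on an uncommented line. The function names are hypothetical, and the sample table is a subset of the netstat output quoted above.

```shell
#!/bin/sh
# Added example, not from the original message. Function names are
# hypothetical; sample_routes is a subset of the quoted `netstat -r -nW4`.

# Read `netstat -rn` style output on stdin and print every route that
# splits the default route in half. 0.0.0.0/1 and 128.0.0.0/1 together
# cover all of IPv4 and are more specific than "default", so they win.
half_default_routes() {
    awk '$1 == "0.0.0.0/1" || $1 == "128.0.0.0/1" {
        print $1 " via " $2 " dev " $6
    }'
}

# Read strongswan.conf style text on stdin; succeed only if an
# uncommented line sets install_routes = no.
install_routes_disabled() {
    awk '
        { sub(/#.*/, "") }    # drop comments so "# install_routes = no" does not count
        /^[ \t]*install_routes[ \t]*=[ \t]*no[ \t]*$/ { found = 1 }
        END { exit(found ? 0 : 1) }
    '
}

# Sample input: rows copied from the routing table quoted in the message.
sample_routes() {
    cat <<'EOF'
Destination        Gateway            Flags   Nhop#    Mtu      Netif Expire
0.0.0.0/1          195.34.58.166      US         12   1500    vlan200
default            195.34.58.166      UGS         6   1500    vlan200
46.243.226.103     195.34.58.166      UGHS       10   1500    vlan200
128.0.0.0/1        195.34.58.166      US         12   1500    vlan200
195.34.58.166/31   link#7             U           4   1500    vlan200
EOF
}

echo "Routes overriding the default route in the sample table:"
sample_routes | half_default_routes

# The fix reported in the message, as it would appear in charon.conf.
if printf 'charon {\n  install_routes = no\n}\n' | install_routes_disabled; then
    echo "install_routes is disabled"
fi
```

On a live host, `netstat -rn -4 | half_default_routes` should print nothing once the fix is in place.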
