Subject: Re: net.inet.ip.fastforwarding and ipsec ?
To: Patrick Lamaiziere, freebsd-net@freebsd.org
From: Eugene Grosbein
Date: Mon, 30 May 2016 14:26:54 +0700
Message-ID: <574BEB3E.8080008@grosbein.net>
In-Reply-To: <20160530092119.50b799bf@mr185083>

30.05.2016 14:21, Patrick Lamaiziere wrote:
> Hello,
>
> Documentation states that setting net.inet.ip.fastforwarding on a
> router breaks ipsec. But it's not clear to me "where" ipsec is broken.
>
> Is ipsec broken to (or from) the router, but ipsec between different
> hosts will work as expected?
>
> Or is it broken for all the ipsec traffic passing through the
> router?
>
> Thanks, regards,

Fastforwarded traffic is passed without any IPSEC processing,
so it gets no encryption/decryption.

AFAIK, sysctl net.inet.ip.fastforwarding was removed from FreeBSD code recently,
and traffic that can be fastforwarded is fastforwarded automagically,
and traffic that cannot (e.g. IPSEC traffic) goes through full processing.

So, the problem you mention should be eliminated.
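
An added example, not part of the message above: a shell check that flags a router where net.inet.ip.fastforwarding is enabled while IPsec policies are installed, which is the combination the reply says passes traffic without IPsec processing. The function names, the verdict strings and the sample policy dump are constructed for illustration, and the `setkey -DP` line layout matched here is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread): audit for fastforwarding + IPsec policies.

# classify FF SPD
#   FF  = output of `sysctl -n net.inet.ip.fastforwarding` ("" if the OID is absent)
#   SPD = output of `setkey -DP`
# Prints one verdict: no-knob | off | on-no-ipsec | conflict
classify() {
    ff=$1
    spd=$2
    if [ -z "$ff" ]; then
        # Sysctl absent: per the reply, IPsec traffic then gets full processing.
        echo "no-knob"
        return 0
    fi
    if [ "$ff" = "0" ]; then
        echo "off"
        return 0
    fi
    # Assumed setkey -DP layout: one indented "<direction> ipsec" line per policy.
    n=$(printf '%s\n' "$spd" | grep -Ec '^[[:space:]]+(in|out|fwd) ipsec' || true)
    if [ "$n" -gt 0 ]; then
        echo "conflict"       # forwarded packets may bypass these policies
    else
        echo "on-no-ipsec"
    fi
}

# Constructed sample of `setkey -DP` output (documentation address ranges).
SAMPLE_SPD='10.1.0.0/16[any] 10.2.0.0/16[any] any
        out ipsec
        esp/tunnel/192.0.2.1-192.0.2.2/require
        spid=1 seq=0 pid=900'

# Live check: reads the real sysctl and policy database on the router.
audit_live() {
    ff=$(sysctl -n net.inet.ip.fastforwarding 2>/dev/null || true)
    spd=$(setkey -DP 2>/dev/null || true)
    classify "$ff" "$spd"
}

if [ "${1:-}" = "--live" ]; then
    audit_live
fi
```

Run it with `--live` as root on the router; a `conflict` verdict means the sysctl should be set to 0 before relying on the installed policies.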