From: Nicolas DEFFAYET
To: "Andrey V. Elsukov"
Cc: freebsd-net@freebsd.org
Subject: Re: IPsec filtertunnel broken on FreeBSD 10
Date: Fri, 07 Feb 2014 12:44:38 +0000
Message-ID: <1391777078.27201.2.camel@srv31.corp.novso.com>
In-Reply-To: <52F4C41B.3030101@yandex.ru>
References: <1391725273.22934.16.camel@fr-wks3.corp.novso.com> <52F4C41B.3030101@yandex.ru>
List-Id: Networking and TCP/IP with FreeBSD

On Fri, 2014-02-07 at 15:31 +0400, Andrey V. Elsukov wrote:
> On 07.02.2014 02:21, Nicolas DEFFAYET wrote:

Hello Andrey,

> > The IPsec filtertunnel is broken on FreeBSD 10: incoming decapsulated
> > packets are not going to the firewall and to the pseudo interface enc.
> >
> > This issue affects 10.0-RELEASE and 10.0-STABLE.
> > 9.1-RELEASE and 9.2-RELEASE are not affected.
> >
> > Of course the sysctl shows that filtertunnel is enabled:
> > net.inet.ipsec.filtertunnel=1
> > net.inet6.ipsec.filtertunnel=1
>
> Can you show what values you have in
> sysctl net.enc?

I use the default values (not tuned in /boot/loader.conf or /etc/sysctl.conf):

FreeBSD 9.1-RELEASE
net.enc.in.ipsec_bpf_mask: 1
net.enc.in.ipsec_filter_mask: 1
net.enc.out.ipsec_bpf_mask: 3
net.enc.out.ipsec_filter_mask: 1

FreeBSD 10.0-RELEASE
net.enc.in.ipsec_bpf_mask: 1
net.enc.in.ipsec_filter_mask: 1
net.enc.out.ipsec_bpf_mask: 3
net.enc.out.ipsec_filter_mask: 1

Many thanks for your help

-- 
Nicolas DEFFAYET
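Added example, not part of the thread: a small POSIX sh check that parses a sysctl(8)-style dump and reports any of the six values discussed above (the two filtertunnel knobs and the four net.enc masks) that deviate from the defaults both posters report. The dump below is constructed from the 10.0-RELEASE values in the reply; the "before"/"after" names for mask bits 1 and 2 are assumed from enc(4) and are only a hint in the output.

```shell
# Constructed sysctl(8)-style dump; values are the 10.0-RELEASE ones quoted in the reply.
SAMPLE_SYSCTL='net.inet.ipsec.filtertunnel: 1
net.inet6.ipsec.filtertunnel: 1
net.enc.in.ipsec_bpf_mask: 1
net.enc.in.ipsec_filter_mask: 1
net.enc.out.ipsec_bpf_mask: 3
net.enc.out.ipsec_filter_mask: 1'

# Defaults the thread reports identically for 9.1-RELEASE and 10.0-RELEASE.
ENC_DEFAULTS='net.inet.ipsec.filtertunnel=1 net.inet6.ipsec.filtertunnel=1
net.enc.in.ipsec_bpf_mask=1 net.enc.in.ipsec_filter_mask=1
net.enc.out.ipsec_bpf_mask=3 net.enc.out.ipsec_filter_mask=1'

# Print the value of one OID from a dump of "oid: value" lines; prints nothing if absent.
sysctl_get() {
    printf '%s\n' "$1" | awk -v key="$2:" '$1 == key { print $2 }'
}

# Name the enc(4) hook points a mask enables (assumed encoding: bit 1 = before, bit 2 = after).
enc_mask_names() {
    case "$1" in
        0) echo none ;;
        1) echo before ;;
        2) echo after ;;
        3) echo before,after ;;
        *) echo "invalid($1)" ;;
    esac
}

# Compare a dump against ENC_DEFAULTS: one line per missing or differing OID;
# returns 0 when every value is at its default, 1 otherwise.
check_enc_config() {
    rc=0
    for pair in $ENC_DEFAULTS; do
        oid=${pair%=*}
        want=${pair#*=}
        got=$(sysctl_get "$1" "$oid")
        case "$oid" in
            net.enc.*) hint=" ($(enc_mask_names "$got"))" ;;
            *) hint="" ;;
        esac
        if [ -z "$got" ]; then
            echo "MISSING $oid (default $want)"; rc=1
        elif [ "$got" != "$want" ]; then
            echo "DIFFERS $oid=$got$hint, default $want"; rc=1
        fi
    done
    return $rc
}
```

On a FreeBSD host, feed it live output with `check_enc_config "$(sysctl net.inet.ipsec.filtertunnel net.inet6.ipsec.filtertunnel net.enc)"`; a clean result on both 9.x and 10.0, as in the reply, shows the difference is not in these settings.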