Date:      Tue, 02 Mar 2021 13:36:13 +0000
From:      bugzilla-noreply@freebsd.org
To:        net@FreeBSD.org
Subject:   [Bug 248474] if_ipsec: NAT broken on IPsec/VTI
Message-ID:  <bug-248474-7501-5G78EvWDnC@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-248474-7501@https.bugs.freebsd.org/bugzilla/>
References:  <bug-248474-7501@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=248474

--- Comment #39 from jimp@netgate.com ---
(In reply to Kevin Ong from comment #33)

You're missing a couple of sysctl OIDs.

For the default enc0 filtering mode, use the following sysctl values:

net.inet.ipsec.filtertunnel   = 0x0000
net.inet6.ipsec6.filtertunnel = 0x0000
net.enc.out.ipsec_bpf_mask    = 0x0001
net.enc.out.ipsec_filter_mask = 0x0001
net.enc.in.ipsec_bpf_mask     = 0x0002
net.enc.in.ipsec_filter_mask  = 0x0002

For if_ipsec filtering:

net.inet.ipsec.filtertunnel   = 0x0001
net.inet6.ipsec6.filtertunnel = 0x0001
net.enc.out.ipsec_bpf_mask    = 0x0000
net.enc.out.ipsec_filter_mask = 0x0000
net.enc.in.ipsec_bpf_mask     = 0x0000
net.enc.in.ipsec_filter_mask  = 0x0000

(In reply to jeremy.mordkoff from comment #35)

Since the sysctl OIDs mentioned in this thread control whether you filter only
on *either* enc0 or the if_ipsec interfaces and not both at once, depending on
the sysctl values, you need to set up rules on the if_ipsec interfaces to let
the VTI traffic pass. At the moment, pfSense software doesn't have a way to let
you do that. There is a patch on https://redmine.pfsense.org/issues/11395 which
lets you choose to either filter on enc0 (for tunnel mode + basic VTI traffic)
or filter on if_ipsec (full VTI filtering capabilities, including NAT, but
drops all tunnel mode traffic). The VTI filtering mode exposes firewall rule
tabs for assigned VTI interfaces which will allow you to do what you want.

For info on how to use that or other issues specific to pfSense software you
should post on the Netgate forum for assistance.

I'd still prefer there be a way to do both at once, but at least having a
choice in the behavior is better than it being completely broken.

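The two sysctl sets from the comment above, encoded as an added shell example (not code from the bug report, FreeBSD or pfSense) that reports which filtering mode a host's current values correspond to and flags a mixed configuration that matches neither documented set. It assumes FreeBSD sysctl(8), whose `-e` flag prints `oid=value` lines; the function names are mine.

```shell
# Added example: FreeBSD IPsec filtering mode (enc0 vs if_ipsec) as a checkable
# configuration. Assumes sysctl(8) "-e" output; function names are assumptions.

# Expected "oid value" pairs for a mode. Values are decimal, as sysctl(8)
# prints them (0x0001 -> 1, 0x0002 -> 2).
ipsec_filter_expected() {
    case "$1" in
        enc0)   # filter on enc0: tunnel mode plus basic VTI traffic
            printf '%s\n' \
                'net.inet.ipsec.filtertunnel 0' \
                'net.inet6.ipsec6.filtertunnel 0' \
                'net.enc.out.ipsec_bpf_mask 1' \
                'net.enc.out.ipsec_filter_mask 1' \
                'net.enc.in.ipsec_bpf_mask 2' \
                'net.enc.in.ipsec_filter_mask 2' ;;
        vti)    # filter on if_ipsec: full VTI filtering incl. NAT, no tunnel mode
            printf '%s\n' \
                'net.inet.ipsec.filtertunnel 1' \
                'net.inet6.ipsec6.filtertunnel 1' \
                'net.enc.out.ipsec_bpf_mask 0' \
                'net.enc.out.ipsec_filter_mask 0' \
                'net.enc.in.ipsec_bpf_mask 0' \
                'net.enc.in.ipsec_filter_mask 0' ;;
        *)      return 2 ;;
    esac
}

# Count the OIDs of mode $1 that are absent or differ in the "oid=value"
# lines read from stdin (a missing OID counts as a mismatch).
ipsec_filter_mismatches() {
    actual=$(cat); n=0
    for pair in $(ipsec_filter_expected "$1" | tr ' ' '='); do
        printf '%s\n' "$actual" | grep -qxF "$pair" || n=$((n + 1))
    done
    echo "$n"
}

# Classify stdin as enc0, vti, or mixed. "mixed" means the values match
# neither documented set, so the box is in neither supported filtering mode.
ipsec_filter_classify() {
    actual=$(cat)
    if [ "$(printf '%s\n' "$actual" | ipsec_filter_mismatches enc0)" -eq 0 ]; then echo enc0
    elif [ "$(printf '%s\n' "$actual" | ipsec_filter_mismatches vti)" -eq 0 ]; then echo vti
    else echo mixed
    fi
}
```

On a FreeBSD host, `sysctl -e net.inet.ipsec.filtertunnel net.inet6.ipsec6.filtertunnel net.enc.out.ipsec_bpf_mask net.enc.out.ipsec_filter_mask net.enc.in.ipsec_bpf_mask net.enc.in.ipsec_filter_mask | ipsec_filter_classify` reports the current mode, and as root `ipsec_filter_expected vti | tr ' ' '=' | xargs -n1 sysctl` switches to if_ipsec filtering.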