Date:      Sat, 25 Sep 2021 16:06:55 +0300
From:      "Andrey V. Elsukov" <bu7cher@yandex.ru>
To:        Eugene Grosbein <eugen@grosbein.net>, Peter Jeremy <peter@rulingia.com>, freebsd-net@freebsd.org
Cc:        "Alexander V. Chernikov" <melifaro@freebsd.org>
Subject:   Re: IPSEC problems with pf
Message-ID:  <88c23447-4733-80a2-cb59-f0720b4b836c@yandex.ru>
In-Reply-To: <63369d6b-23f3-3d4e-4ff8-dd068c894564@grosbein.net>
References:  <YU5ZKsBQ73UJ71r2@server.rulingia.com> <63369d6b-23f3-3d4e-4ff8-dd068c894564@grosbein.net>

25.09.2021 03:31, Eugene Grosbein writes:
> I know three main reasons that may prevent firewall+IPSec from working as expected:
> 
> 1) for incoming packets: the kernel could drop an incoming packet within the ipsec code,
> incrementing one of the counters shown with the "netstat -sp ipsec" command,
> so you should check it out first;
> 
> 2) for both outgoing and incoming packets there could be a processing order problem:
> packets are processed first by the pfil(9) framework (so pf/ipfw have a chance to do NAT etc.)
> and only then sent to ipsec(4) to transform (in FreeBSD 11 at least), not vice versa.

AFAIK, pf does not send packets to IPsec processing after NAT. You need
to do the translation after IPsec processing using the if_enc interface.

> 
> 3) also read the if_enc(4) manual page to get familiar with the net.enc.out.* and net.enc.in.* sysctl family,
> as it may affect this, too. If you do not use the enc(4) pseudo-interface, make sure you changed the defaults to:
> 
> net.enc.in.ipsec_filter_mask=0
> net.enc.out.ipsec_filter_mask=0

Another important variable that needs attention is
net.inet.ipsec.filtertunnel.

-- 
WBR, Andrey V. Elsukov
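
The three-step checklist from the quoted message (kernel-side counters from "netstat -sp ipsec", then the enc(4) filter masks and net.inet.ipsec.filtertunnel that Andrey adds) as a small diagnostic helper. This is an added example, not code from the thread or from FreeBSD; it assumes FreeBSD's "sysctl -e" name=value output and a "netstat -sp ipsec" layout of one counter per line with the number first, and the sample data embedded in it is constructed.

```shell
# Added diagnostic helper, not from the thread: checks the sysctls named above
# and diffs two "netstat -sp ipsec" snapshots, so a kernel-side drop shows up
# as an incremented counter before pf gets blamed. POSIX sh + awk.
# check_masks: reads "name=value" lines (FreeBSD: sysctl -e <names>) on stdin;
# flags the enc(4) masks if non-zero (expected 0 when enc(4) is unused) and
# reports filtertunnel for review. Returns 1 if a mask is wrong.
check_masks() {
    bad=0
    while IFS='=' read -r name value; do
        case "$name" in
        net.enc.in.ipsec_filter_mask|net.enc.out.ipsec_filter_mask)
            [ "$value" = "0" ] && continue
            echo "$name=$value (expected 0 when enc(4) is not used)"; bad=1 ;;
        net.inet.ipsec.filtertunnel)
            echo "$name=$value (review against your pf rules)" ;;
        esac
    done
    return "$bad"
}
# counter_delta BEFORE AFTER: prints "<increase> <counter text>" for every
# counter that grew between two saved netstat outputs (number first per line).
counter_delta() {
    awk 'function key(s) { sub(/^[ \t]*[0-9]+[ \t]+/, "", s); return s }
         $1 !~ /^[0-9]+$/ { next }
         NR == FNR { before[key($0)] = $1; next }
         { d = $1 - before[key($0)]; if (d > 0) print d, key($0) }' "$1" "$2"
}
# Constructed samples (not real host output): one mask left non-zero, and a
# snapshot pair where inbound packets started hitting "no SA available".
SAMPLE_SYSCTL='net.enc.in.ipsec_filter_mask=1
net.enc.out.ipsec_filter_mask=0
net.inet.ipsec.filtertunnel=0'
SAMPLE_BEFORE='ipsec:
    5 inbound packets processed successfully
    0 inbound packets with no SA available
    7 outbound packets processed successfully'
SAMPLE_AFTER='ipsec:
    5 inbound packets processed successfully
    3 inbound packets with no SA available
    9 outbound packets processed successfully'
# delta_demo: counter_delta over the samples via temp files, as two real
# snapshots would be saved around a test transfer.
delta_demo() {
    t1=$(mktemp) && t2=$(mktemp) || return 1
    printf '%s\n' "$SAMPLE_BEFORE" >"$t1"; printf '%s\n' "$SAMPLE_AFTER" >"$t2"
    counter_delta "$t1" "$t2"; rm -f "$t1" "$t2"
}
printf '%s\n' "$SAMPLE_SYSCTL" | check_masks || echo "-> fix the masks first"
delta_demo
```

On a live host, feed `sysctl -e net.enc.in.ipsec_filter_mask net.enc.out.ipsec_filter_mask net.inet.ipsec.filtertunnel` into check_masks and save `netstat -sp ipsec` to two files around a test transfer for counter_delta.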
