Re: IPSEC problems with pf

From: Eugene Grosbein <eugen_at_grosbein.net>
Date: Sat, 25 Sep 2021 00:31:11 UTC
CC'ing more knowledgeable developers.

25.09.2021 6:03, Peter Jeremy wrote:

> I don't understand:
> a) Why outgoing ICMP packets from firewall to VPS aren't going through
>    the IPSEC transport.
> b) Why firewall is ignoring incoming IPSEC esp packets.
> 
> Is anyone able to help?

I know three main reasons that may prevent firewall+IPSec from working as expected:

1) for incoming packets: kernel could drop incoming packet within ipsec code
incrementing one of counters shown with "netstat -sp ipsec" command,
so you should check it out first;

2) for both outgoing and incoming packets there could be a processing-order problem:
packets are processed first by the pfil(9) framework (so pf/ipfw have a chance to do NAT etc.)
and only then sent to ipsec(4) to transform (in FreeBSD 11 at least), not vice versa.

3) also read the if_enc(4) manual page to become familiar with the net.enc.out.* and net.enc.in.* sysctl family,
as it may affect this, too. If you do not use the enc(4) pseudo-interface, make sure you changed defaults to:

net.enc.in.ipsec_filter_mask=0
net.enc.out.ipsec_filter_mask=0
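An added example (shell, not part of this thread) that runs the checks from points 1) and 3) over constructed sample output; it assumes the counter lines follow the "<count> <description>" shape and is not copied from a real host, so on your firewall feed it the real `netstat -sp ipsec` and `sysctl net.enc` output instead:

```shell
#!/bin/sh
# Triage helpers for IPsec+pf on FreeBSD (added example, not the thread's code).
# The two variables below are CONSTRUCTED sample output, assumed to mimic the
# "<count> <description>" lines of "netstat -sp ipsec" and "sysctl net.enc".
SAMPLE_IPSEC_STATS='ipsec:
        42 inbound packets processed successfully
        7 inbound packets violated process security policy
        0 inbound packets with no SA available
        3 inbound packets failed processing due to no SPD
        40 outbound packets processed successfully
        0 outbound packets with no route available'

SAMPLE_ENC_SYSCTL='net.enc.in.ipsec_filter_mask: 1
net.enc.out.ipsec_filter_mask: 1'

# Point 1): print every non-zero counter that is not a "processed successfully"
# line, i.e. the in-kernel drops to look at first. Exit status 1 if any found.
ipsec_drop_counters() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*[0-9]+ / && !/processed successfully/ && $1 != 0 { print; found = 1 }
        END { exit found ? 1 : 0 }'
}

# Point 3): without enc(4) in use both filter masks should be 0; report any
# mask that is not. Exit status 1 if a mask still needs changing.
enc_filter_masks_nonzero() {
    printf '%s\n' "$1" | awk -F': ' '
        /^net\.enc\.(in|out)\.ipsec_filter_mask/ && $2 != 0 {
            print $1 " is " $2 ", expected 0"; bad = 1
        }
        END { exit bad ? 1 : 0 }'
}

# Usage against the constructed samples: real hosts would pipe in
# "$(netstat -sp ipsec)" and "$(sysctl net.enc)" instead.
ipsec_drop_counters "$SAMPLE_IPSEC_STATS" || echo "-> check these drops before blaming pf"
enc_filter_masks_nonzero "$SAMPLE_ENC_SYSCTL" || echo "-> set the masks to 0 as above"
```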