Re: IPSEC problems with pf
- Reply: Andrey V. Elsukov: "Re: IPSEC problems with pf"
- In reply to: Peter Jeremy : "IPSEC problems with pf"
Date: Sat, 25 Sep 2021 00:31:11 UTC
CC'ing more knowledgeable developers.

25.09.2021 6:03, Peter Jeremy wrote:
> I don't understand:
> a) Why outgoing ICMP packets from firewall to VPS aren't going through
> the IPSEC transport.
> b) Why firewall is ignoring incoming IPSEC esp packets.
>
> Is anyone able to help?

I know three main reasons that may prevent firewall+IPSec from working as expected:

1) for incoming packets: the kernel could drop an incoming packet within the ipsec code, incrementing one of the counters shown with the "netstat -sp ipsec" command, so you should check that out first;

2) for both outgoing and incoming packets there could be a processing order problem: packets are processed first by the pfil(9) framework (so pf/ipfw have a chance to do NAT etc.) and only then sent to ipsec(4) to transform (in FreeBSD 11 at least), not vice versa;

3) also read the if_enc(4) manual page to become familiar with the net.enc.out.* and net.enc.in.* sysctl family, as it may affect this, too. If you do not use the enc(4) pseudo-interface, make sure you changed the defaults to:

net.enc.in.ipsec_filter_mask=0
net.enc.out.ipsec_filter_mask=0
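The first and third checks from the reply above, turned into a small POSIX sh diagnostic. This is an added example, not code from the thread; the two sample outputs are constructed (the "netstat -sp ipsec" counter wording is approximated from memory, not copied from a host), so on a real box pipe the live command output into these functions instead.

```sh
#!/bin/sh
# Constructed stand-in for "netstat -sp ipsec" output (wording approximated).
# Live use: netstat -sp ipsec | ipsec_drop_counters
SAMPLE_NETSTAT='ipsec:
    12 inbound packets processed successfully
    0 inbound packets violated process security policy
    7 inbound packets with no SA available
    0 inbound packets dropped due to no memory
    3 outbound packets processed successfully
    0 outbound packets violated process security policy
    0 outbound packets with no SA available'

# Print every non-zero counter that is not a "processed successfully" line,
# i.e. the drop/error counters the reply says to look at first.
ipsec_drop_counters() {
    awk '/^[ \t]+[0-9]+ / && $1 != 0 && !/processed successfully/ {
        sub(/^[ \t]+/, "")
        print
    }'
}

# Constructed stand-in for:
#   sysctl net.enc.in.ipsec_filter_mask net.enc.out.ipsec_filter_mask
# Live use: sysctl net.enc.in.ipsec_filter_mask net.enc.out.ipsec_filter_mask | enc_filter_mask_check
SAMPLE_SYSCTL='net.enc.in.ipsec_filter_mask: 1
net.enc.out.ipsec_filter_mask: 0'

# Report each net.enc.{in,out}.ipsec_filter_mask that is not 0, the value the
# reply recommends when enc(4) is not in use. Exit status 0 only if both are 0.
enc_filter_mask_check() {
    awk -F': ' '/^net\.enc\.(in|out)\.ipsec_filter_mask/ {
        if ($2 != 0) {
            print "needs change: " $1 " = " $2 " (expected 0)"
            bad = 1
        }
    } END { exit bad }'
}

# Stand-alone run on the constructed samples.
printf '%s\n' "$SAMPLE_NETSTAT" | ipsec_drop_counters
printf '%s\n' "$SAMPLE_SYSCTL" | enc_filter_mask_check || echo "enc filter masks are not 0; see if_enc(4)"
```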