Re: IPSEC problems with pf
- Reply: Peter Jeremy : "Re: IPSEC problems with pf"
- In reply to: Eugene Grosbein : "Re: IPSEC problems with pf"
Date: Sat, 25 Sep 2021 13:06:55 UTC
25.09.2021 03:31, Eugene Grosbein writes:
> I know three main reasons that may prevent firewall+IPSec from working as expected:
>
> 1) for incoming packets: kernel could drop incoming packet within ipsec code
> incrementing one of counters shown with "netstat -sp ipsec" command,
> so you should check it out first;
>
> 2) for both outgoing and incoming packets there could be processing order problem:
> packets processed first by pfil(9) framework (so pf/ipfw have a chance to do NAT etc.)
> and only then sent to ipsec(4) to transform (in FreeBSD 11 at least), not vice versa.

AFAIK, pf does not send packets to IPsec processing after NAT. You need to do the translation after IPsec processing using the if_enc interface.

>
> 3) also read if_enc(4) manual page to get familiar with net.enc.out.* and net.enc.in.* sysctl family,
> as it may affect this, too. If you do not use enc(4) pseudo-interface, make sure you changed defaults to:
>
> net.enc.in.ipsec_filter_mask=0
> net.enc.out.ipsec_filter_mask=0

Another important variable that needs attention is net.inet.ipsec.filtertunnel

-- 
WBR, Andrey V. Elsukov
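The first two checks the thread recommends, written out as a small sh script. This is an added example, not code from either poster: it reports the non-zero "netstat -sp ipsec" counters (point 1) and the enc(4) filter masks that differ from the value the post suggests when enc(4) is not used (point 3), and prints net.inet.ipsec.filtertunnel so it is not overlooked. The two sample outputs embedded below are constructed; they only approximate the real netstat and sysctl(8) line formats ("<count> <description>" and "name: value"), so run the functions on live output ("netstat -sp ipsec | nonzero_counters") on the box in question.

```shell
#!/bin/sh
# Added example (not from the thread): a checker for the first two things
# the post says to look at when pf and IPsec do not cooperate.
#
# 1. Non-zero counters in "netstat -sp ipsec" mean the kernel dropped
#    packets inside the IPsec code, before or after pf ever saw them.
# 2. With enc(4) unused, the post recommends both ipsec_filter_mask
#    sysctls be 0; report any that differ.
#
# Both filters read text on stdin so they can be fed live command output
# or a saved copy.

# Print only the counter lines whose leading number is greater than zero.
# "$1 = $1" rebuilds the record, which drops the leading tab netstat emits.
nonzero_counters() {
    awk '$1 ~ /^[0-9]+$/ && $1 > 0 { $1 = $1; print }'
}

# Read "name: value" lines (sysctl(8) output format) and print a message for
# the named sysctl if its value is not the expected one.
#   $1 = sysctl name, $2 = expected value
sysctl_mismatch() {
    awk -v name="$1" -v want="$2" \
        '$1 == (name ":") && $2 != want { print name " is " $2 ", expected " want }'
}

# Constructed sample, approximating "netstat -sp ipsec" output; the counter
# names are illustrative, only the "<count> <text>" shape matters here.
SAMPLE_NETSTAT='ipsec:
	0 inbound packets violated process security policy
	17 inbound packets with no SA available
	0 invalid inbound packets
	0 outbound packets violated process security policy
	3 outbound packets with no SA available
	0 invalid outbound packets'

# Constructed sample of "sysctl net.enc net.inet.ipsec.filtertunnel" output.
SAMPLE_SYSCTL='net.enc.in.ipsec_filter_mask: 1
net.enc.out.ipsec_filter_mask: 0
net.inet.ipsec.filtertunnel: 0'

# Number of non-zero counters in a saved netstat report.
count_nonzero() {
    printf '%s\n' "$1" | nonzero_counters | wc -l | tr -d ' '
}

# Report enc(4) masks that are not 0 (the post's setting when enc(4) is unused).
check_enc_masks() {
    printf '%s\n' "$1" | sysctl_mismatch net.enc.in.ipsec_filter_mask 0
    printf '%s\n' "$1" | sysctl_mismatch net.enc.out.ipsec_filter_mask 0
}

echo "== non-zero IPsec counters =="
printf '%s\n' "$SAMPLE_NETSTAT" | nonzero_counters
echo "== enc(4) filter masks differing from 0 =="
check_enc_masks "$SAMPLE_SYSCTL"
echo "== net.inet.ipsec.filtertunnel (check this one too) =="
printf '%s\n' "$SAMPLE_SYSCTL" | awk '$1 == "net.inet.ipsec.filtertunnel:"'
```

On a live system replace the two SAMPLE_ variables with the output of `netstat -sp ipsec` and `sysctl net.enc net.inet.ipsec.filtertunnel`; a non-zero counter points at an IPsec-side drop to investigate before touching pf rules, and a mask mismatch means pf is still filtering at the enc(4) hook even though no enc interface is configured.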