Re: IPSEC problems with pf

From: Andrey V. Elsukov <bu7cher_at_yandex.ru>
Date: Sat, 25 Sep 2021 13:06:55 UTC
25.09.2021 03:31, Eugene Grosbein writes:
> I know three main reasons that may prevent firewall+IPSec from working as expected:
> 
> 1) for incoming packets: the kernel could drop an incoming packet within the ipsec code,
> incrementing one of the counters shown by the "netstat -sp ipsec" command,
> so you should check that first;
> 
> 2) for both outgoing and incoming packets there could be a processing order problem:
> packets are processed first by the pfil(9) framework (so pf/ipfw have a chance to do NAT etc.)
> and only then sent to ipsec(4) for transformation (in FreeBSD 11 at least), not vice versa.

AFAIK, pf does not send packets to IPsec processing after NAT. You need
to do the translation after IPsec processing using the if_enc interface.

> 
> 3) also read the if_enc(4) manual page to become familiar with the net.enc.out.* and net.enc.in.* sysctl family,
> as it may affect this, too. If you do not use the enc(4) pseudo-interface, make sure you changed the defaults to:
> 
> net.enc.in.ipsec_filter_mask=0
> net.enc.out.ipsec_filter_mask=0
Another important variable that needs attention is
net.inet.ipsec.filtertunnel

-- 
WBR, Andrey V. Elsukov
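
The following POSIX sh script is an added example for this thread; it is not code from either message, from pf or from FreeBSD. It ties the three checks above together: it filters "netstat -sp ipsec" output down to the counters that actually moved (point 1), decodes the net.enc.in/out.ipsec_filter_mask bits the way if_enc(4) defines them (0x1 = before IPsec processing, 0x2 = after), reports net.inet.ipsec.filtertunnel, and prints a pf.conf fragment that does the translation on enc0, i.e. on the packet pf sees after IPsec handling, rather than on the physical interface. The interface name em0, all addresses, the pf.conf lines and the sample netstat output are assumptions made for illustration; on a non-FreeBSD host the script only exercises the constructed sample.

```shell
#!/bin/sh
# Added example for the "IPSEC problems with pf" thread; not code from the
# original messages, from pf or from FreeBSD. Bit meanings follow if_enc(4):
# 0x1 = before IPsec processing, 0x2 = after IPsec processing.
# em0, the addresses, the pf.conf lines and the sample counters are assumptions.

# decode_filter_mask MASK: which points pf is handed the packet at via enc0.
decode_filter_mask() {
    case "$1" in
        0) echo "none" ;;
        1) echo "before" ;;
        2) echo "after" ;;
        3) echo "before,after" ;;
        *) echo "unknown"; return 1 ;;
    esac
}

# nonzero_ipsec_counters: reduce "netstat -sp ipsec" output on stdin to the
# counters that moved, skipping the "processed successfully" totals, so only
# the error/drop reasons from point 1 of the quoted message remain.
nonzero_ipsec_counters() {
    awk '$1 ~ /^[0-9]+$/ && $1 != 0 && !/processed successfully/'
}

# Constructed sample modelled on the "netstat -sp ipsec" layout; the numbers
# are made up for this example and are not from any real host.
SAMPLE_IPSEC_STATS='ipsec:
    12 inbound packets processed successfully
    3 inbound packets violated process security policy
    0 inbound packets with no SA available
    0 invalid inbound packets
    9 outbound packets processed successfully
    0 outbound packets violated process security policy
    1 outbound packets with no SA available
    0 outbound packets with no route available'

# pf_enc_fragment: pf.conf lines that let IKE/ESP reach the host on the
# physical interface and do the NAT on enc0, where pf handles the inner
# (cleartext) packet, instead of on em0, where it only sees ESP.
# em0 and every address below are placeholders.
pf_enc_fragment() {
    cat <<'EOF'
# IKE and ESP themselves come in on the outside interface (em0 is assumed).
pass in quick on em0 proto esp
pass in quick on em0 proto udp from any to any port { 500, 4500 }

# Tunnelled traffic is handed to pf on enc0; translate and filter it there.
nat on enc0 from 192.168.1.0/24 to 10.0.0.0/24 -> 172.16.0.1
pass on enc0 all
EOF
}

if [ "$(uname -s)" = "FreeBSD" ]; then
    echo "== ipsec counters that moved (point 1) =="
    netstat -sp ipsec | nonzero_ipsec_counters
    echo "== enc(4) filter points (point 3) =="
    for k in net.enc.in.ipsec_filter_mask net.enc.out.ipsec_filter_mask; do
        v=$(sysctl -n "$k")
        printf '%s = %s (%s)\n' "$k" "$v" "$(decode_filter_mask "$v")"
    done
    sysctl net.inet.ipsec.filtertunnel
else
    echo "not FreeBSD; running the counter filter over the constructed sample:"
    printf '%s\n' "$SAMPLE_IPSEC_STATS" | nonzero_ipsec_counters
fi
echo "== suggested pf.conf fragment =="
pf_enc_fragment
```

Run it as root on the FreeBSD box carrying the tunnel; a nonzero "violated process security policy" or "no SA available" counter points at the SPD/SAD rather than at pf, and a filter mask of "before,after" means pf sees each packet twice on enc0, which is what the message recommends turning off (both masks 0) when enc0 is not used in the ruleset.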