DHCP Server over IPsec (may be IPsec and raw sockets issue)

From: Özkan KIRIK <ozkan.kirik_at_gmail.com>
Date: Mon, 28 Feb 2022 17:16:25 UTC

I'm running FreeBSD stable/12. I'm running the kea-dhcp server and strongswan.
DHCP Relay packets are received over IPsec, but kea-dhcp couldn't
receive packets while in "raw" socket mode. When kea-dhcp is
configured to use "udp" sockets, DHCP Relay packets can be received. As
you know, when the DHCP server is configured to use UDP sockets, it
cannot receive DHCP/BOOTP broadcasts on the same local network.
Both IPsec VTI mode and IPsec legacy mode behave the same way. I tried to
change net.inet.ipsec.filtertunnel, but that didn't work.

I also tried to make dhcp-relay and IPsec work together: the isc-dhcrelay
daemon forwards requests but cannot read the received response. I
think the problem is the same.

As a workaround, I moved kea-dhcp into a vnet jail connected
with an epair. IPsec is left on the parent system. With this solution,
it works, but it's an ugly solution.

Is there any way to make IPsec and "raw" sockets work together?

Thank you.
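For readers following the "raw" versus "udp" distinction above, here is the Kea `interfaces-config` section that selects between the two modes, added as an illustration that is not part of the original post or of the Kea project's own documentation; the interface name `em0` and the subnet/pool values are assumptions, and the comments describe the behaviour reported in the post.

```json
{
  "Dhcp4": {
    "interfaces-config": {
      // Assumed LAN-facing interface on the FreeBSD host.
      "interfaces": [ "em0" ],

      // "raw" (Kea's default) opens a raw socket, so DISCOVER/REQUEST
      // broadcasts from clients on the same segment are seen. In the
      // setup reported above, relayed unicast arriving through the
      // IPsec SA was not delivered to the raw socket.
      //
      // "udp" opens an ordinary UDP socket: relayed unicast that came in
      // over IPsec is received, but same-segment broadcasts are missed.
      //
      // Switch this single value between "raw" and "udp" to reproduce
      // the two behaviours described in the post.
      "dhcp-socket-type": "raw"
    },

    // Assumed subnet served to relayed clients; Kea selects the subnet
    // from the relay agent's giaddr, so no relay-specific option is needed.
    "subnet4": [
      {
        "id": 1,
        "subnet": "192.0.2.0/24",
        "pools": [ { "pool": "192.0.2.100 - 192.0.2.199" } ]
      }
    ],

    "lease-database": { "type": "memfile" }
  }
}
```

Kea accepts `//` comments in its configuration files, so the block can be loaded as written after adjusting the assumed interface and subnet.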