From: Victor Gamov
Date: Sat, 14 Oct 2023 17:29:03 +0300
Subject: Re: Packet forwarding stooped when Strongswan install IPsec policy
To: freebsd-net
List-Id: Networking and TCP/IP with FreeBSD
List-Archive: https://lists.freebsd.org/archives/freebsd-net

After more investigation the tunnel is up and working:

etc/strongswan.d/charon.conf:
=====
install_routes = no
=====
This was disabled the first time but was lost during configuration experiments.

etc/ipsec.conf:
=====
conn pop4-to-pop12-routed
  installpolicy = no
=====

On Sat, 14 Oct 2023 at 13:25, Victor Gamov wrote:
> Hi All
>
> I have FreeBSD 13.2-STABLE stable/13-n255939-b9da47180fd6 GENERIC amd64
> machine with strongswan-5.9.11_2 installed by pkg.
>
> When routed ipsec is up, all outgoing packets are forwarded into the
> ipsec tunnel, so networking immediately fails.
>
> FreeBSD config:
> =====
> net.fibs=4
> net.inet.ip.forwarding=1
> =====
>
>
> ifconfig ipsec10121
> =====
> ipsec10121: flags=8050<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1400
>         description: PoP-12
>         tunnel inet 1.1.1.2 --> 2.2.2.2
>         inet 172.16.110.129 --> 172.16.110.130 netmask 0xfffffffc
>         groups: ipsec
>         reqid: 10121
>         nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
> =====
>
>
> strongswan etc/ipsec.conf:
> =====
> conn pop4-to-pop12-routed
> #  also = tmpl_route_based
>   left = 1.1.1.2
>   right = 2.2.2.2
>   leftsubnet = 0.0.0.0/0
>   rightsubnet = 0.0.0.0/0
>   reqid = 10121
>   type = tunnel
>   authby = psk
>   keyexchange = ikev2
>   ike = aes256-sha256-modp3072,aes256-sha256-modp3072
>   esp = aes256-sha256-modp3072,aes256-sha256-modp3072
>   ikelifetime = 28800
>   mobike = no
>   lifetime = 3600
>   dpdaction = restart
>   dpddelay = 30s
>   auto = start
> =====
>
>
> strongswan etc/strongswan.d/charon/kernel-pfkey.conf:
> =====
> kernel-pfkey {
>   load = yes
> #  route_via_internal = no
> }
> =====
>
>
> route -n monitor
> =====
> got message of size 272 on Sat Oct 14 12:39:39 2023
> RTM_GET: Report Metrics: len 272, pid: 49695, seq 1, errno 0, flags:<UP,GATEWAY,DONE,STATIC>
> locks:  inits:
> sockaddrs: <DST,GATEWAY,NETMASK,IFP,IFA>
>  0.0.0.0 1.1.1.1 0.0.0.0 vlan200:48.dc.2d.6.4f.f4 1.1.1.2
>
> got message of size 200 on Sat Oct 14 12:39:39 2023
> RTM_GET: Report Metrics: len 200, pid: 49695, seq 2, errno 0, flags:<UP,GATEWAY,DONE,STATIC>
> locks:  inits:
> sockaddrs: <DST,GATEWAY,NETMASK>
>  0.0.0.0 1.1.1.1 0.0.0.0
>
> got message of size 256 on Sat Oct 14 12:39:39 2023
> RTM_ADD: Add Route: len 256, pid: 49695, seq 3, errno 0, flags:<UP,GATEWAY,HOST,DONE,STATIC>
> locks:  inits:
> sockaddrs: <DST,GATEWAY,IFP,IFA>
>  2.2.2.2 1.1.1.1 vlan200:48.dc.2d.6.4f.f4 1.1.1.2
>
> got message of size 272 on Sat Oct 14 12:39:39 2023
> RTM_ADD: Add Route: len 272, pid: 49695, seq 5, errno 0, flags:<UP,DONE,STATIC>
> locks:  inits:
> sockaddrs: <DST,GATEWAY,NETMASK,IFP,IFA>
>  128.0.0.0 1.1.1.1 128.0.0.0 vlan200:48.dc.2d.6.4f.f4 1.1.1.2
>
> got message of size 272 on Sat Oct 14 12:39:39 2023
> RTM_ADD: Add Route: len 272, pid: 49695, seq 4, errno 0, flags:<UP,DONE,STATIC>
> locks:  inits:
> sockaddrs: <DST,GATEWAY,NETMASK,IFP,IFA>
>  0.0.0.0 1.1.1.1 128.0.0.0 vlan200:48.dc.2d.6.4f.f4 1.1.1.2
> =====
>
>
> netstat -r -nW4:
> =====
> Routing tables
>
> Internet:
> Destination        Gateway            Flags   Nhop#    Mtu      Netif Expire
> 0.0.0.0/1          195.34.58.166      US         12   1500    vlan200
> default            195.34.58.166      UGS         6   1500    vlan200
> 10.4.102.128/31    link#8             U           8   1500     vlan22
> 10.4.102.129       link#8             UHS         7  16384        lo0
> 31.131.95.64/27    127.0.0.1          U1B         9  16384        lo0
> 46.243.226.103     195.34.58.166      UGHS       10   1500    vlan200
> 127.0.0.1          link#5             UHS         1  16384        lo0
> 128.0.0.0/1        195.34.58.166      US         12   1500    vlan200
> 172.16.110.12/31   link#4             U           2   1500       ixl3
> 172.16.110.13      link#4             UHS         3  16384        lo0
> 172.16.110.129     link#11            UHS        11  16384        lo0
> 195.34.58.166/31   link#7             U           4   1500    vlan200
> 195.34.58.167      link#7             UHS         5  16384        lo0
> =====
>
>
> netstat -o -nW4
> =====
> Nexthop data
>
> Internet:
> Idx  Type        IFA             Gateway          Flags    Use    Mtu    Netif     Addrif Refcnt Prepend
> 1    v4/resolve  127.0.0.1       lo0/resolve      HS      1366  16384      lo0                 2
> 2    v4/resolve  172.16.110.13   ixl3/resolve                0   1500     ixl3                 2
> 3    v4/resolve  127.0.0.1       lo0/resolve      HS         0  16384      lo0       ixl3      2
> 4    v4/resolve  195.34.58.167   vlan200/resolve         51749   1500  vlan200                 4
> 5    v4/resolve  127.0.0.1       lo0/resolve      HS         0  16384      lo0    vlan200      2
> 6    v4/gw       195.34.58.167   195.34.58.166    GS     37902   1500  vlan200                 2
> 7    v4/resolve  127.0.0.1       lo0/resolve      HS         0  16384      lo0     vlan22      2
> 8    v4/resolve  10.4.102.129    vlan22/resolve              3   1500   vlan22                 2
> 9    v4/resolve  127.0.0.1       lo0/resolve      1B         0  16384      lo0                 2
> 10   v4/gw       195.34.58.167   195.34.58.166    GHS        0   1500  vlan200                 2
> 11   v4/resolve  127.0.0.1       lo0/resolve      HS         0  16384      lo0ipsec10121       2
> 12   v4/resolve  195.34.58.167   vlan200/resolve  S          0   1500  vlan200                 3
> =====
>
>
> If I change "route_via_internal=yes" in
> etc/strongswan.d/charon/kernel-pfkey.conf then no route like 0.0.0.0/1 or
> 128.0.0.0/1 is installed, but the network still fails.
>
> The very same strongswan config has worked fine for many years on FreeBSD-11.
> FreeBSD-13 has many changes in the network stack, and strongswan has changed too.
>
> Also I read https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=255678
> and https://github.com/strongswan/strongswan/issues/910 and it looks
> like a strongswan/FreeBSD integration issue.
>
>
> I'll appreciate any advice. Thanks!
>
> --
> CU,
> Victor Gamov
>

--
CU,
Victor Gamov
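
A configuration check for the two settings named in the follow-up above, as an added example that is not part of the original message: it flags any `conn` whose `leftsubnet` and `rightsubnet` are both `0.0.0.0/0` unless `installpolicy = no` is set for it and `install_routes = no` is set in charon.conf. The function names and sample file contents are constructed for illustration; the parser covers only the `conn` / `key = value` subset of ipsec.conf shown in the post (plus `conn %default`), and an absent option is treated as `yes`, which is the strongSwan default for both.

```python
import re

WILDCARD = "0.0.0.0/0"

def parse_ipsec_conf(text):
    """Return {conn_name: {key: value}} for the 'conn' sections of ipsec.conf."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():                 # section header at column 0
            parts = line.split()
            is_conn = len(parts) == 2 and parts[0] == "conn"
            current = conns.setdefault(parts[1], {}) if is_conn else None
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return conns

def charon_option(text, name, default):
    """Last uncommented 'name = value' found in strongswan.conf-style text."""
    value = default
    for raw in text.splitlines():
        m = re.match(rf"\s*{re.escape(name)}\s*=\s*(\S+)", raw.split("#", 1)[0])
        if m:
            value = m.group(1)
    return value

def audit(ipsec_conf, charon_conf):
    """List conns with 0.0.0.0/0 selectors on both sides that still let charon
    install policies or routes (an absent option counts as 'yes')."""
    conns = parse_ipsec_conf(ipsec_conf)
    defaults = conns.pop("%default", {})
    install_routes = charon_option(charon_conf, "install_routes", "yes")
    findings = []
    for name, own in conns.items():
        opts = {**defaults, **own}
        if opts.get("leftsubnet") != WILDCARD or opts.get("rightsubnet") != WILDCARD:
            continue
        if opts.get("installpolicy", "yes") != "no":
            findings.append(f"{name}: installpolicy is not 'no'")
        if install_routes != "no":
            findings.append(f"{name}: install_routes is not 'no'")
    return findings

# Constructed samples: the conn from the post (trimmed) before and after the fix.
BEFORE = "conn pop4-to-pop12-routed\n  leftsubnet = 0.0.0.0/0\n  rightsubnet = 0.0.0.0/0\n  reqid = 10121\n"
AFTER = BEFORE + "  installpolicy = no\n"
CHARON_BEFORE = "charon {\n    # install_routes = yes\n}\n"
CHARON_AFTER = "charon {\n    install_routes = no\n}\n"

if __name__ == "__main__":
    print(audit(BEFORE, CHARON_BEFORE))
    print(audit(AFTER, CHARON_AFTER))
```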