NAT before IPSEC - reply packets stuck at enc0
    Muenz, Michael
    m.muenz at spam-fetish.org
    Fri Jul 21 11:21:26 UTC 2017

Am 21.07.2017 um 13:08 schrieb Andrey V. Elsukov:
> On 21.07.2017 13:59, Muenz, Michael wrote:
>> Am 19.07.2017 um 15:35 schrieb Andrey V. Elsukov:
>>> Check what you will see if you set net.enc.in.ipsec_bpf_mask=3.
>>> You should see the reply two times, the second one should be with
>>> translated address.
>>>
>> Googling around with "nat before ipsec" and freebsd shows many topics
>> like this.
>> It seems with the 11.0 release there were some significant changes to enc
>> which made this impossible.
> The only significant change to enc(4) was making it loadable. From the other
> side it still works as before. Another problem is PF-specific, PF does
> if_output() after translation by itself, and there is no chance for IPsec
> to finish encryption. Third problem mentioned here (deadlock in pf) is
> also PF-specific, and I'm not sure that it worked well before.
>
> With ipfw(4) it should work, at least on FreeBSD. pfSense/OPNsense have
> their own patches, so I don't know what can be wrong there.
>
I know the problems with pf and FreeBSD, that's why I'm focusing on ipfw.
So ipfw without natd and Strongswan as IPSec implementation
should work as expected?
Then I'll try to spend more time investigating with sysctl, but I think
I have tested every combination.
Really appreciate your help, thanks!
Michael
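As an added example (not from the thread, and not OPNsense or FreeBSD project code): a small sh helper that reads a `tcpdump -ni enc0` capture taken with `net.enc.in.ipsec_bpf_mask=3`, as Andrey suggests, and reports whether the peer's reply shows up both with the NAT address and, a second time, with the translated internal destination. The hosts 198.51.100.7 (IPsec peer), 203.0.113.10 (NAT address) and 10.0.0.5 (internal host) and the capture lines are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Checks a tcpdump capture of enc0, taken
# with "sysctl net.enc.in.ipsec_bpf_mask=3" as suggested above, for the
# behaviour Andrey describes: the reply from the IPsec peer should appear twice,
# the second copy already carrying the translated (internal) destination.
# All hosts and capture lines are constructed placeholders (IPv4 only).

# count_replies CAPTURE REMOTE DST: number of decrypted packets on enc0
# sent by REMOTE to DST (tcpdump -n prints "src.port > dst.port:").
count_replies() {
    awk -v r="$2" -v d="$3" '
        $2 == "IP" {
            src = $3; dst = $5
            sub(/\.[0-9]+$/, "", src)     # strip the source port
            sub(/\.[0-9]+:$/, "", dst)    # strip the destination port and colon
            if (src == r && dst == d) n++
        }
        END { print n + 0 }' "$1"
}

# check_reply_translation CAPTURE REMOTE NAT_ADDR INTERNAL_ADDR
# Returns 0 when the reply is seen both before and after NAT undoes the
# translation; returns 1 (and says which copy is missing) otherwise.
check_reply_translation() {
    pre=$(count_replies "$1" "$2" "$3")     # dst = NAT address (untranslated copy)
    post=$(count_replies "$1" "$2" "$4")    # dst = internal host (translated copy)
    if [ "$pre" -gt 0 ] && [ "$post" -gt 0 ]; then
        echo "ok: reply seen $pre time(s) untranslated and $post time(s) translated"
        return 0
    elif [ "$pre" -gt 0 ]; then
        echo "stuck: reply reaches enc0 but never shows up with the translated address"
    else
        echo "missing: no reply from $2 seen on enc0 at all"
    fi
    return 1
}

# sample_capture ok|stuck: writes a constructed enc0 capture and prints its path.
sample_capture() {
    f=$(mktemp)
    printf '%s\n' \
      '11:21:26.030000 IP 198.51.100.7.22 > 203.0.113.10.51234: Flags [S.], seq 2, ack 2, win 65535, length 0' \
      > "$f"
    [ "$1" = ok ] && printf '%s\n' \
      '11:21:26.030010 IP 198.51.100.7.22 > 10.0.0.5.51234: Flags [S.], seq 2, ack 2, win 65535, length 0' \
      >> "$f"
    echo "$f"
}
```

On a real box, replace the constructed file with the output of `tcpdump -ni enc0 -l` saved to a file; the "stuck" verdict is the symptom in the subject line, the reply arriving on enc0 but never reappearing with the internal destination.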