NAT before IPSEC - reply packets stuck at enc0

Andrey V. Elsukov bu7cher at yandex.ru
Mon Jul 24 11:21:11 UTC 2017


On 22.07.2017 08:36, Muenz, Michael wrote:
> Am 21.07.2017 um 13:08 schrieb Andrey V. Elsukov:
>>
>> With ipfw(4) it should work, at least on FreeBSD. pfSense/OPNsense have
>> their own patches, so I don't know what can be wrong there.
>>
> 
> I also tried 11.0 and 11.1RC3 vanilla kernels, no luck.
> Will build a test setup with the OPNsense devs.
> 
> I'm still positive that this can't be a huge issue.
> 
> Thanks for your efforts Andrey!

Ok, let's try to debug the problem. Please use 11.1-RC; it has a
significantly changed IPsec stack.

Apply the attached patch to if_enc(4); it makes if_enc a bit more useful for
debugging your problem. You need to rebuild and reinstall
sys/modules/if_enc.

Now enable verbose BPF logging:
net.enc.out.ipsec_bpf_mask=3
net.enc.in.ipsec_bpf_mask=3

According to your tcpdump output, you need to set
net.enc.out.ipsec_filter_mask=2

Show what you will see in the `tcpdump -nvi enc0` with such config
options. Also, show what you have in the `sysctl net.inet.ip.fw` and
`ipfw show` output.

-- 
WBR, Andrey V. Elsukov
-------------- next part --------------
A non-text attachment was scrubbed...
Name: if_enc.diff
Type: text/x-patch
Size: 1459 bytes
Desc: not available
URL: <http://lists.freebsd.org/pipermail/freebsd-net/attachments/20170724/49a720d3/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 553 bytes
Desc: OpenPGP digital signature
URL: <http://lists.freebsd.org/pipermail/freebsd-net/attachments/20170724/49a720d3/attachment.sig>
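The steps the reply asks for (set the enc(4) BPF and filter masks, then capture `tcpdump -nvi enc0`, `sysctl net.inet.ip.fw` and `ipfw show`) are easy to get subtly wrong when typed by hand, so here is an added example script that performs them in one go. It is not part of the original mail, the attached if_enc.diff, or FreeBSD itself; it assumes a FreeBSD 11.1-RC host with if_enc loaded, the interface name `enc0`, an output directory `/tmp/enc-debug`, and that a mask value is only meaningful when built from the bits 0x01 (before IPsec processing) and 0x02 (after IPsec processing), which is how I read enc(4). A `DRY_RUN=1` mode echoes the commands instead of running them, so the plan can be reviewed on a non-FreeBSD box first.

```shell
#!/bin/sh
# Added example (not from the mail or the FreeBSD project): apply the enc(4)
# debugging sysctls from the thread and collect the requested diagnostics.
# Assumes FreeBSD 11.1-RC with if_enc loaded; ENC_IF, OUT_DIR, DRY_RUN and
# ENC_DEBUG_MAIN are names chosen for this script only.

ENC_IF="${ENC_IF:-enc0}"
OUT_DIR="${OUT_DIR:-/tmp/enc-debug}"
DRY_RUN="${DRY_RUN:-0}"

# The exact key=value pairs requested in the reply: BPF mask 3 (packets
# visible both before and after IPsec processing) in both directions, and
# outbound filter mask 2.
enc_debug_sysctls() {
    printf '%s\n' \
        "net.enc.out.ipsec_bpf_mask=3" \
        "net.enc.in.ipsec_bpf_mask=3" \
        "net.enc.out.ipsec_filter_mask=2"
}

# Assumption: only bits 0x01 (before IPsec) and 0x02 (after IPsec) are
# meaningful, so the only sane values are 0..3. Anything else is a typo.
valid_enc_mask() {
    case "$1" in
        0|1|2|3) return 0 ;;
        *) return 1 ;;
    esac
}

# Execute a command, or just echo it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Validate every mask before touching the kernel; refuse on the first bad one.
apply_enc_sysctls() {
    for kv in $(enc_debug_sysctls); do
        key=${kv%%=*}
        val=${kv#*=}
        if ! valid_enc_mask "$val"; then
            echo "refusing to set $key: $val is not a valid enc mask" >&2
            return 1
        fi
        run sysctl "$kv" || return 1
    done
}

# Gather exactly what the reply asks to see. tcpdump is bounded with -c so the
# script terminates on its own; raise the count if the bug needs more traffic.
collect_enc_diagnostics() {
    run mkdir -p "$OUT_DIR" || return 1
    run sh -c "sysctl net.inet.ip.fw > '$OUT_DIR/sysctl-ipfw.txt'" || return 1
    run sh -c "ipfw show > '$OUT_DIR/ipfw-show.txt'" || return 1
    run sh -c "tcpdump -nvi '$ENC_IF' -c 50 > '$OUT_DIR/tcpdump-$ENC_IF.txt' 2>&1" || return 1
}

# Only act when explicitly asked, so the file can also be sourced for its
# functions:  ENC_DEBUG_MAIN=1 sh enc-debug.sh
if [ "${ENC_DEBUG_MAIN:-0}" = "1" ]; then
    apply_enc_sysctls && collect_enc_diagnostics
fi
```

Run it as `DRY_RUN=1 ENC_DEBUG_MAIN=1 sh enc-debug.sh` to see the command plan, then without `DRY_RUN` as root on the test box; the three files under `/tmp/enc-debug` are what the reply asks to be posted back to the list.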

