[Bug 248474] if_ipsec: NAT broken on IPsec/VTI
    bugzilla-noreply at freebsd.org 
    bugzilla-noreply at freebsd.org
       
    Tue Mar  2 13:36:14 UTC 2021
    
    
  
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=248474
--- Comment #39 from jimp at netgate.com ---
(In reply to Kevin Ong from comment #33)
You're missing a couple sysctl OIDs.
For the default enc0 filtering mode, use the following sysctl values:
net.inet.ipsec.filtertunnel   = 0x0000
net.inet6.ipsec6.filtertunnel = 0x0000
net.enc.out.ipsec_bpf_mask    = 0x0001
net.enc.out.ipsec_filter_mask = 0x0001
net.enc.in.ipsec_bpf_mask     = 0x0002
net.enc.in.ipsec_filter_mask  = 0x0002
For if_ipsec filtering:
net.inet.ipsec.filtertunnel   = 0x0001
net.inet6.ipsec6.filtertunnel = 0x0001
net.enc.out.ipsec_bpf_mask    = 0x0000
net.enc.out.ipsec_filter_mask = 0x0000
net.enc.in.ipsec_bpf_mask     = 0x0000
net.enc.in.ipsec_filter_mask  = 0x0000
(In reply to jeremy.mordkoff from comment #35)
Since the sysctl oids mentioned in this thread control whether you filter only
on *either* enc0 or the if_ipsec interfaces and not both at once, depending on
the sysctl values, you need to setup rules on the if_ipsec interfaces to let
the VTI traffic pass. At the moment, pfSense software doesn't have a way to let
you do that. There is a patch on https://redmine.pfsense.org/issues/11395 which
lets you choose to either filter on enc0 (for tunnel mode + basic VTI traffic)
or filter on if_ipsec (full VTI filtering capabilities, including NAT, but
drops all tunnel mode traffic). The VTI filtering mode exposes firewall rule
tabs for assigned VTI interfaces which will allow you to do what you want.
For info on how to use that or other issues specific to pfSense software you
should post on the Netgate forum for assistance.
I'd still prefer there be a way to do both at once, but at least having a
choice in the behavior is better than it being completely broken.
-- 
You are receiving this mail because:
You are the assignee for the bug.
    
    
More information about the freebsd-net
mailing list