From: Özkan KIRIK <ozkan.kirik@gmail.com>
Date: Mon, 28 Feb 2022 20:16:25 +0300
Subject: DHCP Server over IPsec (may be IPsec and raw sockets issue)
To: FreeBSD Net <freebsd-net@freebsd.org>
List-Id: Networking and TCP/IP with FreeBSD
List-Archive: https://lists.freebsd.org/archives/freebsd-net

Hello,

I'm running FreeBSD stable/12. I'm running the kea-dhcp server and strongswan.

DHCP Relay packets are received over IPsec, but kea-dhcp couldn't receive the packets while in "raw" socket mode. When kea-dhcp is configured to use "udp" sockets, DHCP Relay packets can be received. As you know, when the dhcp server is configured to use UDP sockets, it cannot receive dhcp bootp broadcasts on the same local network.

Both IPsec VTI mode and IPsec legacy mode behave the same way. I tried to change net.inet.ipsec.filtertunnel but it didn't work.

Also, I tried to make dhcp-relay and IPsec work together: the isc-dhcrelay daemon is forwarding requests but cannot read the received response. I think that the problem is the same.

As a workaround, I moved kea-dhcp to a vnet jail connected with an epair. IPsec is left on the parent system. With this solution, it works. But it's an ugly solution.

Is there any way to make IPsec and "raw" sockets work together?

Thank you.

Regards