[Bug 273198] [14.0 CURRENT] PF recognizes encrypted IPSec traffic as coming from WAN. | NAT with IPsec Phase 2 Networks
Date: Mon, 27 Nov 2023 13:23:48 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=273198
cArleone <32carleone@gmail.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |32carleone@gmail.com
--- Comment #1 from cArleone <32carleone@gmail.com> ---
Hello,
This error persists in FreeBSD-14 RELEASE. I tested it today.
The response from IPsec still seems to be coming from the WAN interface.
# Since it seems to be coming from the WAN, it is blocked by matching my wrong rule.
block drop in log quick on pppoe_igc1 from any to any tag "wan" ridentifier 100000001
# pflog
100000001]: block in on pppoe_igc1: 32.32.32.32.443 > 192.168.1.233.54146: Flags [S.], seq 1260103609, ack 142834308, win 65535, options [mss 1460, nop, wscale 8, nop, nop, sackOK], length 0
# my nat rule
nat log on enc0 inet from { 192.168.1.0/24 } to { 32.32.32.32/32 } -> 10.200.100.1/32
# swanctl --list-sas
ipsec2000: #18, ESTABLISHED, IKEv1, 006cc2d48e260de2_i 768af4a1fdc970bf_r*
  local  '95.95.95.95' @ 95.95.95.8[4500]
  remote '212.212.212.212' @ 212.212.212.212[4500]
  AES_CBC-256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
  established 20485s ago, reauth in 56685s
  ipsec2001: #23, reqid 1, INSTALLED, TUNNEL-in-UDP, ESP:AES_CBC-256/HMAC_SHA2_256_128
    installed 2757s ago, rekeying in 135s, expires in 843s
    in  c2ad555f, 716504 bytes, 535 packets, 14249s ago
    out c89f82d4,  70100 bytes, 523 packets,  1143s ago
    local  10.200.100.1/32|192.168.1.0/24
    remote 32.32.32.32/32|/0
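The diagnosis in the comment above is a manual correlation: the blocked packet's source and destination fall inside the child SA's remote and local traffic selectors, yet pf logged it on the WAN interface rather than on enc0. The following script is an added example (not code from the bug report, FreeBSD, or strongSwan) that automates that correlation over a pflog line and the selector lines of `swanctl --list-sas`. It assumes the tcpdump-style pflog layout quoted above and that swanctl prints several selectors joined with "|" as in the report; the bare "/0" token is skipped rather than interpreted. The sample input is constructed from the values in the report.

```python
"""Correlate pf block log entries with IPsec child SA traffic selectors.

Added example, not code from the bug report or from FreeBSD/strongSwan.
Assumes tcpdump-style pflog lines of the shape quoted in the report and
the "local ... / remote ..." selector lines of `swanctl --list-sas`.
"""
import ipaddress
import re

# Matches "block in on pppoe_igc1: 32.32.32.32.443 > 192.168.1.233.54146:"
PFLOG_RE = re.compile(
    r"(?P<action>block|pass) (?P<dir>in|out) on (?P<ifname>[\w.]+): "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+):"
)

# Matches "  local 10.200.100.1/32|192.168.1.0/24"; the '|' separator
# follows the report's layout (an assumption about swanctl output).
SEL_RE = re.compile(r"^\s*(?P<side>local|remote)\s+(?P<sels>\S+)\s*$")


def parse_pflog(line):
    """Return the fields of one pflog line, or None if it does not match."""
    m = PFLOG_RE.search(line)
    if m is None:
        return None
    f = m.groupdict()
    f["sport"], f["dport"] = int(f["sport"]), int(f["dport"])
    return f


def parse_selectors(swanctl_text):
    """Collect child SA traffic selectors keyed by 'local' / 'remote'.

    Tokens that are not parseable as a network (the bare '/0' in the
    report, whose meaning this example does not guess) are skipped.
    """
    sels = {"local": [], "remote": []}
    for line in swanctl_text.splitlines():
        m = SEL_RE.match(line)
        if m is None:
            continue
        for tok in m.group("sels").split("|"):
            try:
                sels[m.group("side")].append(ipaddress.ip_network(tok, strict=False))
            except ValueError:
                continue
    return sels


def classify(pflog_line, swanctl_text, wan_ifaces):
    """Say whether a logged inbound packet belongs to an IPsec tunnel selector.

    Returns one of:
      'unparsed'               the pflog line did not match
      'tunnel-traffic-on-wan'  src/dst fall inside the SA's remote/local
                               selectors and the packet was logged on a WAN
                               interface (the report's symptom)
      'tunnel-traffic'         selectors match, logged on another interface
      'not-tunnel-traffic'     selectors do not match
    """
    f = parse_pflog(pflog_line)
    if f is None:
        return "unparsed"
    sels = parse_selectors(swanctl_text)
    src, dst = ipaddress.ip_address(f["src"]), ipaddress.ip_address(f["dst"])
    # Inbound tunnel traffic flows from the remote selector to the local one.
    in_tunnel = (any(src in n for n in sels["remote"])
                 and any(dst in n for n in sels["local"]))
    if not in_tunnel:
        return "not-tunnel-traffic"
    if f["ifname"] in wan_ifaces:
        return "tunnel-traffic-on-wan"
    return "tunnel-traffic"


# Constructed sample input, values taken from the report above.
SAMPLE_PFLOG = ("block in on pppoe_igc1: 32.32.32.32.443 > 192.168.1.233.54146: "
                "Flags [S.], seq 1260103609, ack 142834308, win 65535, length 0")
SAMPLE_SWANCTL = """\
ipsec2001: #23, reqid 1, INSTALLED, TUNNEL-in-UDP, ESP:AES_CBC-256/HMAC_SHA2_256_128
  local 10.200.100.1/32|192.168.1.0/24
  remote 32.32.32.32/32|/0
"""

if __name__ == "__main__":
    print(classify(SAMPLE_PFLOG, SAMPLE_SWANCTL, {"pppoe_igc1"}))
```

Run against the sample, `classify` reports `tunnel-traffic-on-wan`, which is the condition the comment describes: decapsulated tunnel traffic being evaluated on pppoe_igc1 and hitting the `tag "wan"` block rule. Feeding it live `tcpdump -n -e -ttt -i pflog0` output with the real WAN interface name turns the same check into a quick way to tell these blocks apart from genuine unsolicited WAN traffic.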