From: bugzilla-noreply@freebsd.org
To: pf@FreeBSD.org
Subject: [Bug 273198] [14.0 CURRENT] PF recognizes encrypted IPSec traffic as coming from WAN. | NAT with IPsec Phase 2 Networks
Date: Mon, 27 Nov 2023 13:23:48 +0000
X-Bugzilla-Product: Base System
X-Bugzilla-Component: kern
X-Bugzilla-Version: CURRENT
X-Bugzilla-Severity: Affects Only Me
X-Bugzilla-Who: 32carleone@gmail.com
X-Bugzilla-Status: New
X-Bugzilla-Assigned-To: pf@FreeBSD.org
X-Bugzilla-Changed-Fields: cc
X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/
List-Id: Technical discussion and general questions about packet filter (pf)
List-Archive: https://lists.freebsd.org/archives/freebsd-pf

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=273198

cArleone <32carleone@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |32carleone@gmail.com

--- Comment #1 from cArleone <32carleone@gmail.com> ---
Hello, this error persists in FreeBSD-14 RELEASE. I tested it today.
The response from IPsec still seems to be coming from the WAN interface.

# Since it seems to be coming from the WAN, it is blocked by entering my wrong rule.
block drop in log quick on pppoe_igc1 from any to any tag "wan" ridentifier 100000001

# pflog
100000001]: block in on pppoe_igc1: 32.32.32.32.443 > 192.168.1.233.54146: Flags [S.], seq 1260103609, ack 142834308, win 65535, options [mss 1460, nop, wscale 8, nop, nop, sackOK], length 0

# my nat rule
nat log on enc0 inet from { 192.168.1.0/24 } to { 32.32.32.32/32 } -> 10.200.100.1/32

# swanctl --list-sas
ipsec2000: #18, ESTABLISHED, IKEv1, 006cc2d48e260de2_i 768af4a1fdc970bf_r*
  local  '95.95.95.95' @ 95.95.95.8[4500]
  remote '212.212.212.212' @ 212.212.212.212[4500]
  AES_CBC-256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
  established 20485s ago, reauth in 56685s
  ipsec2001: #23, reqid 1, INSTALLED, TUNNEL-in-UDP, ESP:AES_CBC-256/HMAC_SHA2_256_128
    installed 2757s ago, rekeying in 135s, expires in 843s
    in  c2ad555f, 716504 bytes, 535 packets, 14249s ago
    out c89f82d4,  70100 bytes, 523 packets,  1143s ago
    local  10.200.100.1/32|192.168.1.0/24
    remote 32.32.32.32/32|/0

-- 
You are receiving this mail because:
You are the assignee for the bug.
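As a diagnostic for the symptom this comment describes, here is an added script (not part of the bug report, pf or strongSwan) that parses a pflog line and the traffic selectors from swanctl --list-sas output, and flags any packet whose endpoints fall inside the IPsec selectors but was logged on the outer WAN interface instead of enc0. The sample log line and SA listing are constructed from the values quoted above; the WAN interface name is an assumption.

```python
import ipaddress
import re

# Constructed sample input, assembled from the lines quoted in the report above.
PFLOG_LINE = ("block in on pppoe_igc1: 32.32.32.32.443 > 192.168.1.233.54146: "
              "Flags [S.], seq 1260103609, ack 142834308, win 65535, length 0")
SWANCTL_OUTPUT = """\
ipsec2001: #23, reqid 1, INSTALLED, TUNNEL-in-UDP, ESP:AES_CBC-256/HMAC_SHA2_256_128
    local  10.200.100.1/32|192.168.1.0/24
    remote 32.32.32.32/32|/0
"""
WAN_IFACES = {"pppoe_igc1"}  # assumption: the outer (ciphertext) interface names

PFLOG_RE = re.compile(
    r"^(?P<action>block|pass) (?P<dir>in|out) on (?P<ifname>\S+): "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+):")
SELECTOR_RE = re.compile(r"^\s*(local|remote)\s+(\S+)\s*$", re.M)

def parse_pflog(line):
    """Split a pflog/tcpdump line into action, direction, interface and endpoints."""
    m = PFLOG_RE.match(line)
    return m.groupdict() if m else None

def parse_selectors(text):
    """Collect local/remote traffic selectors ('|'-separated) from swanctl output.
    Tokens that are not valid networks (the bare '/0' above) are skipped, not guessed."""
    sels = {"local": [], "remote": []}
    for side, raw in SELECTOR_RE.findall(text):
        for tok in raw.split("|"):
            try:
                sels[side].append(ipaddress.ip_network(tok, strict=False))
            except ValueError:
                continue
    return sels

def classify(entry, sels, wan_ifaces=WAN_IFACES):
    """Return a finding if a packet logged on a WAN interface has src/dst inside the
    IPsec selectors, i.e. decrypted tunnel traffic was filtered on the outer
    interface rather than on enc0. Return None otherwise."""
    if entry is None or entry["ifname"] not in wan_ifaces:
        return None
    src, dst = ipaddress.ip_address(entry["src"]), ipaddress.ip_address(entry["dst"])
    inbound = any(src in n for n in sels["remote"]) and any(dst in n for n in sels["local"])
    outbound = any(src in n for n in sels["local"]) and any(dst in n for n in sels["remote"])
    if not (inbound or outbound):
        return None
    return (f"{entry['action']} {entry['dir']} on {entry['ifname']}: {src} > {dst} "
            "falls inside IPsec selectors; expected on enc0")
```

Run over a real pflog capture, a non-empty finding for a WAN-interface entry reproduces the report's symptom: tunnel plaintext being evaluated by the WAN block rule before it reaches the enc0 rules.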