[Bug 273198] [14.0 CURRENT] PF recognizes encrypted IPSec traffic as coming from WAN. | NAT with IPsec Phase 2 Networks
Date: Mon, 24 Jun 2024 17:12:40 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=273198

--- Comment #2 from Igor Ostapenko <igor.ostapenko@pm.me> ---
(In reply to cArleone from comment #1)

I've applied the initial analysis of the case. I've managed to test it using jails and vnet. From my testing both if_enc and pf work as expected, i.e. I can catch ESP or the payload on enc0.

If you want, you may run the same test on your system to verify that basic behavior works fine:
- fetch the test file as /usr/tests/sys/netpfil/pf/ipsec
- # echo 'atf_test_program{name="ipsec", is_exclusive=true}' >> /usr/tests/sys/netpfil/pf/Kyuafile
- # kyua test -k /usr/tests/sys/netpfil/pf/Kyuafile ipsec

I believe the test does not cover your case completely. If more details and sequence of actions/manipulations over the IPsec traffic are provided, then probably I will have higher chances to reproduce the issue.

CURRENT 5dbf886104b45fea255987ee2ae4828b8d002ffe was used for the testing.

--
You are receiving this mail because:
You are the assignee for the bug.