[Bug 273198] [14.0 CURRENT] PF recognizes encrypted IPSec traffic as coming from WAN. | NAT with IPsec Phase 2 Networks

From: <bugzilla-noreply_at_freebsd.org>
Date: Wed, 26 Jun 2024 13:39:31 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=273198

--- Comment #4 from Igor Ostapenko <igor.ostapenko@pm.me> ---
(In reply to Alfa from comment #0)
> When remote peer's server (192.168.250.100) tries to send data to me,
> PF recognizes it as coming from WAN (em0)

As an idea, "sysctl net.inet.ipsec.filtertunnel=1" could be the reason. It
reveals the payload on the same interface ESP came on. For example, a single
"pass log all no state" pf rule provides the following sequence of matches for
a single ping roundtrip:

Case 1:
sysctl net.inet.ipsec.filtertunnel=0   # off
sysctl net.enc.in.ipsec_filter_mask=2  # after IPsec
sysctl net.enc.out.ipsec_filter_mask=1 # before IPsec
pflog:
pass in on wan: ESP
pass in on enc0: ICMP echo request
pass out on enc0: ICMP echo reply
pass out on wan: ESP

Case 2:
sysctl net.inet.ipsec.filtertunnel=1   # on
sysctl net.enc.in.ipsec_filter_mask=2  # after IPsec
sysctl net.enc.out.ipsec_filter_mask=1 # before IPsec
pflog:
pass in on wan: ESP
pass in on enc0: ICMP echo request
pass in on wan: ICMP echo request      # this is the diff
pass out on enc0: ICMP echo reply
pass out on wan: ESP

-- 
You are receiving this mail because:
You are the assignee for the bug.
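The two pflog sequences in the comment above differ by a single line: with filtertunnel=1 the decrypted ICMP packet is matched on wan as well as on enc0, so any rule written for the outer interface also sees the inner traffic. The following is an added example, not code from the bug report or from FreeBSD, that parses pflog-style lines in the simplified "pass in on IFACE: PROTO" form used in the comment (real `tcpdump -i pflog0` output is more verbose and would need a different regular expression) and reports which non-ESP packets pf matched on the outer interface in addition to the enc interface. The interface names wan and enc0 and the sample lines are constructed to mirror the two cases above.

```python
import re

# Regex for the simplified pflog lines used in the bug comment, e.g.
# "pass in on wan: ICMP echo request      # this is the diff"
# (assumption: this is not the exact format tcpdump prints for pflog0).
PFLOG_RE = re.compile(
    r"^(?P<action>pass|block|match)\s+(?P<direction>in|out)\s+on\s+"
    r"(?P<iface>\S+):\s+(?P<proto>[^#]+?)\s*(?:#.*)?$"
)


def parse_pflog(text):
    """Turn pflog-style lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = PFLOG_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def payload_seen_on_outer(entries, outer_iface="wan", ipsec_iface="enc0"):
    """Return (direction, proto) pairs for non-ESP packets that pf matched on the
    outer interface and also, in the same direction, on the enc interface.

    With net.inet.ipsec.filtertunnel=1 the decrypted payload is filtered again on
    the interface the ESP packet came in on, so the same inner packet shows up
    twice; with filtertunnel=0 the outer interface only ever sees ESP.
    """
    on_enc = {(e["direction"], e["proto"]) for e in entries if e["iface"] == ipsec_iface}
    duplicated = []
    for e in entries:
        if e["iface"] != outer_iface or e["proto"].upper() == "ESP":
            continue
        key = (e["direction"], e["proto"])
        if key in on_enc and key not in duplicated:
            duplicated.append(key)
    return duplicated


def diagnose(text, outer_iface="wan", ipsec_iface="enc0"):
    """Summarise whether inner IPsec traffic was matched on the outer interface."""
    dup = payload_seen_on_outer(parse_pflog(text), outer_iface, ipsec_iface)
    return {"filtertunnel_likely_on": bool(dup), "payload_on_outer": dup}


# Constructed samples mirroring Case 1 (filtertunnel=0) and Case 2 (filtertunnel=1).
CASE1_OFF = """
pass in on wan: ESP
pass in on enc0: ICMP echo request
pass out on enc0: ICMP echo reply
pass out on wan: ESP
"""

CASE2_ON = """
pass in on wan: ESP
pass in on enc0: ICMP echo request
pass in on wan: ICMP echo request      # this is the diff
pass out on enc0: ICMP echo reply
pass out on wan: ESP
"""

if __name__ == "__main__":
    for name, sample in (("Case 1", CASE1_OFF), ("Case 2", CASE2_ON)):
        print(name, diagnose(sample))
```

A non-empty payload_on_outer list means the rules attached to the outer interface are evaluated against decrypted IPsec payload too, which is the situation the reporter observed; an empty list is consistent with the payload being visible only on enc0.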