NAT before IPSEC - reply packets stuck at enc0
Muenz, Michael
m.muenz at spam-fetish.org
Wed Jul 19 14:02:57 UTC 2017
On 19.07.2017 at 15:35, Andrey V. Elsukov wrote:
>> Check what you will see if you set net.enc.in.ipsec_bpf_mask=3.
>> You should see the reply two times, the second one should be with
>> translated address.
>>
Correct:
16:01:02.222400 (authentic,confidential): SPI 0xd544e311: IP 10.26.1.1 > 10.24.66.25: ICMP echo request, id 64725, seq 0, length 8
16:01:02.230544 (authentic,confidential): SPI 0xc5769504: IP 81.24.1.1 > 213.244.2.2: IP 10.24.66.25 > 10.26.1.1: ICMP echo reply, id 64725, seq 0, length 8 (ipip-proto-4)
16:01:02.230553 (authentic,confidential): SPI 0xc5769504: IP 10.24.66.25 > 10.26.1.1: ICMP echo reply, id 64725, seq 0, length 8
More information about the freebsd-net mailing list