NAT before IPSEC - reply packets stuck at enc0
Andrey V. Elsukov
bu7cher at yandex.ru
Fri Jul 21 11:11:00 UTC 2017
On 21.07.2017 13:59, Muenz, Michael wrote:
> On 19.07.2017 at 15:35, Andrey V. Elsukov wrote:
>>
>> Check what you will see if you set net.enc.in.ipsec_bpf_mask=3.
>> You should see the reply two times, the second one should be with
>> translated address.
>>
> Googling around with "nat before ipsec" and freebsd shows many topics
> like this.
> It seems with 11.0 release there were some significant changes to enc
> which made this impossible.
The only significant change to enc(4) was making it loadable. From the
other side it still works as before. Another problem is PF-specific: PF does
if_output() after translation by itself, and there is no chance for IPsec
to finish encryption. The third problem mentioned here (deadlock in pf) is
also PF-specific, and I'm not sure that it worked well before.
With ipfw(4) it should work, at least on FreeBSD. pfSense/OPNsense have
their own patches, so I don't know what can be wrong there.
--
WBR, Andrey V. Elsukov
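The check Andrey proposes above (set net.enc.in.ipsec_bpf_mask=3, then watch enc0 for the reply appearing twice, the second copy with the translated address) can be scripted. The following is an added example, not code from the list post or from FreeBSD; it assumes the tunnel interface is enc0, that the host behind NAT is 10.0.0.5 and its translated address 203.0.113.1 (both constructed), and that the sysctl and tcpdump steps are only run on the FreeBSD gateway, so they sit in their own functions while the capture parser runs anywhere on a constructed sample:

```shell
#!/bin/sh
# Added example (not from the list post): make the enc(4) tap show a reply
# both before and after NAT, then check a capture for the two copies.
# Assumptions (mine, not the page's): the tunnel is on enc0, the host behind
# NAT is INNER and its translated address is OUTER; the sysctl/tcpdump
# functions only make sense on a FreeBSD box and are not run by default.

ENC_IF=${ENC_IF:-enc0}

# Tap packets at both enc(4) points (value 3 = both bits set), which is the
# setting the reply above asks for; the packet is then handed to bpf twice,
# so each reply shows up twice on enc0.
tap_both_points() {
    sysctl net.enc.in.ipsec_bpf_mask=3
}

# Capture a handful of packets on enc0 involving the inner host and print
# them in tcpdump's text form so check_translation can read them.
capture_enc0() {
    tcpdump -nli "$ENC_IF" -c "${2:-20}" host "$1"
}

# check_translation INNER OUTER < capture
# Reads tcpdump text on stdin. Returns 0 if the reply is seen both with the
# pre-NAT source (INNER) and with the translated source (OUTER), i.e. NAT
# ran before the packet reached IPsec. Returns 1 otherwise.
check_translation() {
    inner=$1
    outer=$2
    capture=$(cat)
    # tcpdump prints "IP <src>.<port> > <dst>.<port>", so anchor on "IP <addr>."
    before=$(printf '%s\n' "$capture" | grep -Fc "IP $inner." || true)
    after=$(printf '%s\n' "$capture" | grep -Fc "IP $outer." || true)
    [ "$before" -ge 1 ] && [ "$after" -ge 1 ]
}

# Constructed sample in the shape tcpdump prints on enc0; these lines are
# made up for the demo and are not a real capture.
SAMPLE='12:00:00.000001 (authentic,confidential): SPI 0x00001001: IP 10.0.0.5.22 > 192.168.1.10.51000: Flags [S.], seq 1, ack 1, win 65535, length 0
12:00:00.000002 (authentic,confidential): SPI 0x00001001: IP 203.0.113.1.22 > 192.168.1.10.51000: Flags [S.], seq 1, ack 1, win 65535, length 0'

if printf '%s\n' "$SAMPLE" | check_translation 10.0.0.5 203.0.113.1; then
    echo "reply seen untranslated and translated: NAT ran before IPsec"
else
    echo "translated copy missing: NAT did not run before IPsec on enc0"
fi
```

On the gateway itself the live form is `tap_both_points && capture_enc0 10.0.0.5 | check_translation 10.0.0.5 203.0.113.1`; a non-zero exit means only the untranslated copy reached enc0, which is the symptom the thread describes for the pf path.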