[Bug 248474] NAT broken on IPsec/VTI [if_ipsec]

bugzilla-noreply at freebsd.org bugzilla-noreply at freebsd.org
Wed Aug 5 07:56:23 UTC 2020


https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=248474

--- Comment #4 from Eugene Grosbein <eugen at freebsd.org> ---
Created attachment 217021
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=217021&action=edit
strongswan work-around patch

Also, it is possible you hit an obscure problem in kernel+strongswan co-operation:
strongswan unconditionally uses IPSEC_LEVEL_UNIQUE while talking to the kernel, which
may be inappropriate for setups similar to yours.

Sadly, strongswan has no configuration option giving the user the opportunity to switch to
IPSEC_LEVEL_USE, which solves the problem. Here I attach a quick-n-dirty
work-around patch for strongswan.

You should save it to
/usr/ports/security/strongswan/files/patch-kernel_pfkey_ipsec.c and
rebuild/reinstall strongswan. Neither strongswan nor pf reconfiguration is required.

Please try it and report back.

-- 
You are receiving this mail because:
You are the assignee for the bug.
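An added example, not part of the comment above, not the attached patch (which this page does not reproduce) and not strongswan's code: it shows where the policy level the comment talks about lives inside the PF_KEY SADB_X_EXT_POLICY extension that an IKE daemon sends to the kernel's SPD, and what switching IPSEC_LEVEL_UNIQUE to IPSEC_LEVEL_USE changes in that message. The struct layouts and constant values are reproduced here (assumption: copied from the PF_KEY v2 policy extension as declared in FreeBSD's net/pfkeyv2.h and netipsec/ipsec.h) so the program builds without kernel headers; the claim that reqid is only honoured for unique-level policies is my understanding of the kernel's SPD parser, not something the page states. The function names are the example's own.

```c
/* Added example: encode/decode the PF_KEY policy extension and flip the
 * level byte. Not from the page, the attachment, or strongswan.
 * Assumption: layouts/constants below match FreeBSD's net/pfkeyv2.h and
 * netipsec/ipsec.h; they are copied so this builds stand-alone. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SADB_X_EXT_POLICY     18
#define IPSEC_POLICY_IPSEC     2
#define IPSEC_DIR_OUTBOUND     2
#define IPSEC_MODE_TRANSPORT   1   /* fixed-size request; tunnel mode appends endpoints */
#define IPPROTO_ESP_NUM       50
#define IPSEC_LEVEL_USE        1
#define IPSEC_LEVEL_REQUIRE    2
#define IPSEC_LEVEL_UNIQUE     3

struct sadb_x_policy {            /* 16 bytes */
    uint16_t sadb_x_policy_len;   /* whole extension, in 8-byte units */
    uint16_t sadb_x_policy_exttype;
    uint16_t sadb_x_policy_type;
    uint8_t  sadb_x_policy_dir;
    uint8_t  sadb_x_policy_scope;
    uint32_t sadb_x_policy_id;
    uint32_t sadb_x_policy_priority;
};

struct sadb_x_ipsecrequest {      /* 8 bytes, one per transform */
    uint16_t sadb_x_ipsecrequest_len;   /* this request, in bytes */
    uint16_t sadb_x_ipsecrequest_proto;
    uint8_t  sadb_x_ipsecrequest_mode;
    uint8_t  sadb_x_ipsecrequest_level; /* the byte the work-around changes */
    uint16_t sadb_x_ipsecrequest_reqid; /* binds policy to one SA pair (unique only) */
};

/* Encode an outbound ESP policy at the given level; 0 on bad input. */
size_t build_esp_policy(uint8_t *buf, size_t cap, uint8_t level, uint16_t reqid)
{
    struct sadb_x_policy pol;
    struct sadb_x_ipsecrequest req;
    const size_t total = sizeof pol + sizeof req;   /* 24 bytes, 8-aligned */
    if (cap < total || level < IPSEC_LEVEL_USE || level > IPSEC_LEVEL_UNIQUE)
        return 0;
    memset(&pol, 0, sizeof pol);
    pol.sadb_x_policy_len     = (uint16_t)(total / 8);
    pol.sadb_x_policy_exttype = SADB_X_EXT_POLICY;
    pol.sadb_x_policy_type    = IPSEC_POLICY_IPSEC;
    pol.sadb_x_policy_dir     = IPSEC_DIR_OUTBOUND;
    memset(&req, 0, sizeof req);
    req.sadb_x_ipsecrequest_len   = sizeof req;
    req.sadb_x_ipsecrequest_proto = IPPROTO_ESP_NUM;
    req.sadb_x_ipsecrequest_mode  = IPSEC_MODE_TRANSPORT;
    req.sadb_x_ipsecrequest_level = level;
    /* Assumption: the kernel only keeps reqid for IPSEC_LEVEL_UNIQUE, so it
     * is zeroed for USE/REQUIRE, where any matching SA may carry the flow. */
    req.sadb_x_ipsecrequest_reqid = (level == IPSEC_LEVEL_UNIQUE) ? reqid : 0;
    memcpy(buf, &pol, sizeof pol);
    memcpy(buf + sizeof pol, &req, sizeof req);
    return total;
}

/* Decode level (and reqid), validating every length before trusting it.
 * Returns the level, or -1 if the extension is malformed. */
int policy_level(const uint8_t *buf, size_t len, uint16_t *reqid_out)
{
    struct sadb_x_policy pol;
    struct sadb_x_ipsecrequest req;
    if (len < sizeof pol) return -1;
    memcpy(&pol, buf, sizeof pol);
    size_t ext = (size_t)pol.sadb_x_policy_len * 8;
    if (pol.sadb_x_policy_exttype != SADB_X_EXT_POLICY || ext > len ||
        ext < sizeof pol + sizeof req) return -1;
    memcpy(&req, buf + sizeof pol, sizeof req);
    if (req.sadb_x_ipsecrequest_len < sizeof req ||
        req.sadb_x_ipsecrequest_len > ext - sizeof pol ||
        req.sadb_x_ipsecrequest_level > IPSEC_LEVEL_UNIQUE) return -1;
    if (reqid_out) *reqid_out = req.sadb_x_ipsecrequest_reqid;
    return req.sadb_x_ipsecrequest_level;
}

/* Illustration of the effect described in the comment (unique -> use);
 * the real attachment patches strongswan's sender, this edits the message. */
int relax_unique_to_use(uint8_t *buf, size_t len)
{
    uint16_t reqid;
    int level = policy_level(buf, len, &reqid);
    if (level != IPSEC_LEVEL_UNIQUE) return level;
    buf[sizeof(struct sadb_x_policy) + 5] = IPSEC_LEVEL_USE; /* level byte */
    memset(buf + sizeof(struct sadb_x_policy) + 6, 0, 2);     /* reqid */
    return policy_level(buf, len, NULL);
}

/* Scalar helpers so the behaviour can be checked directly. */
int roundtrip_level(uint8_t level, uint16_t reqid)
{
    uint8_t buf[32]; uint16_t r;
    size_t n = build_esp_policy(buf, sizeof buf, level, reqid);
    return n ? policy_level(buf, n, &r) : -1;
}
int roundtrip_reqid(uint8_t level, uint16_t reqid)
{
    uint8_t buf[32]; uint16_t r = 0xffff;
    size_t n = build_esp_policy(buf, sizeof buf, level, reqid);
    return (n && policy_level(buf, n, &r) >= 0) ? (int)r : -1;
}
int relaxed_level(void)
{
    uint8_t buf[32];
    size_t n = build_esp_policy(buf, sizeof buf, IPSEC_LEVEL_UNIQUE, 7);
    return relax_unique_to_use(buf, n);
}
int truncated_rejected(void)
{
    uint8_t buf[32]; uint16_t r;
    size_t n = build_esp_policy(buf, sizeof buf, IPSEC_LEVEL_UNIQUE, 7);
    return n == 24 && policy_level(buf, 20, &r) == -1;
}

int main(void)
{
    printf("unique: level=%d reqid=%d\n", roundtrip_level(3, 7), roundtrip_reqid(3, 7));
    printf("use:    level=%d reqid=%d\n", roundtrip_level(1, 7), roundtrip_reqid(1, 7));
    printf("after work-around: level=%d\n", relaxed_level());
    return 0;
}
```

The point to take away: a unique-level policy carries a reqid that ties the flow to one specific SA pair, so a mismatch between what the daemon negotiated and what if_ipsec/pf expect shows up as traffic matching the policy but no usable SA; a use-level policy lets any matching SA carry it.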

