[Bug 248474] NAT broken on IPsec/VTI [if_ipsec]

bugzilla-noreply at freebsd.org bugzilla-noreply at freebsd.org
Wed Aug 5 14:20:40 UTC 2020


https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=248474

Andrey V. Elsukov <ae at FreeBSD.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |kp at freebsd.org

--- Comment #9 from Andrey V. Elsukov <ae at FreeBSD.org> ---
(In reply to Michael Muenz from comment #8)

AFAIK, pf NAT and route-to rules work as the last point in the network stack, i.e.
pf doesn't reinject the packet back into the stack and there is no way for IPsec to
catch the packet to make the IPsec transformation. If you want to make it work,
you need to patch pf(4) and add IPSEC_OUTPUT()/IPSEC_FORWARD() methods at the
points where pf sends to the network interface, like the IP output routines do.
Probably some changes are also required in the inbound path.

I don't think that the proposed change for strongswan will help.

-- 
You are receiving this mail because:
You are the assignee for the bug.


More information about the freebsd-net mailing list