On 21.07.2017 13:59, Muenz, Michael wrote:
> On 19.07.2017 at 15:35, Andrey V. Elsukov wrote:
>>
>> Check what you will see if you set net.enc.in.ipsec_bpf_mask=3.
>> You should see the reply two times, the second one should be with
>> translated address.
>>
> Googling around with "nat before ipsec" and freebsd shows many topics
> like this.
> It seems with 11.0 release there were some significant changes to enc
> which made this impossible.
The only significant change to enc(4) was making it loadable. On the other hand, it still works as before. Another problem is PF-specific: PF does if_output() after translation by itself, and there is no chance for IPsec to finish encryption. The third problem mentioned here (the deadlock in pf) is also PF-specific, and I'm not sure that it worked well before. With ipfw(4) it should work, at least on FreeBSD. pfSense/OPNsense have their own patches, so I don't know what can be wrong there.

-- 
WBR, Andrey V. Elsukov