On 21.07.2017 at 13:08, Andrey V. Elsukov wrote:
On 21.07.2017 13:59, Muenz, Michael wrote:
On 19.07.2017 at 15:35, Andrey V. Elsukov wrote:
Check what you will see if you set net.enc.in.ipsec_bpf_mask=3.
You should see the reply twice; the second one should carry the
translated address.
Googling around with "nat before ipsec" and freebsd shows many topics
like this.
It seems that with the 11.0 release there were some significant changes to enc
which made this impossible.
The only significant change to enc(4) was making it loadable. Otherwise
it still works as before. Another problem is PF-specific: PF does
if_output() after translation by itself, and there is no chance for IPsec
to finish encryption. The third problem mentioned here (deadlock in pf) is
also PF-specific, and I'm not sure that it worked well before.
With ipfw(4) it should work, at least on FreeBSD. pfsense/opensense have
their own patches, so I don't know what can be wrong there.
I know the problems with pf and FreeBSD, that's why I'm focusing on ipfw.
So ipfw without natd, with Strongswan as the IPsec implementation,
should work as expected?
Then I'll try to spend more time investigating with sysctl, but I think
I have tested every combination.
Really appreciate your help, thanks!
Michael
freebsd-net@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-net