On 22.07.2017 08:36, Muenz, Michael wrote:
> Am 21.07.2017 um 13:08 schrieb Andrey V. Elsukov:
>>
>> With ipfw(4) it should work, at least on FreeBSD. pfSense/OPNsense have
>> their own patches, so I don't know what can be wrong there.
>>
> 
> I also tried 11.0 and 11.1-RC3 vanilla kernels, no luck.
> Will build a test setup with the OPNsense devs.
> 
> I'm still positive that this can't be a huge issue.
> 
> Thanks for your efforts Andrey!

OK, let's try to debug the problem. Please use 11.1-RC; it has a
significantly changed IPsec stack.

Apply the attached patch to if_enc(4); it makes if_enc a bit more useful for
debugging your problem. You need to rebuild and reinstall
sys/modules/if_enc.

Now enable verbose BPF logging:
net.enc.out.ipsec_bpf_mask=3
net.enc.in.ipsec_bpf_mask=3

According to your tcpdump output, you need to set
net.enc.out.ipsec_filter_mask=2

Show what you see in the `tcpdump -nvi enc0` output with these config
options. Also show what you have in the `sysctl net.inet.ip.fw` and
`ipfw show` output.

-- 
WBR, Andrey V. Elsukov
Index: sys/net/if_enc.c
===================================================================
--- sys/net/if_enc.c	(revision 321414)
+++ sys/net/if_enc.c	(working copy)
@@ -223,10 +223,11 @@ enc_hhook(int32_t hhook_type, int32_t hhook_id, vo
 	if (ctx->af != hhook_id)
 		return (EPFNOSUPPORT);
 
-	if (((hhook_type == HHOOK_TYPE_IPSEC_IN &&
-	    (ctx->enc & V_bpf_mask_in) != 0) ||
+	if ((ctx->enc & IPSEC_ENC_BEFORE) != 0 && (
+	    (hhook_type == HHOOK_TYPE_IPSEC_IN &&
+	    (V_bpf_mask_in & IPSEC_ENC_BEFORE) != 0) ||
 	    (hhook_type == HHOOK_TYPE_IPSEC_OUT &&
-	    (ctx->enc & V_bpf_mask_out) != 0)) &&
+	    (V_bpf_mask_out & IPSEC_ENC_BEFORE) != 0)) &&
 	    bpf_peers_present(ifp->if_bpf) != 0) {
 		hdr.af = ctx->af;
 		hdr.spi = ctx->sav->spi;
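Review bot: the rewritten condition now requires IPSEC_ENC_BEFORE in both `ctx->enc` and the per-direction mask, whereas the old `(ctx->enc & V_bpf_mask_in) != 0` test fired on any common bit; bit 2 (IPSEC_ENC_AFTER) no longer taps at this point at all, which is a semantic change for anyone already using ipsec_bpf_mask, so the sysctl description strings and enc(4) should say that bit 1 taps before the pfil hooks run and bit 2 after them. The three-level nest of `&&`/`||` is also hard to read and is repeated further down with only the constant changed; a small helper such as `enc_bpf_wanted(hhook_type, ctx, IPSEC_ENC_BEFORE)` returning a bool would turn both sites into one line.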
@@ -290,6 +291,23 @@ enc_hhook(int32_t hhook_type, int32_t hhook_id, vo
 		return (EACCES);
 	}
 	(*ctx->mp)->m_pkthdr.rcvif = rcvif;
+
+	if ((ctx->enc & IPSEC_ENC_AFTER) != 0 && (
+	    (hhook_type == HHOOK_TYPE_IPSEC_IN &&
+	    (V_bpf_mask_in & IPSEC_ENC_AFTER) != 0) ||
+	    (hhook_type == HHOOK_TYPE_IPSEC_OUT &&
+	    (V_bpf_mask_out & IPSEC_ENC_AFTER) != 0)) &&
+	    bpf_peers_present(ifp->if_bpf) != 0) {
+		hdr.af = ctx->af;
+		hdr.spi = ctx->sav->spi;
+		hdr.flags = 0;
+		if (ctx->sav->alg_enc != SADB_EALG_NONE)
+			hdr.flags |= M_CONF;
+		if (ctx->sav->alg_auth != SADB_AALG_NONE)
+			hdr.flags |= M_AUTH;
+		bpf_mtap2(ifp->if_bpf, &hdr, sizeof(hdr), *ctx->mp);
+	}
+
 	return (0);
 }
 
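Review bot: the new tap sits after the `return (EACCES)` on the filtered path, so a packet that pfil drops is never seen on enc0 at the after stage. That is useful for this debugging session (tcpdump now shows exactly what ipfw let through, as modified), but it is also the case a user chasing a drop is most likely to misread as "the packet never arrived", so state it in the commit message and in the sysctl description. The thirteen lines that fill `hdr` (af, spi, M_CONF/M_AUTH from alg_enc/alg_auth) and call `bpf_mtap2()` duplicate the block at the top of the function verbatim apart from IPSEC_ENC_AFTER; move them into a static helper, e.g. `enc_bpf_tap(ifp, ctx)`, called from both places so the flag mapping cannot drift between the two copies. The tap correctly dereferences `*ctx->mp` rather than a pointer saved before the filter ran, matching the `rcvif` assignment just above it; a one-line comment saying the filter may have replaced the mbuf would help the next reader.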

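To make sense of the `tcpdump -nvi enc0` output requested above it helps to know exactly what the `bpf_mtap2(ifp->if_bpf, &hdr, sizeof(hdr), *ctx->mp)` call in the patch puts in front of every captured packet. The following is an added example, not code from this post or from FreeBSD: it builds a frame the way enc_hhook() does and decodes it back, so you can see which fields are host byte order (af, flags) and which are network byte order (spi, because that is how sav->spi is stored). The struct enchdr layout and the M_CONF/M_AUTH values (0x0400, 0x0800) follow sys/net/if_enc.h; `enc_build_frame()`, `enc_decode_sample()` and the 20-byte IPv4 header are constructed for this demonstration.

```c
/*
 * Added example, not code from this post or from FreeBSD: decode the
 * DLT_ENC header that if_enc(4) prepends to each packet it hands to BPF
 * via bpf_mtap2(), i.e. what `tcpdump -nvi enc0` receives.  The struct
 * enchdr layout (af, spi, flags) and the M_CONF/M_AUTH values follow
 * sys/net/if_enc.h; enc_build_frame() and the sample IPv4 header are
 * constructed for this demonstration.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ENC_HDRLEN	12
#define ENC_M_CONF	0x0400	/* payload was encrypted (ESP) */
#define ENC_M_AUTH	0x0800	/* payload was authenticated (AH or ESP auth) */
#define ENC_AF_INET	2
#define ENC_AF_INET6	28	/* FreeBSD's AF_INET6 */

struct enc_info {
	uint32_t af;		/* address family, host byte order */
	uint32_t spi;		/* SPI, host byte order */
	int confidential;	/* M_CONF was set */
	int authentic;		/* M_AUTH was set */
	const uint8_t *payload;	/* first byte of the IP packet */
	size_t payload_len;
};

/*
 * Parse one enc0 frame.  af and flags are host order (the kernel copies
 * struct enchdr as is); spi is network order (sav->spi is stored that way).
 * Returns 0, or -1 on a short frame or a family if_enc never emits.
 */
int
enc_decode(const uint8_t *buf, size_t len, struct enc_info *out)
{
	uint32_t af, flags;

	if (buf == NULL || out == NULL || len < ENC_HDRLEN)
		return (-1);
	memcpy(&af, buf, sizeof(af));
	memcpy(&flags, buf + 8, sizeof(flags));
	if (af != ENC_AF_INET && af != ENC_AF_INET6)
		return (-1);
	out->af = af;
	out->spi = ((uint32_t)buf[4] << 24) | ((uint32_t)buf[5] << 16) |
	    ((uint32_t)buf[6] << 8) | buf[7];
	out->confidential = (flags & ENC_M_CONF) != 0;
	out->authentic = (flags & ENC_M_AUTH) != 0;
	out->payload = buf + ENC_HDRLEN;
	out->payload_len = len - ENC_HDRLEN;
	return (0);
}

/* Build a frame as enc_hhook() does; returns bytes written, 0 if no room. */
size_t
enc_build_frame(uint8_t *buf, size_t bufsz, uint32_t af, uint32_t spi,
    uint32_t flags, const uint8_t *pkt, size_t pktlen)
{
	if (buf == NULL || bufsz < ENC_HDRLEN + pktlen)
		return (0);
	memcpy(buf, &af, sizeof(af));			/* host order */
	buf[4] = (uint8_t)(spi >> 24); buf[5] = (uint8_t)(spi >> 16);
	buf[6] = (uint8_t)(spi >> 8);  buf[7] = (uint8_t)spi; /* network order */
	memcpy(buf + 8, &flags, sizeof(flags));	/* host order */
	memcpy(buf + ENC_HDRLEN, pkt, pktlen);
	return (ENC_HDRLEN + pktlen);
}

/* Constructed sample: a bare 20-byte IPv4 header, protocol 50 (ESP). */
static const uint8_t sample_ip[20] = {
	0x45, 0x00, 0x00, 0x14, 0x00, 0x00, 0x40, 0x00, 0x40, 0x32,
	0x00, 0x00, 10, 0, 0, 1, 10, 0, 0, 2
};

/* Tap the sample as an ESP packet with SPI 0xc0ffee01, then decode it. */
int
enc_decode_sample(struct enc_info *out)
{
	static uint8_t frame[ENC_HDRLEN + sizeof(sample_ip)];
	size_t n = enc_build_frame(frame, sizeof(frame), ENC_AF_INET,
	    0xc0ffee01u, ENC_M_CONF | ENC_M_AUTH, sample_ip, sizeof(sample_ip));

	return (n == 0 ? -1 : enc_decode(frame, n, out));
}

int
main(void)
{
	struct enc_info i;
	uint8_t trunc[ENC_HDRLEN - 1] = { 0 };

	if (enc_decode_sample(&i) != 0)
		return (1);
	printf("%s (%s%s): SPI 0x%08x: %zu-byte packet, inner IP version %u\n",
	    i.af == ENC_AF_INET ? "IP" : "IP6",
	    i.authentic ? "authentic," : "", i.confidential ? "confidential" : "",
	    i.spi, i.payload_len, (unsigned)(i.payload[0] >> 4));
	/* A frame shorter than the enchdr is rejected rather than read past. */
	return (enc_decode(trunc, sizeof(trunc), &i) == -1 ? 0 : 1);
}
```

The same 12-byte header is what a pcap file written from enc0 carries (link type DLT_ENC), so the decoder applies to saved captures as well as live ones; because af and flags are written in the capturing host's byte order, a file moved between hosts of different endianness has to be byte-swapped for those two fields but not for spi.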