https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=248474

Andrey V. Elsukov <a...@freebsd.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |k...@freebsd.org

--- Comment #9 from Andrey V. Elsukov <a...@freebsd.org> ---
(In reply to Michael Muenz from comment #8)

AFAIK, pf NAT and route-to rules work as the last point in the network stack, i.e.
pf doesn't reinject the packet back into the stack and there is no way for IPsec to
catch the packet to make the IPsec transformation. If you want to make it work,
you need to patch pf(4) and add IPSEC_OUTPUT()/IPSEC_FORWARD() methods to some
points where pf sends to the network interface, like IP output routines do.
Probably some changes are also required in the inbound path.

I don't think that the change proposed for strongswan will help.

-- 
You are receiving this mail because:
You are the assignee for the bug.
_______________________________________________
freebsd-net@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"
