25.09.2021 03:31, Eugene Grosbein wrote:
> I know three main reasons that may prevent firewall+IPSec from working as
> expected:
>
> 1) for incoming packets: the kernel could drop an incoming packet within the ipsec code,
> incrementing one of the counters shown with the "netstat -sp ipsec" command,
> so you should check it out first;
>
> 2) for both outgoing and incoming packets there could be a processing order
> problem:
> packets are processed first by the pfil(9) framework (so pf/ipfw have a chance to do
> NAT etc.)
> and only then sent to ipsec(4) to transform (in FreeBSD 11 at least), not
> vice versa.

AFAIK, pf does not send packets to IPsec processing after NAT. You need to
do the translation after IPsec processing using the if_enc interface.

> 3) also read the if_enc(4) manual page to get familiar with the net.enc.out.* and
> net.enc.in.* sysctl family,
> as it may affect this, too. If you do not use the enc(4) pseudo-interface, make sure
> you changed the defaults to:
>
> net.enc.in.ipsec_filter_mask=0
> net.enc.out.ipsec_filter_mask=0

Another important variable that needs attention is net.inet.ipsec.filtertunnel.

-- 
WBR, Andrey V. Elsukov
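The two checks the thread recommends (look at the ipsec drop counters first, then verify the enc(4) sysctls) can be scripted. The following is an added example, not code from either poster: it audits sysctl-style "name: value" lines against the values quoted above, reports net.inet.ipsec.filtertunnel without asserting a value (the thread gives none), and lists every non-zero counter from `netstat -sp ipsec` output. The sample inputs are constructed stand-ins for the live commands; the counter labels are modelled on netstat's wording but are not real captured output.

```shell
#!/bin/sh
# Added example: audit the FreeBSD IPsec+pfil knobs discussed in the thread.
# Sample data is constructed; on a real host pipe the live commands instead:
#   sysctl net.enc net.inet.ipsec.filtertunnel | check_enc_sysctls
#   netstat -sp ipsec | nonzero_ipsec_counters

# Constructed sysctl output (values deliberately left at non-recommended settings).
SAMPLE_SYSCTL='net.enc.in.ipsec_filter_mask: 1
net.enc.out.ipsec_filter_mask: 1
net.inet.ipsec.filtertunnel: 0'

# Constructed "netstat -sp ipsec" output; only the leading number matters here.
SAMPLE_IPSEC_STATS='ipsec:
    0 inbound packets violated process security policy
    12 inbound packets failed due to insufficient memory
    0 outbound packets violated process security policy
    3 outbound packets with no SA available'

# Read "name: value" lines on stdin; print one line per knob that deviates from
# the thread's recommendation (masks = 0 when enc(4) is not used), and always
# report filtertunnel so the operator sees it.
check_enc_sysctls() {
    awk -F': *' '
        $1 == "net.enc.in.ipsec_filter_mask"  && $2 != 0 { print $1 " is " $2 ", expected 0 without enc(4)" }
        $1 == "net.enc.out.ipsec_filter_mask" && $2 != 0 { print $1 " is " $2 ", expected 0 without enc(4)" }
        $1 == "net.inet.ipsec.filtertunnel" { print $1 " is " $2 " (review against your filtering design)" }
    '
}

# Read netstat -sp ipsec output on stdin; print every counter line whose
# value is non-zero, which is where kernel-side IPsec drops show up.
nonzero_ipsec_counters() {
    awk '$1 ~ /^[0-9]+$/ && $1 != 0 { sub(/^[ \t]+/, ""); print }'
}

# Convenience driver over the constructed samples.
audit_ipsec_filtering() {
    printf '%s\n' "$SAMPLE_SYSCTL" | check_enc_sysctls
    printf '%s\n' "$SAMPLE_IPSEC_STATS" | nonzero_ipsec_counters
}

audit_ipsec_filtering
```

On the constructed sample this prints two mask mismatches, the filtertunnel line, and the two non-zero counters; a clean host prints only the filtertunnel line.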