On 21 Mar 2017, at 12:44, Miroslav Lachman wrote:
Kristof Provost wrote on 2017/03/21 10:18:
On 21 Mar 2017, at 9:43, Marin Bernard wrote:

If there is no SA, it is impossible for a peer to ping another. As soon
as IKE creates a SA, however, ping starts working. As you can see,
the last rule is explicitly bound to the inexistent enc0 interface, and
yet is working fine.

Can you try without the enc0 rule? I suspect that what's happening here
is that the IPSec traffic is bypassing the firewall altogether. If that's
the case then your traffic will still flow, even without the pass on enc0
rule.

If you want to filter on it, it should work if you add 'device enc' to your
kernel config. The man page suggests that should then allow you to filter
IPSec traffic on enc0.

Shouldn't it be included in GENERIC if IPSec is now part of it? It seems
illogical to build one's own kernel for IPsec if IPSec was included in
GENERIC for 11.0 ... but without enc.

Yeah, perhaps it should be.

I've not used it myself, so I don't know if/how well it works now, but
unless it breaks things or introduces significant performance regressions
we should probably turn it on too.

Martin, could you give us an idea of how well this works for you when you’ve
got the time to set it up?

Regards,
Kristof
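
As an added example, not part of the thread, here are the two pieces
Kristof's reply describes side by side: the kernel config line that
exposes decapsulated IPsec traffic on enc0, and a pf.conf that filters it
there. The kernel name, interface name and the 10.0.x.0/24 networks are
constructed assumptions.

```conf
# /usr/src/sys/amd64/conf/MYKERNEL  (custom kernel config, assumed name)
include GENERIC
ident   MYKERNEL
device  enc          # without this line pf never sees the tunnelled traffic

# /etc/pf.conf  (constructed example; addresses are assumptions)
ext_if     = "em0"
local_lan  = "10.0.1.0/24"
remote_lan = "10.0.2.0/24"

# IKE and ESP between the gateways still arrive on the physical interface
pass in on $ext_if proto udp from any to ($ext_if) port { 500, 4500 }
pass in on $ext_if proto esp from any to ($ext_if)

# Decapsulated tunnel traffic shows up on enc0 once the SA exists.
# pf is last-match, so the default block comes first and the
# specific pass rules after it.
block in log on enc0
pass in on enc0 inet proto icmp from $remote_lan to $local_lan
pass in on enc0 inet proto tcp  from $remote_lan to $local_lan port 22
```

After loading the ruleset, `pfctl -vsr` shows per-rule packet counters,
so a ping across the tunnel should increment the enc0 icmp rule rather
than only the ESP rule on the physical interface.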
_______________________________________________
freebsd-pf@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "freebsd-pf-unsubscr...@freebsd.org"