https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=226411
--- Comment #2 from Eric Dombroski <e...@edombroski.com> ---
################# HOST 1 - ROUTER ###################################
root@fbsd12test1:~ # cat /etc/rc.conf
hostname="fbsd12test1"
ifconfig_vmx0="inet 10.10.10.1 netmask 255.255.255.0"
ifconfig_vmx1="inet 10.6.0.1 netmask 255.255.254.0" #lan is a /23
cloned_interfaces="gre0"
ifconfig_gre0="inet 10.1.0.1 10.1.0.2 netmask 255.255.255.252 tunnel 10.10.10.1 10.10.10.2 link0 up"
gateway_enable="YES"
pf_enable="YES"
pflog_enable="YES"
sshd_enable="YES"
# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
dumpdev="AUTO"
strongswan_enable="YES"

root@fbsd12test1:~ # cat /etc/pf.conf
set block-policy drop
set loginterface egress
set skip on lo0
set skip on gre0 ### has no apparent effect? ###

#default block rules
block log all

# allow in from other host
pass in quick on vmx0 from 10.10.10.0/24

# allow all in from lan subnet
pass in quick from 10.6.0.0/23

# pass all output packets
pass out quick

root@fbsd12test1:~ # cat /usr/local/etc/ipsec.conf
config setup
    uniqueids = yes

conn bypasslan
    leftsubnet = 10.6.0.0/23
    rightsubnet = 10.6.0.0/23
    authby = never
    type = passthrough
    auto = route

conn con1
    fragmentation = yes
    keyexchange = ike
    reauth = yes
    forceencaps = no
    mobike = no
    rekey = yes
    installpolicy = yes
    type = transport
    dpdaction = restart
    dpddelay = 10s
    dpdtimeout = 60s
    auto = route
    left = 10.10.10.1
    right = 10.10.10.2
    leftid = 10.10.10.1
    ikelifetime = 28800s
    lifetime = 3600s
    ike = aes256-sha256-modp4096!
    esp = aes256-sha256-modp4096!
    leftauth = psk
    rightauth = psk
    rightid = 10.10.10.2
    aggressive = no
    rightsubnet = 10.10.10.2
    leftsubnet = 10.10.10.1

root@fbsd12test1:~ # cat /usr/local/etc/ipsec.secrets
# ipsec.secrets - strongSwan IPsec secrets file
%any 10.10.10.2 : PSK "testingtestingtesting"

################# HOST 2 - CLIENT ###################################
root@fbsd12test2:~ # cat /etc/rc.conf
hostname="fbsd12test2"
ifconfig_vmx0="inet 10.10.10.2 netmask 255.255.255.0"
cloned_interfaces="gre0"
ifconfig_gre0="inet 10.1.0.2 10.1.0.1 netmask 255.255.255.252 tunnel 10.10.10.2 10.10.10.1 link0 up"
pf_enable="NO"
sshd_enable="YES"
# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
dumpdev="AUTO"
strongswan_enable="YES"

root@fbsd12test2:~ # cat /usr/local/etc/ipsec.conf
config setup
    uniqueids = yes

conn con1
    fragmentation = yes
    keyexchange = ike
    reauth = yes
    forceencaps = no
    mobike = no
    rekey = yes
    installpolicy = yes
    type = transport
    dpdaction = restart
    dpddelay = 10s
    dpdtimeout = 60s
    auto = route
    left = 10.10.10.2
    right = 10.10.10.1
    leftid = 10.10.10.2
    ikelifetime = 28800s
    lifetime = 3600s
    ike = aes256-sha256-modp4096!
    esp = aes256-sha256-modp4096!
    leftauth = psk
    rightauth = psk
    rightid = 10.10.10.1
    aggressive = no
    rightsubnet = 10.10.10.1
    leftsubnet = 10.10.10.2

root@fbsd12test2:~ # cat /usr/local/etc/ipsec.secrets
# ipsec.secrets - strongSwan IPsec secrets file
%any 10.10.10.1 : PSK "testingtestingtesting"

root@fbsd12test2:~ # route add -net 10.6.0.0/23 10.1.0.2

Test a TCP connection to a host on 10.6.0.0/23 (for instance, 10.6.0.10). The SYN packet gets through, but the ACK doesn't get back.

Also, ICMP traffic is let through even if you remove the pass rules that would let it go through.

-- You are receiving this mail because: You are the assignee for the bug. _______________________________________________ freebsd-pf@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-pf To unsubscribe, send any mail to "freebsd-pf-unsubscr...@freebsd.org"