Bug 201581

Summary: enc0 needs to be up if kernel has it
Product: Base System Reporter: emz
Component: kernAssignee: freebsd-net (Nobody) <net>
Status: New ---    
Severity: Affects Only Me CC: pi, re
Priority: --- Keywords: regression
Version: 10.2-BETA1   
Hardware: Any   
OS: Any   

Description emz 2015-07-15 07:15:44 UTC 
I'm using gre over ipsec to create VPN between remote branch offices.
After upgrading to r285524 ipsec stopped working: SA are inplace, affected router is sending and receiving ipsec packets, neighbor sees incoming and outgoing packets on gre interface, but affected FreeBSD system sees only outgoing packets on gre interface. `netstat -s -p <ah|esp>` doesn't show any errors.

ae@ told me to try to rollback commits 283937 and 283903, I did this, however, this didn't resolve the situation. Right now I'm using backup router with older revision.
Comment 1 emz 2015-07-15 08:39:36 UTC 
After investigation I discovered the following:

- now enc0 needs to be up when processing ipsec, if kernel has it
- net.enc.out.ipsec_filter_mask and net.enc.in.ipsec_filter_mask default to 1, so the ipsec packets go through firewall
- (irrelevant, but still an error) I have "set skip on enc0" in pf.rules file, but upon loading rules I cannot see any occurrences of enc0 in pfctl -vvvs rules.
Comment 2 emz 2015-07-15 08:40:49 UTC 
Follow-up: and man 4 enc doesn't mention it. At least I fail to notice the exact place where it says so.