Bug 161058 - enc(1): enc0 not capturing outgoing IPSEC encrypted transport IPv6 traffic from host
Status: Closed Overcome By Events
Alias: None
Product: Base System
Classification: Unclassified
Component: bin
Version: Unspecified
Hardware: Any Any
: Normal Affects Only Me
Assignee: freebsd-ipfw (Nobody)
Reported: 2011-09-27 05:00 UTC by Matthew Grant
Modified: 2017-01-07 23:51 UTC
Description Matthew Grant 2011-09-27 05:00:16 UTC
Outgoing IPv6 host traffic that is to be encrypted is not being captured by the enc0 device.  IPFW only sees it as esp.  tcpdump cannot see it either.  This is after trying all combinations of the sysctl flags.

/etc/sysctl.conf:

# Set up IPSEC filtering
net.enc.out.ipsec_bpf_mask=0x00000003
net.enc.out.ipsec_filter_mask=0x00000003
net.enc.in.ipsec_bpf_mask=0x00000001
net.enc.in.ipsec_filter_mask=0x00000001
net.inet.ipsec.ecn=1
net.inet.ipsec.filtertunnel=0
net.inet.ip.fw.one_pass=0

This has been tried with IPv6 directly on em0, and over an IPv6 sit6 gif tunnel.

It would be good to get this fixed, as we would like to deploy FreeBSD servers with IPSEC IPv6 encrypted networking.  This is critical for securing the contents of the SPD, as it can supply statefulness when combined with IPSEC matching ipfw or pf properties.

How-To-Repeat:

ifconfig enc0 up. Make sure net.enc.out/in are set to default or as:

net.enc.out.ipsec_bpf_mask=0x00000003
net.enc.out.ipsec_filter_mask=0x00000003
net.enc.in.ipsec_bpf_mask=0x00000001
net.enc.in.ipsec_filter_mask=0x00000001

Incoming IPv6 traffic will be observed, and none of the outgoing traffic from the host.  In the IPv4 equivalent, outgoing traffic will be observed and in ipfw will show up as coming from the enc0 device.  Incoming IPv6 traffic will be matched in ipfw on rules with the 'ipsec' property set.
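The report's repeat steps say to watch enc0 and compare what is seen for inbound versus outbound IPv6. The following is an added diagnostic written for this page; it is not part of the bug report or of FreeBSD. It turns that comparison into a check: it classifies the IPv6 packets in a tcpdump capture on enc0 by direction relative to the host's own address and flags the "inbound seen, outbound missing" condition. It assumes tcpdump(8) is run with -n so addresses print as "SRC.PORT > DST.PORT:"; any enc0-specific prefix before the addresses is ignored because only the "SRC > DST" pair is parsed. The sample capture lines and the host address 2001:db8::10 are constructed, not taken from the report.

```shell
#!/bin/sh
# Added diagnostic for the enc0 symptom in this report (not the report's
# own code, not FreeBSD code). Counts IPv6 packets seen on enc0 by
# direction relative to HOST_ADDR so the "inbound captured, outbound
# missing" condition can be detected from a capture.

# classify_enc0_capture HOST_ADDR < capture-lines
# Prints "in=<n> out=<n>": packets whose destination is HOST_ADDR count as
# inbound, packets whose source is HOST_ADDR as outbound. Lines without a
# "SRC > DST" pair (tcpdump -n shape, assumed) are ignored.
classify_enc0_capture() {
    awk -v host="$1" '
        {
            src = ""; dst = ""
            for (i = 2; i < NF; i++) {
                if ($i == ">") { src = $(i - 1); dst = $(i + 1); break }
            }
            if (src == "") next
            # Strip the ".PORT" suffix (IPv6 addresses contain no dots) and
            # the colon tcpdump prints after the destination.
            sub(/\.[^.]*$/, "", src)
            sub(/\.[^.]*$/, "", dst)
            sub(/:$/, "", dst)
            if (src == host) n_out++
            else if (dst == host) n_in++
        }
        END { printf "in=%d out=%d\n", n_in, n_out }
    '
}

# outbound_missing HOST_ADDR < capture-lines
# Returns 0 (true) when inbound IPv6 packets for the host were captured on
# enc0 but no outbound ones, which is the condition the report describes.
outbound_missing() {
    summary=$(classify_enc0_capture "$1")
    n_in=${summary#in=}; n_in=${n_in%% *}
    n_out=${summary##*out=}
    [ "$n_in" -gt 0 ] && [ "$n_out" -eq 0 ]
}

# live_check HOST_ADDR [COUNT]: capture COUNT IPv6 packets on enc0 and
# classify them. Needs root on a FreeBSD host with enc0 up; it is not run
# against the constructed sample below.
live_check() {
    tcpdump -n -i enc0 -c "${2:-20}" ip6 2>/dev/null | classify_enc0_capture "$1"
}

# Constructed sample capture (not real tcpdump output): two packets arriving
# at the host 2001:db8::10, one unrelated packet, nothing leaving the host.
SAMPLE_CAPTURE='12:00:01.000001 IP6 2001:db8:1::2.51000 > 2001:db8::10.53: Flags [S], seq 1, win 65535
12:00:01.000002 IP6 2001:db8:1::2 > 2001:db8::10: ICMP6, echo request, seq 1
12:00:01.000003 IP6 2001:db8:1::2.51000 > 2001:db8:9::5.53: Flags [S], seq 2, win 65535'

# Running the script prints "in=2 out=0" for the sample and reports the symptom.
printf '%s\n' "$SAMPLE_CAPTURE" | classify_enc0_capture 2001:db8::10
if printf '%s\n' "$SAMPLE_CAPTURE" | outbound_missing 2001:db8::10; then
    echo "symptom present: inbound IPv6 seen on enc0, no outbound"
fi
```

To use it on a real host, bring enc0 up, generate some IPv6 traffic to and from the IPsec peer, and feed `tcpdump -n -i enc0 ip6` output (or `live_check <host-addr>`) to the functions; a healthy enc0 shows non-zero counts in both directions.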
Comment 1 Matthew Grant 2011-09-29 22:29:25 UTC
Hi!

Bug stops outgoing stateful connection tracking over IPSEC from happening as
per IPv4 (IPFW):

IPv6 outgoing traffic is only matched as esp, and the packet does not
appear as per IPv4 as a TCP SYN outgoing on enc0.

IPv4:

cmd="ipfw add"
pif="em0"
p6if="gif0"

# IKE (UDP 500) and ESP between this host and the peer
$cmd 00100 allow udp from 203.79.116.183 500 to me 500 in via $pif
$cmd 00101 allow udp from me 500 to 203.79.116.183 500 out via $pif
$cmd 00120 allow esp from me to 203.79.116.183 out via $pif
$cmd 00121 allow esp from 203.79.116.183 to me in via $pif

$cmd 00190 check-state ipsec

# Decrypted DNS traffic from the peer, matched on the ipsec property
$cmd 00200 allow udp from 203.79.116.183 to me 53 in ipsec via $pif keep-state
$cmd 00210 allow tcp from 203.79.116.183 to me 53 in ipsec via $pif keep-state

$cmd 00220 allow ip4 from me to 203.79.116.183 out keep-state

$cmd 00290 deny log ip from 203.79.116.183 to me in via $pif
$cmd 00291 deny log ip from me to 203.79.116.183 out via $pif


IPv6:
# IKE (UDP 500) and ESP between this host and the peer
$cmd 10100 allow udp from 2001:470:f012:2::2 500 to me6 500 in via $p6if
$cmd 10101 allow udp from me6 500 to 2001:470:f012:2::2 500 out via $p6if
$cmd 10120 allow esp from me6 to 2001:470:f012:2::2 out via $p6if
$cmd 10121 allow esp from 2001:470:f012:2::2 to me6 in via $p6if

$cmd 10180 check-state
# Decrypted DNS traffic from the peer, matched on the ipsec property
$cmd 10200 allow udp from 2001:470:f012:2::2 to me6 53 in ipsec via $p6if keep-state
$cmd 10210 allow tcp from 2001:470:f012:2::2 to me6 53 in ipsec via $p6if keep-state

$cmd 10220 allow ip6 from me6 to 2001:470:f012:2::2 out keep-state

$cmd 10290 deny log ip from 2001:470:f012:2::2 to me6 in via $p6if
$cmd 10291 deny log ip from me6 to 2001:470:f012:2::2 out via $p6if

# Internet name server access
$cmd 10300 allow udp from any to me6 53 in via $p6if
$cmd 10301 allow udp from me6 53 to any out via $p6if
$cmd 10302 allow tcp from any to me6 53 in via $p6if
$cmd 10303 allow tcp from me6 53 to any out via $p6if
Comment 2 Hiren Panchasara freebsd_committer freebsd_triage 2017-01-07 23:51:31 UTC
Much has changed in this area in 6 years. Can you please try and see if this problem still exists and reopen the bug if it does?