Bug 201581 - enc0 needs to be up if kernel has it
Summary: enc0 needs to be up if kernel has it
Status: New
Alias: None
Product: Base System
Classification: Unclassified
Component: kern
Version: 10.2-BETA1
Hardware: Any Any
Importance: --- Affects Only Me
Assignee: freebsd-net (Nobody)
URL:
Keywords: regression
Depends on:
Blocks:
 
Reported: 2015-07-15 07:15 UTC by emz
Modified: 2015-07-26 02:40 UTC

See Also:


Description emz 2015-07-15 07:15:44 UTC
I'm using gre over ipsec to create a VPN between remote branch offices.
After upgrading to r285524 ipsec stopped working: SAs are in place, the affected router is sending and receiving ipsec packets, the neighbor sees incoming and outgoing packets on its gre interface, but the affected FreeBSD system sees only outgoing packets on the gre interface. `netstat -s -p <ah|esp>` doesn't show any errors.

ae@ told me to try to roll back commits 283937 and 283903. I did this; however, it didn't resolve the situation. Right now I'm using a backup router with an older revision.
Comment 1 emz 2015-07-15 08:39:36 UTC
After investigation I discovered the following:

- now enc0 needs to be up when processing ipsec, if kernel has it
- net.enc.out.ipsec_filter_mask and net.enc.in.ipsec_filter_mask default to 1, so the ipsec packets go through firewall
- (irrelevant, but still an error) I have "set skip on enc0" in my pf.rules file, but after loading the rules I cannot see any occurrences of enc0 in pfctl -vvvs rules.
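The following diagnostic script is an added example, not part of the bug report or of FreeBSD itself. It checks for the combination the reporter describes: the kernel has enc(4), enc0 is administratively down, and the `net.enc.in.ipsec_filter_mask` / `net.enc.out.ipsec_filter_mask` sysctls are non-zero, so IPsec traffic is handed to the packet filter through an interface that is not up. The parsing functions take command output as a string so they can be exercised offline; the sample `ifconfig` and `sysctl` strings are constructed (the `flags=41<UP,RUNNING>` form is assumed to match FreeBSD's `ifconfig` output format), and `diagnose_enc0` is the only function that runs real commands. The `pfctl -vs Interfaces` check relies on pfctl marking skipped interfaces with `(skip)`.

```shell
#!/bin/sh
# Added example, not from the bug report: helpers that detect enc0 being down
# while the net.enc.*.ipsec_filter_mask sysctls are non-zero. Sample strings
# below are constructed, not captured from the reporter's system.

# Constructed sample: enc0 present but down (flags=0<>), as after boot.
SAMPLE_ENC0_DOWN='enc0: flags=0<> metric 0 mtu 1536
	groups: enc'

# Constructed sample: enc0 after "ifconfig enc0 up".
SAMPLE_ENC0_UP='enc0: flags=41<UP,RUNNING> metric 0 mtu 1536
	groups: enc'

# Constructed sample of the two sysctls named in the report (both default 1).
SAMPLE_SYSCTL='net.enc.in.ipsec_filter_mask: 1
net.enc.out.ipsec_filter_mask: 1'

# kernel_has_enc OUTPUT: return 0 if an enc0 line is present in ifconfig output.
kernel_has_enc() {
    printf '%s\n' "$1" | grep -q '^enc0: '
}

# enc0_is_up OUTPUT: return 0 if the enc0 flags field contains UP.
enc0_is_up() {
    flags=$(printf '%s\n' "$1" | sed -n 's/^enc0: flags=[^<]*<\([^>]*\)>.*/\1/p')
    case ",$flags," in
        *,UP,*) return 0 ;;
        *)      return 1 ;;
    esac
}

# enc_filter_mask OUTPUT DIR: print the value of net.enc.DIR.ipsec_filter_mask
# (DIR is "in" or "out") from sysctl output; prints nothing if absent.
enc_filter_mask() {
    printf '%s\n' "$1" | sed -n "s/^net\.enc\.$2\.ipsec_filter_mask: *\([0-9]*\).*/\1/p"
}

# enc0_filtered_but_down IFCONFIG_OUTPUT SYSCTL_OUTPUT: return 0 when the kernel
# has enc0, enc0 is down, and either filter mask is non-zero, i.e. the
# combination the report identifies as breaking inbound IPsec traffic.
enc0_filtered_but_down() {
    kernel_has_enc "$1" || return 1
    enc0_is_up "$1" && return 1
    in_mask=$(enc_filter_mask "$2" in)
    out_mask=$(enc_filter_mask "$2" out)
    [ "${in_mask:-0}" -ne 0 ] || [ "${out_mask:-0}" -ne 0 ]
}

# diagnose_enc0: run the real commands on a FreeBSD host and report. It is not
# called at top level, so this file can be sourced on any system.
diagnose_enc0() {
    ifc=$(ifconfig enc0 2>/dev/null) || { echo "kernel has no enc0"; return 0; }
    sc=$(sysctl net.enc.in.ipsec_filter_mask net.enc.out.ipsec_filter_mask)
    if enc0_filtered_but_down "$ifc" "$sc"; then
        echo "enc0 is down but ipsec_filter_mask is non-zero; bring it up with:"
        echo "  ifconfig enc0 up   (persist with ifconfig_enc0=\"up\" in /etc/rc.conf)"
    else
        echo "enc0 state and filter masks look consistent"
    fi
    # pf lists "set skip" interfaces with a (skip) marker under -s Interfaces.
    pfctl -vs Interfaces 2>/dev/null | grep -q 'enc0.*(skip)' \
        || echo "note: pf does not mark enc0 as skipped"
}
```

On the affected host, source the file and call `diagnose_enc0`; the offline functions can be fed saved `ifconfig enc0` and `sysctl` output from a machine you cannot log in to interactively.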
Comment 2 emz 2015-07-15 08:40:49 UTC
Follow-up: and man 4 enc doesn't mention it. At least I fail to notice the exact place where it says so.