Bug 201581 - enc0 needs to be up if kernel has it
Summary: enc0 needs to be up if kernel has it
Status: New
Alias: None
Product: Base System
Classification: Unclassified
Component: kern (show other bugs)
Version: 10.2-BETA1
Hardware: Any Any
: --- Affects Only Me
Assignee: freebsd-net mailing list
URL:
Keywords: regression
Depends on:
Blocks:
 
Reported: 2015-07-15 07:15 UTC by emz
Modified: 2015-07-26 02:40 UTC (History)
2 users (show)

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description emz 2015-07-15 07:15:44 UTC
I'm using gre over ipsec to create VPN between remote branch offices.
After upgrading to r285524 ipsec stopped working: SA are inplace, affected router is sending and receiving ipsec packets, neighbor sees incoming and outgoing packets on gre interface, but affected FreeBSD system sees only outgoing packets on gre interface. `netstat -s -p <ah|esp>` doesn't show any errors.

ae@ told me to try to rollback commits 283937 and 283903, I did this, however, this didn't resolve the situation. Right now I'm using backup router with older revision.
Comment 1 emz 2015-07-15 08:39:36 UTC
After investigation I discovered the following:

- now enc0 needs to be up when processing ipsec, if kernel has it
- net.enc.out.ipsec_filter_mask and net.enc.in.ipsec_filter_mask default to 1, so the ipsec packets go through firewall
- (irrelevant, but still an error) I have "set skip on enc0" in pf.rules file, but upon loading rules I cannot see any occurrences of enc0 in pfctl -vvvs rules.
Comment 2 emz 2015-07-15 08:40:49 UTC
Follow-up: and man 4 enc doesn't mention it. At least I fail to notice the exact place where it says so.