I'm using gre over ipsec to create VPN between remote branch offices.
After upgrading to r285524 ipsec stopped working: SA are inplace, affected router is sending and receiving ipsec packets, neighbor sees incoming and outgoing packets on gre interface, but affected FreeBSD system sees only outgoing packets on gre interface. `netstat -s -p <ah|esp>` doesn't show any errors.
ae@ told me to try to rollback commits 283937 and 283903, I did this, however, this didn't resolve the situation. Right now I'm using backup router with older revision.
After investigation I discovered the following:
- now enc0 needs to be up when processing ipsec, if kernel has it
- net.enc.out.ipsec_filter_mask and net.enc.in.ipsec_filter_mask default to 1, so the ipsec packets go through firewall
- (irrelevant, but still an error) I have "set skip on enc0" in pf.rules file, but upon loading rules I cannot see any occurrences of enc0 in pfctl -vvvs rules.
Follow-up: and man 4 enc doesn't mention it. At least I fail to notice the exact place where it says so.