lan1 - ethernet
vpn1 - if_ipsec

ipfw -c show 10-11
00010 1004 60400 allow tag 999 out recv lan1 xmit vpn1
00011 1004 120720 count esp from me to any out recv lan1 tagged 999

Why does a locally generated IPSEC packet have a recv interface at rule 11?
via gif - in and out
00020 3326 3524078 count tag 999 ip from 216.66.80.26 to me proto 41 in recv ext1
00020 2283 346596 count tag 998 out xmit gif1
00030 2283 392256 count ip from me to 216.66.80.26 proto 41 out xmit ext1 tagged 998
00030 3326 3457558 count in recv gif1 tagged 999

via ng - out only
00020 307807 60722644 count tag 998 udp from any to me src-port 1701 in recv ext1
00020 0 0 count in recv ng_l2tp tagged 998
00030 1273 106932 count tag 999 out xmit ng_l2tp
00030 1273 155306 count udp from me to any dst-port 1701 out xmit ext1 tagged 999
00040 294012 366590329 count tag 997 ip from any to me gre in
00040 0 0 count in recv ng_pptp tagged 997
00050 194140 11160154 count tag 996 out xmit ng_pptp
00050 194239 18957853 count gre from me to any out tagged 996

vif if_ipsec - in and out
00020 28 15344 count tag 992 esp from any to me in
00020 28 13616 count in recv vpn1 tagged 992
00030 6 381 count tag 993 out xmit vpn1
00030 6 752 count esp from me to any out tagged 993

Is this a bug or by design?
Please use mailing lists or web forums to ask such questions and leave Bugzilla for bug reporting. And yes, this is by design. If you have more questions about the difference between ng/l2tp and others, please ask freebsd-net@freebsd.org but supply more details of your setup and packet flow.