Created attachment 198460
Superfluous addition of pfil hooks in if_ipsec.c
A VPN with an if_ipsec VTI does not keep state with the pf firewall. The symptoms are below:
1. If the VTI is on the pf.conf "skip" list, everything works ok!
2. With a "block all" nothing goes out, so works ok!
3. When passing an ssh connection with
"pass out quick on ipsec0 from any to any port ssh keep state"
the ssh connections work, but drop very quickly. When I dump the pf state table,
it is not ESTABLISHED/ESTABLISHED.
4. When I add pfil hooks to if_ipsec.c (see attached patch) everything works ok, but
according to ae it is an additional call to the hook, which is probably why #2 works
The system is now running fine with my hack and is in production, but I can set up a test system and get more info as well as debug.
vimage is present with some fixes ported from current.
Just a guess, did you try to enable net.inet.ipsec.filtertunnel?
I did enable them now :-(. They were enabled before with gif tunnels, but while trying to determine why migrating from gif and ipsec-tools to VTI and strongswan failed, I must have enabled them.
Everything works ok now.
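An added configuration example, not part of the bug report and not taken from FreeBSD's own files, showing the two pieces that together make pf keep state on an if_ipsec VTI: the net.inet.ipsec.filtertunnel sysctl that the thread identifies as the fix, and a stateful pass rule on the tunnel interface. The interface name ipsec0 and the ssh rule are the ones from the report; the macro name vti_if is an assumption, and the set skip line reproduces the workaround from symptom 1 for contrast.

```conf
# /etc/sysctl.conf
# Default is 0. At 0, packets decapsulated from an IPsec tunnel bypass the
# pfil hooks on input, so pf sees only one direction of the flow and the
# state entry never reaches ESTABLISHED:ESTABLISHED (the symptom in the
# report). At 1, the inner packets are filtered on the ipsec(4) interface
# and pf can track both directions.
net.inet.ipsec.filtertunnel=1

# /etc/pf.conf (fragment)
# Assumed macro name; the interface name ipsec0 is the one from the report.
vti_if = "ipsec0"

# Workaround from symptom 1: take the VTI out of pf entirely. Connections
# survive, but nothing on the tunnel is filtered. Leave this commented out
# once the sysctl above is set.
# set skip on $vti_if

# Stateful rule from the report, with "proto tcp" added so it does not also
# match UDP port 22. Return traffic is matched by the state entry, not by a
# separate pass in rule.
pass out quick on $vti_if inet proto tcp from any to any port ssh keep state
```

To check the result without a reboot, set the sysctl by hand (sysctl net.inet.ipsec.filtertunnel=1), reload the ruleset with pfctl -f /etc/pf.conf, open an ssh session across the tunnel and inspect pfctl -ss: the tcp state on ipsec0 should now show ESTABLISHED:ESTABLISHED instead of lingering in a half-open state.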