Bug 232522 - if_ipsec and pf doesn't work
Summary: if_ipsec and pf doesn't work
Status: Closed FIXED
Alias: None
Product: Base System
Classification: Unclassified
Component: kern (show other bugs)
Version: 11.2-STABLE
Hardware: amd64 Any
: --- Affects Only Me
Assignee: freebsd-bugs (Nobody)
Keywords: vimage
Depends on:
Reported: 2018-10-22 09:46 UTC by Peter Blok
Modified: 2018-10-26 08:34 UTC (History)
1 user (show)

See Also:

Superfluous addition of pfile hooks in if_ipsec.c (2.53 KB, patch)
2018-10-22 09:46 UTC, Peter Blok
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Peter Blok 2018-10-22 09:46:29 UTC
Created attachment 198460 [details]
Superfluous addition of pfile hooks in if_ipsec.c

A VPN with if_ipsec VTI does not keep state with pf firewall. Below the symptoms:

1. If the VTI is on the pf.conf "skip" list, everything works ok!
2. With a "block all" nothing goes out, so works ok!
3. When passing an ssh connection with
   "pass out quick on ipsec0 from any to any port ssh keep state"
   the ssh connections work, but drops very quickly. When I dump the pf state table,
4. When I add pfil hooks to if_ipsec.c (see attached patch) everything works ok, but
   according to ae it is an additional call to the hook, which is probably why #2 works

Systems is now running fine with my hack and is in production, but I can setup a test system and get more info as well as debug.
Comment 1 Peter Blok 2018-10-22 09:49:00 UTC
vimage is present with some fixes ported from current.
Comment 2 Andrey V. Elsukov freebsd_committer 2018-10-26 07:15:40 UTC
Jast a guess, did you try to enable net.inet[6].ipsec[6].filtertunnel?
Comment 3 Peter Blok 2018-10-26 08:34:26 UTC
I did enable them now :-(. They were enabled before with gif tunnels but trying to determine why migrating from gif and ipsec-tools to VTI and strongswan I must have enabled them.

Everything works ok now.