On 10/21/2014 11:06 AM, Kyle Williams wrote:
Hello,

I'm currently using 10.0, IPSEC, racoon, enc, and pf between two remote
hosts without NATT. The gif tunnel is ipv4 only, host A is ipv4 only,
host B is ipv4/ipv6. I use IPSEC to route traffic between jails on both
hosts, with the jails using cloned lo1 and 10.0.0.0/8 addresses.

I'm testing the posted patches on host A with the following pf.conf:
   block all
   pass all

I'm using the recommended sysctls:
   net.enc.in.ipsec_bpf_mask=2
   net.enc.in.ipsec_filter_mask=2
   net.enc.out.ipsec_bpf_mask=1
   net.enc.out.ipsec_filter_mask=1

[...]

I'm willing to test more kernel patches, but I can't install head.


Hey Kyle,

Thanks for lending a hand. I tested a few myself last night but had no luck. This morning I received an email off-list that pointed to a patch that was merged to 10 stable. It sounds promising ...

Log:
  Merge r263091: fix mbuf flags clash that lead to failure of operation
  of IPSEC and packet filters.

https://lists.freebsd.org/pipermail/svn-src-stable-10/2014-March/001111.html

I won't have a chance to try it until after business hours tonight, but will report back to the list with my results. Alternately, I assume you also could upgrade to 10.1-RC2 as the MFC for this patch happened back in March. I may go this route myself and then bump up to RELEASE in a few weeks when it happens.

Thanks,

-Matthew
_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"