> It's still broken because, as mentioned at the end of the thread you
> linked, IPsec state gets replicated to the peer and this is causing
> the "replayed" packets you're seeing. The peer already has IPsec state
> in memory (created by pfsync replication) which matches incoming IPsec
> packets directed at it. So the peer's IPsec stack ends up believing it's
> seen the incoming packet already (while it actually hasn't seen the packet,
> it just copied the IPsec state from the sender) and drops the packet.
>
> No good fix is known as of yet. I've given up on it for now.
Please fix this bug or remove this example from the documentation. For me this setup has been broken since 2011:

http://marc.info/?l=openbsd-misc&m=130624207811609&w=2

Nobody cares, or nobody uses it?

http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man4/pfsync.4?query=pfsync

    This can be used in combination with ipsec(4) to protect the
    synchronisation traffic. In such a configuration, the syncdev should be
    set to the enc(4) interface, as this is where the traffic arrives when
    it is decapsulated, e.g.:

        # ifconfig pfsync0 syncpeer 10.0.0.2 syncdev enc0

Lukasz
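The failure mode described in the quoted reply (the peer copies the sender's IPsec replay state and then rejects the real packet as a replay) can be shown with a small model. The following is an added illustration, not code from the thread or from OpenBSD: it implements an RFC 4303-style ESP anti-replay sliding window and then plays out two orderings of events between a pfsync sender and its peer. The class and function names, the 64-bit window size, and the assumption that the replicated state is applied to the peer's inbound SA exactly as if the packet had been received are all constructed for this example; the real pfsync/tdb code paths are not modelled.

```python
"""Model of ESP anti-replay state being replicated to a pfsync peer.

Constructed example: a simplified RFC 4303 sliding window, not OpenBSD's
tdb implementation. It shows why importing the sender's sequence counter
into the receiver's replay window makes the genuine packet look replayed.
"""

WINDOW = 64               # window size in sequence numbers (assumed)
MASK = (1 << WINDOW) - 1  # keeps the bitmap inside WINDOW bits


class ReplayWindow:
    """Inbound SA anti-replay state: highest accepted seq plus a bitmap."""

    def __init__(self):
        self.last_seq = 0  # highest sequence number accepted so far
        self.bitmap = 0    # bit i set => sequence (last_seq - i) already seen

    def check_and_update(self, seq):
        """Return True and record seq if it is new and inside the window."""
        if seq == 0:                      # seq 0 is never valid in ESP
            return False
        if seq > self.last_seq:           # window slides forward
            shift = seq - self.last_seq
            if shift < WINDOW:
                self.bitmap = ((self.bitmap << shift) | 1) & MASK
            else:
                self.bitmap = 1           # jumped past the whole window
            self.last_seq = seq
            return True
        back = self.last_seq - seq
        if back >= WINDOW:                # too old to be tracked: reject
            return False
        if self.bitmap & (1 << back):     # already seen: replay
            return False
        self.bitmap |= 1 << back          # late but new: accept and mark
        return True

    def absorb_replicated_counter(self, seq):
        """Model of pfsync importing the sender's counter (assumption):
        the peer marks seq as seen although no packet was processed."""
        self.check_and_update(seq)


def standalone_replay_check():
    """Normal receiver with no state replication: duplicates are rejected,
    fresh in-window packets are accepted, stale packets are rejected."""
    rx = ReplayWindow()
    return [
        rx.check_and_update(1),    # new -> True
        rx.check_and_update(2),    # new -> True
        rx.check_and_update(2),    # duplicate -> False
        rx.check_and_update(1),    # duplicate -> False
        rx.check_and_update(100),  # far ahead, window resets -> True
        rx.check_and_update(30),   # older than window -> False
    ]


def simulate_pfsync_race(replicate_first):
    """Sender emits ESP packets 1..3 over the SA protecting pfsync itself and
    replicates its counter to the peer. Returns the peer's accept decision
    for each genuine packet, depending on which arrives first."""
    rx = ReplayWindow()
    decisions = []
    for tx_seq in (1, 2, 3):
        if replicate_first:
            rx.absorb_replicated_counter(tx_seq)   # pfsync update wins the race
            decisions.append(rx.check_and_update(tx_seq))  # real packet rejected
        else:
            decisions.append(rx.check_and_update(tx_seq))  # real packet accepted
            rx.absorb_replicated_counter(tx_seq)   # update is then a no-op
    return decisions


if __name__ == "__main__":
    print("plain receiver :", standalone_replay_check())
    print("update first   :", simulate_pfsync_race(True))   # all dropped
    print("packet first   :", simulate_pfsync_race(False))  # all accepted
```

In this model the outcome depends purely on which of the two messages the peer processes first, which is why the problem shows up as intermittent "replayed" drops rather than a hard failure. A defender looking for it would compare the ESP replay counters on the peer (on OpenBSD, `netstat -s -p esp` reports per-protocol counters) against the sender's transmit count: replay rejections on a link with no actual duplication are the signature of imported state.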

