Hi,

I've tested IPsec connections in my lab. The setup looks like this:

[cli] <-- vlan10 --> [gw1] <----> [inet] <----> [gw2] <-- vlan20 --> [srv]
                           ========IPsec=========

During the testing I think I've found a flaw in ipsec.conf(5). According to
the man page the ESP packets need to be passed on interface sk0:

block on sk0
block on enc0
pass in on sk0 proto udp from 192.168.3.2 to 192.168.3.1 \
	port {500, 4500}
pass out on sk0 proto udp from 192.168.3.1 to 192.168.3.2 \
	port {500, 4500}
pass in on sk0 proto esp from 192.168.3.2 to 192.168.3.1
pass out on sk0 proto esp from 192.168.3.1 to 192.168.3.2

My test setup didn't allow communication between [cli] and [srv]. Checking
the reason on [gw1] using tcpdump -nettti pflog0 shows that ESP packets are
blocked by pf on enc0. So I included the interface enc0 in the pass rules
for ESP packets. After this the connections work as expected.

As a result of my tests I've created the diff below for ipsec.conf(5).
Is this OK or did I miss something?

Cheers,
Bruno

Index: sbin/ipsecctl/ipsec.conf.5
===================================================================
RCS file: /cvs/src/sbin/ipsecctl/ipsec.conf.5,v
retrieving revision 1.151
diff -u -p -r1.151 ipsec.conf.5
--- sbin/ipsecctl/ipsec.conf.5	9 Dec 2015 21:41:50 -0000	1.151
+++ sbin/ipsecctl/ipsec.conf.5	24 May 2016 08:24:49 -0000
@@ -513,8 +513,8 @@ pass in on sk0 proto udp from 192.168.3
 pass out on sk0 proto udp from 192.168.3.1 to 192.168.3.2 \e
 	port {500, 4500}
-pass in on sk0 proto esp from 192.168.3.2 to 192.168.3.1
-pass out on sk0 proto esp from 192.168.3.1 to 192.168.3.2
+pass in on {sk0 enc0} proto esp from 192.168.3.2 to 192.168.3.1
+pass out on {sk0 enc0} proto esp from 192.168.3.1 to 192.168.3.2
 pass in on enc0 proto ipencap from 192.168.3.2 to 192.168.3.1 \e
 	keep state (if-bound)
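Review bot: the two `+pass ... on {sk0 enc0} proto esp` lines widen the ESP rules to enc0 without any change to the explanatory text, so a reader of the example sees an interface list but is not told that enc0 sees the outer ESP packets as well as the decapsulated ipencap traffic; that observation only exists in this mail's pflog finding, not in the patched example. Suggest either adding a sentence to the text around the example saying that ESP must be passed on both sk0 and enc0, or splitting the enc0 ESP rules out as separate `pass in on enc0 proto esp` / `pass out on enc0 proto esp` lines next to the existing `pass in on enc0 proto ipencap ... keep state (if-bound)` rule so the enc0 rules stay grouped. Related: the ipencap rule in the trailing context carries `keep state (if-bound)` while the new enc0 ESP rules do not, so if the example deliberately uses if-bound states on enc0 the new rules should match that or the text should say why ESP does not need it. Also, the header says 8 lines on each side but only 6 are visible after it, so the trailing context of the hunk appears cut off as quoted here.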
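As an added example, not part of Bruno's mail or of the OpenBSD tree: a small Python parser for the `tcpdump -nettti pflog0` output used above to locate which interface is blocking ESP. It counts blocked packets per interface, direction and protocol and lists the interfaces that still need a `pass ... proto esp` rule. The pflog prefix format ("rule N/(reason) action dir on ifname: ...") and the esp/ipencap payload formats are assumptions based on OpenBSD tcpdump's pflog and IPsec printers; the sample log lines are constructed for this example, and the `pass` line assumes that rule was written with `log`, since pflog only records logged rules.

```python
import re
from collections import Counter

# Assumed pflog prefix as printed by OpenBSD tcpdump -e on pflog0:
#   "rule N/(reason) action direction on ifname: <packet text>"
# Whatever precedes "rule" (timestamps from -ttt, link-level info) is ignored.
PFLOG_RE = re.compile(
    r"rule (?P<rule>\d+)/\((?P<reason>[^)]+)\) "
    r"(?P<action>pass|block|match|nat|rdr|binat|scrub) "
    r"(?P<dir>in|out) on (?P<ifname>[A-Za-z0-9_.]+): (?P<payload>.*)$"
)


def classify_proto(payload):
    """Heuristic protocol classification of the packet text after the prefix.

    Assumptions: OpenBSD tcpdump prints IPsec packets as 'esp A > B spi ...'
    or 'ah A > B ...'; IP-in-IP (ipencap, as seen on enc0 in tunnel mode)
    shows two 'A > B:' headers, outer then inner.
    """
    first = payload.split(" ", 1)[0]
    if first in ("esp", "ah"):
        return first
    if re.match(r"^\S+ > \S+: \S+ > \S+:", payload):
        return "ipencap"
    if re.search(r"\b(udp|isakmp)\b", payload):
        return "udp"
    if "icmp" in payload:
        return "icmp"
    return "other"


def parse_pflog(lines):
    """Turn tcpdump pflog0 lines into dicts; non-matching lines are skipped."""
    records = []
    for line in lines:
        m = PFLOG_RE.search(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["rule"] = int(rec["rule"])
        rec["proto"] = classify_proto(rec["payload"])
        records.append(rec)
    return records


def blocked_by_interface(records):
    """Count blocked packets keyed by (ifname, direction, proto)."""
    return Counter(
        (r["ifname"], r["dir"], r["proto"])
        for r in records
        if r["action"] == "block"
    )


def esp_blocked_on(records):
    """Interfaces on which ESP was blocked: each needs a 'pass ... proto esp' rule."""
    return sorted(
        {r["ifname"] for r in records
         if r["action"] == "block" and r["proto"] == "esp"}
    )


# Constructed sample output; the timestamps and SPIs are made up.
SAMPLE_PFLOG = """\
May 24 08:24:49.100001 rule 1/(match) block in on enc0: esp 192.168.3.2 > 192.168.3.1 spi 0x0F4E7A11 seq 7 len 116
May 24 08:24:49.100432 rule 1/(match) block out on enc0: esp 192.168.3.1 > 192.168.3.2 spi 0x2A1B3C4D seq 3 len 116
May 24 08:24:49.100900 rule 1/(match) block in on enc0: esp 192.168.3.2 > 192.168.3.1 spi 0x0F4E7A11 seq 8 len 116
May 24 08:24:50.000100 rule 0/(match) block in on sk0: 203.0.113.9.44444 > 192.168.3.1.22: S 1:1(0) win 65535
May 24 08:24:50.000200 rule 7/(match) pass in on enc0: 192.168.3.2 > 192.168.3.1: 10.2.0.7 > 10.1.0.5: icmp: echo request
"""


if __name__ == "__main__":
    recs = parse_pflog(SAMPLE_PFLOG.splitlines())
    for key, n in sorted(blocked_by_interface(recs).items()):
        print("blocked %-5s %-3s %-8s %d" % (key[0], key[1], key[2], n))
    print("ESP blocked on:", ", ".join(esp_blocked_on(recs)) or "none")
```

Run it against real output with `tcpdump -nettti pflog0 | python3 pflog_esp.py` after changing the `__main__` block to read `sys.stdin`; on the gateway described in the mail the expected result before the rule change is `ESP blocked on: enc0`.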