On Thu, Jun 18, 2015 at 03:44:24PM +0200, Łukasz Czarniecki wrote:
> Hi,
> 
> I have the same problem described here:
> 
> http://openbsd-archive.7691.n7.nabble.com/pfsync-over-ipsec-is-broken-td257496.html#a257681
> 
> My system is 5.7 i386
> 
> I have keep state (no-sync) on all locally terminated traffic (including
> ipsec udp/esp) and set skip on enc in pf.conf.
> 
> I can see only outgoing PFSync traffic (no incoming) with increasing
> replayed packets received on both firewalls.
> 
> netstat -p esp -s | grep replay
>         304 possibly replayed packets received
> 
> Does anyone have a working PFSync over IPsec setup?
> 
> Lukasz

It's still broken because, as mentioned at the end of the thread you
linked, IPsec state gets replicated to the peer, and this is causing
the "replayed" packets you're seeing. The peer already has IPsec state
in memory (created by pfsync replication) which matches incoming IPsec
packets directed at it. So the peer's IPsec stack ends up believing it's
seen the incoming packet already (while it actually hasn't seen the packet,
it just copied the IPsec state from the sender) and drops the packet.

No good fix is known as of yet. I've given up on it for now.

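A simplified model of the failure mode described in the reply above, added here as an illustration and not code from the thread or from OpenBSD: an RFC 4303 style ESP anti-replay window, and what happens to a peer whose inbound IPsec state, replay window included, was copied from the other firewall rather than built from packets it actually received. The window size, class and function names are assumptions of this model.

```python
# Constructed model of an ESP anti-replay sliding window and of pfsync
# replicating IPsec state to a peer. Not OpenBSD kernel code.

WINDOW = 64  # replay window size in sequence numbers (assumed value)


class ReplayWindow:
    """Tracks which ESP sequence numbers one SA has already accepted."""

    def __init__(self):
        self.last_seq = 0  # highest sequence number accepted so far
        self.bitmap = 0    # bit i set => (last_seq - i) was accepted

    def check_and_update(self, seq):
        """Return True and record seq if it is new, False if it looks replayed."""
        if seq == 0:
            return False  # ESP sequence numbers start at 1
        if seq > self.last_seq:
            shift = seq - self.last_seq  # slide the window forward
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << WINDOW) - 1)
            self.last_seq = seq
            return True
        diff = self.last_seq - seq
        if diff >= WINDOW:
            return False  # too old to track: treated as replay
        if self.bitmap & (1 << diff):
            return False  # already accepted once: replay
        self.bitmap |= 1 << diff
        return True


def sa_copy(window):
    """Model pfsync replication: the peer receives a copy of the sender's
    replay window instead of building its own from the packets it sees."""
    copy = ReplayWindow()
    copy.last_seq, copy.bitmap = window.last_seq, window.bitmap
    return copy


def peer_accept_count(seqs, replicate_state):
    """How many of `seqs` the peer accepts. Firewall A processes them first;
    with replicate_state=True the peer starts from A's replicated window."""
    fw_a = ReplayWindow()
    for s in seqs:
        fw_a.check_and_update(s)
    fw_b = sa_copy(fw_a) if replicate_state else ReplayWindow()
    return sum(fw_b.check_and_update(s) for s in seqs)


if __name__ == "__main__":
    print("fresh peer accepts:", peer_accept_count(range(1, 6), False))
    print("replicated peer accepts:", peer_accept_count(range(1, 6), True))
```

With replicated state every sequence number the peer sees is already marked in its window, so all packets are dropped as replayed, which is exactly what the rising "possibly replayed packets received" counter in the report reflects.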