Bug 174602

Summary: [gif] [ipsec] traceroute issue on gif tunnel with ipsec
Product: Base System
Reporter: hunreal
Component: kern
Assignee: Andrey V. Elsukov <ae>
Status: Closed Overcome By Events
Severity: Affects Only Me
CC: delphij, re
Priority: Normal
Keywords: regression
Version: 10.2-RELEASE
Flags: bugmeister: mfc-stable10?
       bugmeister: mfc-stable9?
       bugmeister: mfc-stable8?
Hardware: amd64
OS: Any
See Also: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=228108

Description hunreal 2012-12-21 05:30:00 UTC
traceroute requests time out while going through an ipsec ipip tunnel.

network1(172.16.0.0/24)<->server1(172.16.0.254)<-gif->server2(10.0.0.254)<->network2(10.0.0.0/24)

Without ipsec, with traceroute from one network to the other, everything is ok.
 1    <1 ms    <1 ms    <1 ms  172.16.0.254
 2   100 ms   100 ms   100 ms  10.0.0.254
 3   100 ms   100 ms   100 ms  10.0.0.1

With ipsec, the second hop shows "Request timed out".
 1    <1 ms    <1 ms    <1 ms  172.16.0.254
 2     *        *        *     Request timed out.
 3   100 ms   100 ms   100 ms  10.0.0.1

# ipsec.conf
spdflush;
spdadd 172.16.0.254/32 10.0.0.254/32 ipencap -P out ipsec
esp/transport//require;
spdadd 10.0.0.254/32 172.16.0.254/32 ipencap -P in  ipsec
esp/transport//require;
flush;
add 172.16.0.254 10.0.0.254 esp 10001 -E blowfish-cbc "123456";
add 10.0.0.254 172.16.0.254 esp 10002 -E blowfish-cbc "123456";

This bug affects both transport and tunnel mode ipsec, and also traceroute6 in a 6in4 tunnel.

How-To-Repeat: Setup gif tunnel with ipsec, and traceroute/traceroute6.
Comment 1 Mark Linimon freebsd_committer freebsd_triage 2012-12-21 19:03:26 UTC
Responsible Changed
From-To: freebsd-bugs->freebsd-net

Over to maintainer(s).
Comment 2 Andrey V. Elsukov freebsd_committer freebsd_triage 2014-04-04 10:52:50 UTC
Responsible Changed
From-To: freebsd-net->ae

Take it.
Comment 3 commit-hook freebsd_committer freebsd_triage 2014-10-08 21:23:55 UTC
A commit references this bug:

Author: ae
Date: Wed Oct  8 21:23:35 UTC 2014
New revision: 272770
URL: https://svnweb.freebsd.org/changeset/base/272770

Log:
  When tunneling interface is going to insert mbuf into netisr queue after stripping
  outer header, consider it as new packet and clear the protocols flags.

  This fixes problems when IPSEC traffic goes through various tunnels and router
  doesn't send ICMP/ICMPv6 errors.

  PR:		174602
  Obtained from:	Yandex LLC
  MFC after:	2 weeks
  Sponsored by:	Yandex LLC

Changes:
  head/sys/net/if_gif.c
  head/sys/netinet/ip_gre.c
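The commit log says only that the decapsulated packet is now treated as a new packet and its protocol flags are cleared. Why that matters for traceroute: ESP input marks the mbuf M_DECRYPTED, and icmp_error() in ip_icmp.c (icmp6_error() likewise) refuses to generate an error for a packet carrying that flag, so an inner packet that inherits the flag through gif_input() never gets a time-exceeded reply, which is exactly the "* * *" at hop 2 in the report. The C below is an added model written for this page, not FreeBSD kernel code: struct pkt, the flag values and the function bodies are simplifications, and the clear_proto_flags argument stands in for the m_clrprotoflags() call the fix adds.

```c
/*
 * Added model of the flag-propagation bug behind PR 174602. Not FreeBSD
 * code: names follow sys/mbuf.h and netinet loosely, bodies are toy.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Subset of mbuf flags. M_DECRYPTED is a "protocol flag": it records what
 * happened to THIS packet on input and must not outlive the packet. */
#define M_BCAST      0x0001
#define M_MCAST      0x0002
#define M_DECRYPTED  0x0100          /* set by ESP input after decrypt */
#define M_PROTOFLAGS (M_DECRYPTED)   /* real mask covers M_PROTO1..N */

struct pkt {
    uint32_t flags;
    uint8_t  ttl;        /* TTL of the header currently on top */
    bool     has_outer;  /* outer IP(+ESP) header still present */
    int      icmp_sent;  /* ICMP errors generated for this packet */
};

/* Model of icmp_error(): no ICMP error is generated for a packet that is
 * marked M_DECRYPTED or addressed to broadcast/multicast. */
static bool icmp_error(struct pkt *m)
{
    if (m->flags & M_DECRYPTED)
        return false;
    if (m->flags & (M_BCAST | M_MCAST))
        return false;
    m->icmp_sent++;
    return true;
}

/* Model of ESP input: decrypt succeeded, tag the mbuf. */
static void esp_input(struct pkt *m)
{
    m->flags |= M_DECRYPTED;
}

/* Model of gif_input(): strip the outer header and queue the inner packet
 * to netisr. Before r272770 the inherited protocol flags stayed on the
 * mbuf; the fix clears them (m_clrprotoflags) so the inner packet is
 * treated as a freshly received one. */
static void gif_input(struct pkt *m, bool clear_proto_flags)
{
    m->has_outer = false;
    m->flags &= ~(M_BCAST | M_MCAST);
    if (clear_proto_flags)
        m->flags &= ~M_PROTOFLAGS;
}

/* Model of ip_forward(): a TTL-1 packet is dropped and answered with an
 * ICMP time-exceeded, which is what traceroute listens for. */
static bool ip_forward(struct pkt *m)
{
    if (m->ttl <= 1) {
        icmp_error(m);
        return false;     /* dropped */
    }
    m->ttl--;
    return true;
}

/* Decapsulating router's path for a traceroute probe whose inner TTL is 1:
 * ESP -> gif decap -> forward. Returns whether the router answered. */
bool traceroute_probe_answered(bool fixed)
{
    struct pkt m = { .flags = 0, .ttl = 1, .has_outer = true, .icmp_sent = 0 };
    esp_input(&m);
    gif_input(&m, fixed);
    ip_forward(&m);
    return m.icmp_sent == 1;
}

int main(void)
{
    printf("before r272770: hop answers = %s\n",
           traceroute_probe_answered(false) ? "yes" : "no (* * *)");
    printf("after  r272770: hop answers = %s\n",
           traceroute_probe_answered(true) ? "yes" : "no (* * *)");
    return 0;
}
```

The same shape applies to GRE (ip_gre.c was patched in the same commit) and to IPv6, where icmp6_error() performs the equivalent M_DECRYPTED check, which is why the reporter saw traceroute6 fail in a 6in4 gif tunnel as well.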
Comment 4 Andrey V. Elsukov freebsd_committer freebsd_triage 2014-10-08 21:25:15 UTC
Patched in head/.
Comment 5 commit-hook freebsd_committer freebsd_triage 2014-10-30 13:54:20 UTC
A commit references this bug:

Author: ae
Date: Thu Oct 30 13:53:58 UTC 2014
New revision: 273859
URL: https://svnweb.freebsd.org/changeset/base/273859

Log:
  MFC r272770:
    When tunneling interface is going to insert mbuf into netisr queue after stripping
    outer header, consider it as new packet and clear the protocols flags.

    This fixes problems when IPSEC traffic goes through various tunnels and router
    doesn't send ICMP/ICMPv6 errors.

  PR:		174602
  Sponsored by:	Yandex LLC

Changes:
_U  stable/10/
  stable/10/sys/net/if_gif.c
  stable/10/sys/netinet/ip_gre.c
Comment 6 commit-hook freebsd_committer freebsd_triage 2014-10-30 14:00:21 UTC
A commit references this bug:

Author: ae
Date: Thu Oct 30 13:59:30 UTC 2014
New revision: 273860
URL: https://svnweb.freebsd.org/changeset/base/273860

Log:
  MFC r272770 (modified version):
    When tunneling interface is going to insert mbuf into netisr queue after stripping
    outer header, consider it as new packet and clear the protocols flags.

    This fixes problems when IPSEC traffic goes through various tunnels and router
    doesn't send ICMP/ICMPv6 errors.

  PR:		174602
  Sponsored by:	Yandex LLC

Changes:
_U  stable/9/sys/
_U  stable/9/sys/net/
  stable/9/sys/net/if_gif.c
  stable/9/sys/netinet/ip_gre.c
Comment 7 Andrey V. Elsukov freebsd_committer freebsd_triage 2014-11-05 09:34:53 UTC
It should be fixed in 10-STABLE and head/.
Comment 8 Glen Barber freebsd_committer freebsd_triage 2015-07-08 18:18:22 UTC
Close PRs that have had a corresponding fix committed.
Comment 9 hunreal 2015-08-15 20:14:24 UTC
After upgrading from 10.1 to 10.2, the bug is back.
The patch was MFCed to 10.2-RELEASE, but something broke it.
Comment 10 hunreal 2015-08-25 03:36:22 UTC
Oh no, IPSEC on 10.2-RELEASE breaks gif a lot!

tcpdump on gif with ipsec enabled, only output packets are captured.
ipv6 in a gif tunnel with ipsec enabled is completely broken.

Everything is ok while ipsec is disabled.

I have to replace it with GRE tunnel if ipsec enabled.
Comment 11 Andrey V. Elsukov freebsd_committer freebsd_triage 2019-05-20 11:32:00 UTC
I believe all problems with IPsec+gif/gre tunnels were fixed in 11.0+.