In the very beginning of ip6_input(): #ifdef IPSEC /* * should the inner packet be considered authentic? * see comment in ah4_input(). */ if (m) { m->m_flags &= ~M_AUTHIPHDR; m->m_flags &= ~M_AUTHIPDGM; } #endif Consider the case: a packet is encrypted as AH tunneled, and FreeBSD is the end point of the tunnel. After it tore off the outer IPv6 header, the mbuf will be inserted to NETISR again. Then ip6_forward() will be called again to process the packet. However, in ipsec6_in_reject(), the packet's source and destination will match the SP entry. Since ip6_input() has truned off the flag M_AUTHIPHDR and M_AUTHIPDGM, the packet will be dropped. I don't think with the codes AH tunnel could work properly. Fix: I think the flag should be kept! How-To-Repeat: Set IPsec rules as AH tunnel for the 2 PCs; send ICMP echo request from one end of the tunnel to the other end. However, the echo reply will never be returned since the packet is not successfully sent out.
Responsible Changed From-To: freebsd-bugs->bz mine.
Responsible Changed From-To: bz->gnn I shall not use bugzilla (at least until we will have a CLI).
For bugs matching the following criteria: Status: In Progress Changed: (is less than) 2014-06-01 Reset to default assignee and clear in-progress tags. Mail being skipped