Bug 143593 - [ipsec] When using IPSec, tcpdump doesn't show outgoing packets on gif interface
Summary: [ipsec] When using IPSec, tcpdump doesn't show outgoing packets on gif interface
Status: Closed Overcome By Events
Alias: None
Product: Base System
Classification: Unclassified
Component: kern
Version: 7.2-STABLE
Hardware: Any Any
Importance: Normal Affects Only Me
Assignee: freebsd-bugs (Nobody)
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2010-02-06 00:30 UTC by Vadim Fedorenko
Modified: 2019-05-20 11:23 UTC

See Also:


Attachments

Description Vadim Fedorenko 2010-02-06 00:30:06 UTC
I'm using ipsec tunnels between 2 hosts. 
The first one (Host1) is running 7.2-STABLE and the second one (Host2) 6.2-RELEASE.
The network topology:
Host1: public A.A.A.A private 192.168.1.114 net 192.168.1.0/24
Host2: public B.B.B.B private 192.168.4.254 net 192.168.4.0/24

The tunnel configuration for Host1:
gif0 tunnel A.A.A.A B.B.B.B 
     inet 192.168.1.114 192.168.4.254 netmask 255.255.255.255
ipsec.conf:
spdadd 192.168.1.0/24 192.168.4.0/24 any -P out ipsec esp/tunnel/A.A.A.A-B.B.B.B/require;
spdadd 192.168.4.0/24 192.168.1.0/24 any -P in ipsec esp/tunnel/B.B.B.B-A.A.A.A/require;

The tunnel configuration for Host2:
gif0 tunnel B.B.B.B A.A.A.A
     inet 192.168.4.254 192.168.1.114 netmask 255.255.255.255
ipsec.conf:
spdadd 192.168.4.0/24 192.168.1.0/24 any -P out ipsec esp/tunnel/B.B.B.B-A.A.A.A/require;
spdadd 192.168.1.0/24 192.168.4.0/24 any -P in ipsec esp/tunnel/A.A.A.A-B.B.B.B/require;

Pinging 192.168.1.114 from 192.168.4.254 successful:
[root@Host2 /etc]# ping 192.168.1.114
PING 192.168.1.114 (192.168.1.114): 56 data bytes
64 bytes from 192.168.1.114: icmp_seq=0 ttl=64 time=19.257 ms
64 bytes from 192.168.1.114: icmp_seq=1 ttl=64 time=19.443 ms
64 bytes from 192.168.1.114: icmp_seq=2 ttl=64 time=19.709 ms

but tcpdump on host1 doesn't show outgoing packets on gif0:
[root@Host1 /etc]# tcpdump -ni gif0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on gif0, link-type NULL (BSD loopback), capture size 96 bytes
03:16:49.915662 IP 192.168.4.254 > 192.168.1.114: ICMP echo request, id 61598, seq 0, length 64
03:16:50.916994 IP 192.168.4.254 > 192.168.1.114: ICMP echo request, id 61598, seq 1, length 64
03:16:51.918189 IP 192.168.4.254 > 192.168.1.114: ICMP echo request, id 61598, seq 2, length 64
03:16:52.922871 IP 192.168.4.254 > 192.168.1.114: ICMP echo request, id 61598, seq 3, length 64

How-To-Repeat: See above
Comment 1 Mark Linimon freebsd_committer freebsd_triage 2010-02-06 00:32:19 UTC
Responsible Changed
From-To: freebsd-bugs->freebsd-net

Over to maintainer(s).
Comment 2 Eugene Grosbein 2010-02-06 06:21:37 UTC
Hi!

This is not a bug but some misunderstanding how IPSEC tunnel mode works.
You need not use gif tunnel and IPSEC tunnel at once.
You should use IPSEC transport mode with gif or IPSEC tunnel mode
without gif.

In fact, for IPSEC tunnel mode your kernel encrypts and encapsulates
outgoing packets before it chooses outgoing interface. And IPSEC-encapsulated
packet already has B.B.B.B as destination IP so it is not routed to your
gif-tunnel. Instead, it is routed to your real network interface, therefore
tcpdump -i gif0 does not show it.

Just change your IPSEC configuration to transport mode, keeping your gif
configuration unchanged. Then outgoing packets will be routed to gif0 by
means of routing table (and not by IPSEC tunnel mode config) and tcpdump
will show them. Gif tunnel will encapsulate them and only then they will be
encrypted with IPSEC and sent.

I suggest this PR be closed. Please ask this type of questions in the
lists first.
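The transport-mode layout described in the comment above, written out for the reporter's addresses. This is an added example, not configuration from the PR or from the FreeBSD project; A.A.A.A and B.B.B.B are the same placeholders the report uses, and the choice of `ipencap` as the upper-layer protocol selector (rather than `any`) is mine, explained below.

```conf
# Host1: /etc/ipsec.conf in setkey(8) syntax, IPsec transport mode.
# gif0 keeps exactly the configuration from the report:
#   gif0 tunnel A.A.A.A B.B.B.B
#        inet 192.168.1.114 192.168.4.254 netmask 255.255.255.255
#
# The SPD now matches the OUTER IPv4-in-IPv4 packet that gif0 builds
# (IP protocol 4, "ipencap" in /etc/protocols), not the inner
# 192.168.x.0/24 traffic. The inner packet is delivered to gif0 by the
# routing table first, so "tcpdump -ni gif0" shows both directions;
# ESP is applied afterwards, on the physical interface.
spdadd A.A.A.A B.B.B.B ipencap -P out ipsec esp/transport//require;
spdadd B.B.B.B A.A.A.A ipencap -P in ipsec esp/transport//require;

# Host2: /etc/ipsec.conf, the mirror image.
spdadd B.B.B.B A.A.A.A ipencap -P out ipsec esp/transport//require;
spdadd A.A.A.A B.B.B.B ipencap -P in ipsec esp/transport//require;
```

Load it with `setkey -f /etc/ipsec.conf` and confirm with `setkey -DP`. Each host still needs a route for the remote /24 via gif0 (the report does not show one, so that is an assumption; the point-to-point peer address itself is reachable through gif0 without it). Two checks are worth running: `tcpdump -ni gif0` should now show the echo replies as well as the requests, and `tcpdump -ni <physical interface> esp` should show only ESP between A.A.A.A and B.B.B.B, with no plaintext protocol-4 packets. Matching on `ipencap` instead of `any` keeps the policy scoped to the tunnel: with `any`, every packet between the two public addresses would require ESP, including IKE on UDP 500 if racoon is used to negotiate the SAs, which then could never be established. Keeping `require` on the inbound policy is the security-relevant half: a plaintext IP-in-IP packet spoofed toward A.A.A.A is dropped by the SPD instead of being decapsulated onto the private network. Note that, per the later comments in this PR, the stacked gif-plus-tunnel-mode setup hit a real kernel problem that is reported fixed in 11.0 and later; on older releases this layout sidesteps it rather than fixing it.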
Comment 3 Bjoern A. Zeeb freebsd_committer freebsd_triage 2010-02-06 22:02:01 UTC
On Sat, 6 Feb 2010, Eugene Grosbein wrote:

Hi Eugene,

> The following reply was made to PR kern/143593; it has been noted by GNATS.
>
> From: Eugene Grosbein <eugen@grosbein.pp.ru>
> To: Vadim Fedorenko <junk@fromru.com>
> Cc: bug-followup@freebsd.org
> Subject: Re: kern/143593: [ipsec] When using IPSec, tcpdump doesn't show outgoing
> packets on gif interface
> Date: Sat, 06 Feb 2010 13:21:37 +0700
>
> Hi!
>
> This is not a bug but some misunderstanding how IPSEC tunnel mode works.
> You need not use gif tunnel and IPSEC tunnel at once.

But still you could for various reasons.

> You should use IPSEC transport mode with gif or IPSEC tunnel mode
> without gif.
>
> In fact, for IPSEC tunnel mode your kernel encrypts and encapsulates
> outgoing packets
> before it chooses outgoing interface. And IPSEC-encapsulated packet already
> has B.B.B.B as destination IP so it is not routed to your gif-tunnel.
> Instead, it is routed to your real network interface, therefore tcpdump
> -i gif0 does not show it.
>
> Just  change your IPSEC configuration to transport mode
> keeping your gif configuration unchanged.
> Then outgoing packets will be routed to gif0 by means of routing table
> (and not by IPSEC tunnel mode config) and tcpdump will show them.
> Gif tunnel will encapsulate them and only then they will be encrypted
> with IPSEC and sent.
>
> I suggest this PR be closed. Please ask this type of questions in the
> lists first.


While what you say is best practice and will mitigate the problem, there is
a known problem here nonetheless.

I think kern/121642 was one of the original submissions and this
should be marked as a duplicate and possibly migrated there.  There
are more slightly similar problems reported (kern/110959, ...)

I think similar strange results might be seen if stacking gif and gre
w/o IPsec (or maybe it was gif in gif).

-- 
Bjoern A. Zeeb         It will not break if you know what you are doing.
Comment 4 Andrey V. Elsukov freebsd_committer freebsd_triage 2014-04-04 10:49:47 UTC
Responsible Changed
From-To: freebsd-net->ae

Take it.
Comment 5 Eitan Adler freebsd_committer freebsd_triage 2017-12-31 07:59:41 UTC
For bugs matching the following criteria:

Status: In Progress Changed: (is less than) 2014-06-01

Reset to default assignee and clear in-progress tags.

Mail being skipped
Comment 6 Andrey V. Elsukov freebsd_committer freebsd_triage 2019-05-20 11:23:36 UTC
I believe all problems with IPsec+gif/gre tunnels were fixed in 11.0+.