traceroute request timed out while going through an ipsec ipip tunnel.

network1(172.16.0.0/24)<->server1(172.16.0.254)<-gif->server2(10.0.0.254)<->network2(10.0.0.0/24)

Without ipsec, traceroute from one network to the other, everything is ok.

  1    <1 ms    <1 ms    <1 ms  172.16.0.254
  2   100 ms   100 ms   100 ms  10.0.0.254
  3   100 ms   100 ms   100 ms  10.0.0.1

With ipsec, the second hop shows request timed out.

  1    <1 ms    <1 ms    <1 ms  172.16.0.254
  2     *        *        *     Request timed out.
  3   100 ms   100 ms   100 ms  10.0.0.1

# ipsec.conf
spdflush;
spdadd 172.16.0.254/32 10.0.0.254/32 ipencap -P out ipsec esp/transport//require;
spdadd 10.0.0.254/32 172.16.0.254/32 ipencap -P in ipsec esp/transport//require;
flush;
add 172.16.0.254 10.0.0.254 esp 10001 -E blowfish-cbc "123456";
add 10.0.0.254 172.16.0.254 esp 10002 -E blowfish-cbc "123456";

This bug affects either transport or tunnel mode ipsec, and also 6in4 tunnels with traceroute6.

How-To-Repeat: Set up a gif tunnel with ipsec, and traceroute/traceroute6.
Responsible Changed From-To: freebsd-bugs->freebsd-net Over to maintainer(s).
Responsible Changed From-To: freebsd-net->ae Take it.
A commit references this bug:

Author: ae
Date: Wed Oct 8 21:23:35 UTC 2014
New revision: 272770
URL: https://svnweb.freebsd.org/changeset/base/272770

Log:
  When tunneling interface is going to insert mbuf into netisr queue
  after stripping outer header, consider it as new packet and clear
  the protocols flags.
  This fixes problems when IPSEC traffic goes through various tunnels
  and router doesn't send ICMP/ICMPv6 errors.

  PR:            174602
  Obtained from: Yandex LLC
  MFC after:     2 weeks
  Sponsored by:  Yandex LLC

Changes:
  head/sys/net/if_gif.c
  head/sys/netinet/ip_gre.c
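A small Python model of the failure the report and the commit log describe, added here and not code from FreeBSD or the reporter: a packet that keeps its IPsec protocol marker through gif decapsulation gets no ICMP time-exceeded reply at server2, while clearing the flags after the outer header is stripped restores it. The flag names, the rule modelled in icmp_error() and the 172.16.0.1 probe source are assumptions of the model, not taken from the page.

```python
from typing import Optional

# Constructed flag values standing in for mbuf protocol flags; not the kernel's.
FLAG_DECRYPTED = 0x1   # set by the IPsec input path once the ESP payload is decrypted
FLAG_PROTO_MASK = 0xF  # every per-protocol flag that a freshly queued packet must not carry

class Packet:
    def __init__(self, outer: Optional[dict], inner: dict, flags: int = 0):
        self.outer = outer    # outer ipencap header, None once gif has stripped it
        self.inner = inner    # inner IP header: src, dst, ttl
        self.flags = flags

def ipsec_input(pkt: Packet) -> Packet:
    """ESP transport-mode input on server2: decrypt and mark the packet."""
    pkt.flags |= FLAG_DECRYPTED
    return pkt

def gif_input(pkt: Packet, clear_proto_flags: bool) -> Packet:
    """Strip the outer header and requeue the inner packet as a new one.
    clear_proto_flags=False models the behaviour the report complains about."""
    pkt.outer = None
    if clear_proto_flags:
        pkt.flags &= ~FLAG_PROTO_MASK
    return pkt

def icmp_error(pkt: Packet) -> Optional[dict]:
    """Assumed rule of the model: no ICMP error is generated for a packet
    still marked as decrypted, so a leaked flag silently hides hop 2."""
    if pkt.flags & FLAG_DECRYPTED:
        return None
    return {"icmp": "time-exceeded", "to": pkt.inner["src"]}

def ip_forward(pkt: Packet) -> Optional[dict]:
    """Forward the inner packet, answering TTL expiry with ICMP time exceeded."""
    if pkt.inner["ttl"] <= 1:
        return icmp_error(pkt)
    pkt.inner["ttl"] -= 1
    return {"forwarded_to": pkt.inner["dst"], "ttl": pkt.inner["ttl"]}

def probe_at_server2(inner_ttl: int, clear_proto_flags: bool) -> Optional[dict]:
    """One traceroute probe from network1 as it reaches server2 (addresses from
    the report, 172.16.0.1 assumed; a hop-2 probe arrives with inner TTL 1)."""
    probe = Packet(outer={"src": "172.16.0.254", "dst": "10.0.0.254"},
                   inner={"src": "172.16.0.1", "dst": "10.0.0.1", "ttl": inner_ttl})
    return ip_forward(gif_input(ipsec_input(probe), clear_proto_flags))

if __name__ == "__main__":
    print("hop 2, flags kept   :", probe_at_server2(1, False))  # None: the '* * *' line
    print("hop 2, flags cleared:", probe_at_server2(1, True))
```

Hop 3 is unaffected either way, because the probe still has TTL left at server2 and is simply forwarded, which matches the third line of both traceroutes in the report.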
Patched in head/.
A commit references this bug:

Author: ae
Date: Thu Oct 30 13:53:58 UTC 2014
New revision: 273859
URL: https://svnweb.freebsd.org/changeset/base/273859

Log:
  MFC r272770:
    When tunneling interface is going to insert mbuf into netisr queue
    after stripping outer header, consider it as new packet and clear
    the protocols flags.
    This fixes problems when IPSEC traffic goes through various tunnels
    and router doesn't send ICMP/ICMPv6 errors.

    PR:           174602
    Sponsored by: Yandex LLC

Changes:
_U  stable/10/
    stable/10/sys/net/if_gif.c
    stable/10/sys/netinet/ip_gre.c
A commit references this bug:

Author: ae
Date: Thu Oct 30 13:59:30 UTC 2014
New revision: 273860
URL: https://svnweb.freebsd.org/changeset/base/273860

Log:
  MFC r272770 (modified version):
    When tunneling interface is going to insert mbuf into netisr queue
    after stripping outer header, consider it as new packet and clear
    the protocols flags.
    This fixes problems when IPSEC traffic goes through various tunnels
    and router doesn't send ICMP/ICMPv6 errors.

    PR:           174602
    Sponsored by: Yandex LLC

Changes:
_U  stable/9/sys/
_U  stable/9/sys/net/
    stable/9/sys/net/if_gif.c
    stable/9/sys/netinet/ip_gre.c
It should be fixed in 10-STABLE and head/.
Close PRs that have had a corresponding fix committed.
After upgrading from 10.1 to 10.2, the bug is back. The patch was MFC'd to 10.2-RELEASE, but something broke it.
Oh no, IPSEC on 10.2-RELEASE breaks gif a lot! With tcpdump on gif with ipsec enabled, only output packets are captured. ipv6 in a gif tunnel with ipsec enabled is completely broken. Everything is ok while ipsec is disabled. I have to replace it with a GRE tunnel if ipsec is enabled.
I believe all problems with IPsec+gif/gre tunnels were fixed in 11.0+.