Date: Fri, 07 Feb 2014 13:40:40 +0000
From: Nicolas DEFFAYET <nicolas-ml@deffayet.com>
To: "Andrey V. Elsukov" <bu7cher@yandex.ru>
Cc: freebsd-net@freebsd.org
Subject: Re: IPsec filtertunnel broken on FreeBSD 10
Message-ID: <1391780440.28112.2.camel@srv31.corp.novso.com>
In-Reply-To: <1391777078.27201.2.camel@srv31.corp.novso.com>
References: <1391725273.22934.16.camel@fr-wks3.corp.novso.com> <52F4C41B.3030101@yandex.ru> <1391777078.27201.2.camel@srv31.corp.novso.com>
On Fri, 2014-02-07 at 12:44 +0000, Nicolas DEFFAYET wrote:

Hello Andrey,

Hum, after a long time (more than 30 secs), I eventually see the packet exchange on FreeBSD 10-RELEASE:

    13:32:46.135752 (authentic,confidential): SPI 0x06bb885e: IP ipwan-remote > ipwan-local: GREv0, length 64: IP iptunnel-remote.20044 > iptunnel-local.22: Flags [S], seq 209981237, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 1966114362 ecr 0], length 0
    13:32:46.135852 (authentic,confidential): SPI 0x0ebc5f9b: IP ipwan-local > ipwanremote: GREv0, length 64: IP iptunnel-local.22 > iptunnel-remote.20044: Flags [S.], seq 2240012658, ack 209981238, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 3945107127 ecr 1966114362], length 0

I don't know why it takes so long (I use the -n flag in tcpdump to disable name resolution). So people not seeing the packet exchange on enc0 may be impatient like me.

But the problem is still here, as you can see below:

ipfw:

    00100 allow log logamount 100 ip from any to any via gre3

=> packets not seen by rule 100, as there is nothing in the log and nothing in the counters

pf:

    @0 pass log quick on gre3 all flags S/SA keep state

=> packets not seen by rule 0, as there is nothing in the log and nothing in the counters

To generate these packets, I use ICMP echo-request/echo-reply and an SSH client-server (TCP 22). Of course, I have tested changing gre3 to em0 to make sure that ipfw and pf logging works.

On FreeBSD 10.0-RELEASE:
- packets are visible on enc0 in both directions with default net.enc settings if you are patient
- ipfw doesn't see the incoming packet, as there is no match
- pf doesn't see the incoming packet, as there is no match

On FreeBSD 9.1-RELEASE everything works fine with the same configuration.

Gleb Smirnoff wrote (http://lists.freebsd.org/pipermail/freebsd-stable/2014-January/076903.html):
"nothing has changed in pf in regards to its ipsec handling"

So the bug _seems_ to be related to ipsec, as both ipfw and pf don't see the packet.

Thanks

-- 
Nicolas DEFFAYET
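The check the message relies on ("nothing in the counters" for the gre3 rules after generating ping and SSH traffic) can be automated by snapshotting the accounting counters before and after the test traffic and flagging rules on the tunnel interface whose packet counter did not move. The following is an added example, not code from the thread or from FreeBSD; the `ipfw -a list` and `pfctl -vsr` output embedded below is constructed sample text in the shape those commands print (rule number, packet and byte counters, rule body for ipfw; a rule line followed by a bracketed counter line for pf), with counters chosen so that only the gre3 rules stay at zero.

```python
import re

# Constructed sample of `ipfw -a list` output: rule number, packets, bytes, rule body.
# The "before" snapshot is taken before generating test traffic, "after" once it has run.
IPFW_BEFORE = """\
00100        0          0 allow log logamount 100 ip from any to any via gre3
00200      812      61432 allow ip from any to any via em0
65535     1203     154882 deny ip from any to any
"""
IPFW_AFTER = """\
00100        0          0 allow log logamount 100 ip from any to any via gre3
00200      840      63512 allow ip from any to any via em0
65535     1203     154882 deny ip from any to any
"""

# Constructed sample of `pfctl -vsr` output: each rule line is followed by its counters.
PF_BEFORE = """\
@0 pass log quick on gre3 all flags S/SA keep state
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
@1 pass quick on em0 all flags S/SA keep state
  [ Evaluations: 512       Packets: 812       Bytes: 61432       States: 3     ]
"""
PF_AFTER = """\
@0 pass log quick on gre3 all flags S/SA keep state
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
@1 pass quick on em0 all flags S/SA keep state
  [ Evaluations: 540       Packets: 840       Bytes: 63512       States: 3     ]
"""

IPFW_RE = re.compile(r"^(\d+)\s+(\d+)\s+(\d+)\s+(.*)$")
PF_RULE_RE = re.compile(r"^@(\d+)\s+(.*)$")
PF_CNT_RE = re.compile(r"Packets:\s*(\d+)")


def parse_ipfw(text):
    """Map rule number -> (packet count, rule text) from `ipfw -a list` output."""
    rules = {}
    for line in text.splitlines():
        m = IPFW_RE.match(line.strip())
        if m:
            rules[int(m.group(1))] = (int(m.group(2)), m.group(4).strip())
    return rules


def parse_pf(text):
    """Map rule index -> (packet count, rule text) from `pfctl -vsr` output.

    The counter line belongs to the most recently seen "@N rule" line.
    """
    rules = {}
    current = None
    for line in text.splitlines():
        m = PF_RULE_RE.match(line)
        if m:
            current = int(m.group(1))
            rules[current] = [0, m.group(2).strip()]
            continue
        m = PF_CNT_RE.search(line)
        if m and current is not None:
            rules[current][0] = int(m.group(1))
    return {num: tuple(v) for num, v in rules.items()}


def unmatched_rules(before, after, iface):
    """Rules that name `iface` whose packet counter did not increase between snapshots.

    A non-empty result after test traffic was sent through the tunnel means the
    firewall never saw those packets on that interface, which is the symptom
    reported for gre3.
    """
    stale = []
    for num, (pkts_after, text) in sorted(after.items()):
        pkts_before = before.get(num, (0, text))[0]
        if iface in text.split() and pkts_after - pkts_before == 0:
            stale.append((num, text))
    return stale


if __name__ == "__main__":
    # On a real host the two snapshots would come from running the commands
    # before and after `ping` / `ssh` through the tunnel; here they are constructed.
    print("ipfw rules on gre3 with no hits:",
          unmatched_rules(parse_ipfw(IPFW_BEFORE), parse_ipfw(IPFW_AFTER), "gre3"))
    print("pf rules on gre3 with no hits:",
          unmatched_rules(parse_pf(PF_BEFORE), parse_pf(PF_AFTER), "gre3"))
    print("ipfw rules on em0 with no hits:",
          unmatched_rules(parse_ipfw(IPFW_BEFORE), parse_ipfw(IPFW_AFTER), "em0"))
```

Matching on `iface in text.split()` rather than a substring keeps `gre3` from matching a hypothetical `gre30`; comparing deltas rather than absolute values avoids false alarms from rules that accumulated hits long before the test window. Running the same snapshot pair on em0 gives the control case the message describes: the rules there do move, so the firewall itself is working and the gap is specific to the decapsulated tunnel traffic.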