Date: Fri, 12 Apr 2002 08:20:39 -0400 From: "Mark Uhrmacher" <maui@alum.mit.edu> To: <freebsd-questions@FreeBSD.ORG> Subject: gif device checksum problem Message-ID: <008701c1e21c$758ef7b0$0104a8c0@controlcenter>
next in thread | raw e-mail | index | archive | help
Hi all,
Basically, I'm trying to setup an IPSEC-based VPN between two LANs
that use cable modems to connect to the Internet. In both cases the
internal LANs are behind "residential gateways" that provide NAT and
some limited firewall services. For the first step, however, I'm
attempting to get an IPv4-in-IPv4 tunnel working.
Both of these gateways are configured to shunt all traffic from the
external interface over to the FreeBSD box on their internal network
described below. So, they don't filter but they do change the
destination IP address on all packets to the internal address. Note
this is the only way (I've found) to get non-TCP/UDP IP traffic coming
from the Internet through these gateways.
Both FreeBSD boxes are running 4.5 with a kernel
enhanced with the following four lines added to the GENERIC kernel:
# IPSec configuration params added by maui 2-Apr-2002
options IPSEC
options IPSEC_ESP
options IPSEC_DEBUG
device gif 4 # tunnel for ipsec
The configuration:
NOTE: the external addresses for these setups have been changed to the
alphabetic addresses a.b.c.d and e.f.g.h
+------------+ +---------+
| | 192. | |
| freebsd-hp +-- 168.-+ Netgear +--a.b.c.d---+
| | 4.2 | RT-314 | |
+------------+ +---------+ |
Internet
+------------+ +---------+ |
| | 192. | | |
| unixserver +-- 168.-+ D-Link +--e.f.g.h---+
| | 0. | DI-713P |
+------------+ 174 +---------+
I've configured tunnels as described below:
freebsd-hp# gifconfig -a
gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
inet6 fe80::2a0:c9ff:fe73:e269%gif0 prefixlen 64
inet 192.168.4.2 --> 192.168.0.174 netmask 0xffffff00
physical address inet 192.168.4.2 --> e.f.g.h
unixserver# gifconfig -a
gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
inet 192.168.0.174 --> 192.168.4.2 netmask 0xffffff00
inet6 fe80::2b0:d0ff:fe29:d3be%gif0 prefixlen 64
physical address inet 192.168.0.174 --> a.b.c.d
After I did this I attempted pings in both directions. When that
didn't work I started to do a little debugging with tcpdump and found
some very interesting data.
When pinging from freebsd-hp (192.168.4.2) to unixserver
(192.168.0.174) I get the following output from tcpdump on both hosts:
-- output --
freebsd-hp# tcpdump -vvv -n dst host e.f.g.h or src host e.f.g.h
tcpdump: listening on fxp0
07:54:16.213186 192.168.4.2 > e.f.g.h: 192.168.4.2 > 192.168.0.174:
icmp: echo request (ttl 64, id 54896, len 84) (ttl 30, id 54897, len
104)
07:54:17.223215 192.168.4.2 > e.f.g.h: 192.168.4.2 > 192.168.0.174:
icmp: echo request (ttl 64, id 54905, len 84) (ttl 30, id 54906, len
104)
07:54:18.233106 192.168.4.2 > e.f.g.h: 192.168.4.2 > 192.168.0.174:
icmp: echo request (ttl 64, id 54908, len 84) (ttl 30, id 54909, len
104)
07:54:19.243109 192.168.4.2 > e.f.g.h: 192.168.4.2 > 192.168.0.174:
icmp: echo request (ttl 64, id 54911, len 84) (ttl 30, id 54912, len
104)
unixserver# tcpdump -vvv -n src host a.b.c.d or dst host a.b.c.d
tcpdump: listening on xl0
07:54:12.472425 a.b.c.d > 192.168.0.174: 192.168.4.2 > 192.168.0.174:
icmp: echo request (ttl 64, id 54896, len 84) (ttl 11, id 54897, len
104)
07:54:12.472497 192.168.0.174 > a.b.c.d: 192.168.0.174 > 192.168.4.2:
icmp: echo reply (ttl 64, id 14302, len 84) (ttl 30, id 14303, len 104,
bad cksum 0!)
07:54:13.482047 a.b.c.d > 192.168.0.174: 192.168.4.2 > 192.168.0.174:
icmp: echo request (ttl 64, id 54905, len 84) (ttl 11, id 54906, len
104)
07:54:13.482094 192.168.0.174 > a.b.c.d: 192.168.0.174 > 192.168.4.2:
icmp: echo reply (ttl 64, id 14306, len 84) (ttl 30, id 14307, len 104,
bad cksum 0!)
--- end output ---
So the ping request from freebsd-hp arrives at unixserver and a
response is sent. Unfortunately, it never arrives. In addition
tcpdump claims the packets send by unixserver have bad checksums. I
suspect this is the problem. It is worth noting that when pinging
from unixserver to freebsd-hp the request is lost and the ping request
packets have the bad checksums. Regular pings to the external
addresses work fine and have been verified by tcpdump not to have
checksum errors.
Also, the checksum error isn't specific to icmp. I get the same
problem with ssh between the two boxes. It seems all packets going
over the gif interface on unixserver have bad (uncalculated) checksums.
Now on the questions:
- why would taffic over the gif device not calculate checksums?
- is there some way to turn them on?
- why does one system do this and not the other? They were installed
with 4.5 about a week apart
Thanks,
Mark
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?008701c1e21c$758ef7b0$0104a8c0>