Date:      Tue, 26 Jun 2012 09:26:37 GMT
From:      Sakuma Takayuki <sakuma.takayuki@jp.fujitsu.com>
To:        freebsd-gnats-submit@FreeBSD.org
Subject:   kern/169438: [ipsec] ipv4-in-ipv6 tunnel mode IPsec does not work
Message-ID:  <201206260926.q5Q9QbZn030158@red.freebsd.org>
Resent-Message-ID: <201206260930.q5Q9U7i4040807@freefall.freebsd.org>


>Number:         169438
>Category:       kern
>Synopsis:       [ipsec] ipv4-in-ipv6 tunnel mode IPsec does not work
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Jun 26 09:30:07 UTC 2012
>Closed-Date:
>Last-Modified:
>Originator:     Sakuma Takayuki
>Release:        9.0-RELEASE
>Organization:
>Environment:
FreeBSD freebsd9 9.0-RELEASE FreeBSD 9.0-RELEASE #2: Tue Jun 26 17:01:53 JST 2012     root@freebsd9:/sys/i386/compile/IPSEC  i386
>Description:
Sending an IPv4 packet through a tunnel-mode IPsec SA whose outer transport is IPv6 does not work: no packet is sent at all.
>How-To-Repeat:
Set the SPD and SAD with 'setkey -c' as follows:

spdadd 192.0.2.1/32[any] 198.51.100.1/32[any] any -P out ipsec esp/tunnel/2001:db8:c000:200::1-2001:db8:c633:6400::1/require;
add 2001:db8:c000:200::2 2001:db8:c633:6400::1 esp 0x10001 -m tunnel -E des-cbc 0x2001db8c000ffff;

Interface addresses and routes are set up appropriately.
>Fix:
quick hack:

*** sys/netipsec/ipsec_output.c.orig    2012-06-26 18:25:11.000000000 +0900
--- sys/netipsec/ipsec_output.c 2012-06-26 17:01:38.000000000 +0900
***************
*** 575,582 ****
         */
        if (sav->tdb_xform->xf_type != XF_IP4) {
                ip = mtod(m, struct ip *);
!               i = ip->ip_hl << 2;
!               off = offsetof(struct ip, ip_p);
                error = (*sav->tdb_xform->xf_output)(m, isr, NULL, i, off);
        } else {
                error = ipsec_process_done(m, isr);
--- 575,587 ----
         */
        if (sav->tdb_xform->xf_type != XF_IP4) {
                ip = mtod(m, struct ip *);
!               if (ip->ip_v == 6) {
!                       i = sizeof(struct ip6_hdr);
!                       off = offsetof(struct ip6_hdr, ip6_nxt);
!               } else {
!                       i = ip->ip_hl << 2;
!                       off = offsetof(struct ip, ip_p);
!               }
                error = (*sav->tdb_xform->xf_output)(m, isr, NULL, i, off);
        } else {
                error = ipsec_process_done(m, isr);
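Review bot: the new `if (ip->ip_v == 6)` branch uses `struct ip6_hdr` unconditionally, but ipsec_output.c pulls in <netinet/ip6.h> only under `#ifdef INET6`, so the branch needs to be wrapped in `#ifdef INET6` / `#endif` (falling through to the existing `ip->ip_hl << 2` computation otherwise) or kernels built without INET6 stop compiling. Two points also deserve a comment in the code: reading `ip_v` through `struct ip` on an IPv6 packet is only valid because the version nibble sits in the same place in both headers, and `i = sizeof(struct ip6_hdr)` assumes the outer header carries no extension headers, which holds here because the tunnel header was just built by the IP-in-IP transform but is not obvious to a later reader.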


>Release-Note:
>Audit-Trail:
>Unformatted:
