Date:      Sat, 6 Feb 2010 20:50:05 GMT
From:      Eugene Grosbein <eugen@grosbein.pp.ru>
To:        freebsd-net@FreeBSD.org
Subject:   Re: kern/143593: [ipsec] When using IPSec, tcpdump doesn't show outgoing packets on gif interface
Message-ID:  <201002062050.o16Ko5cT063017@freefall.freebsd.org>

The following reply was made to PR kern/143593; it has been noted by GNATS.

From: Eugene Grosbein <eugen@grosbein.pp.ru>
To: Vadim Fedorenko <junk@fromru.com>
Cc: bug-followup@freebsd.org
Subject: Re: kern/143593: [ipsec] When using IPSec, tcpdump doesn't show outgoing
 packets on gif interface
Date: Sat, 06 Feb 2010 13:21:37 +0700

 Hi!
 
 This is not a bug but a misunderstanding of how IPSEC tunnel mode works.
 You need not use a gif tunnel and an IPSEC tunnel at once.
 You should use IPSEC transport mode with gif or IPSEC tunnel mode
 without gif.
 
 In fact, for IPSEC tunnel mode your kernel encrypts and encapsulates
 outgoing packets before it chooses the outgoing interface. And the
 IPSEC-encapsulated packet already has B.B.B.B as its destination IP,
 so it is not routed to your gif tunnel. Instead, it is routed to your
 real network interface, therefore tcpdump -i gif0 does not show it.
 
 Just change your IPSEC configuration to transport mode,
 keeping your gif configuration unchanged.
 Then outgoing packets will be routed to gif0 by means of the routing table
 (and not by the IPSEC tunnel mode config) and tcpdump will show them.
 The gif tunnel will encapsulate them and only then will they be encrypted
 with IPSEC and sent.
 
 I suggest this PR be closed. Please ask this type of question on the
 lists first.
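
The two setups contrasted in the reply above, as an added setkey(8) policy fragment that is not part of the original message or the reporter's configuration. A.A.A.A (local public address), the 192.168.x.0/24 inner networks and the em0 interface name are assumptions; B.B.B.B is the remote public address named in the reply.

```conf
# /etc/ipsec.conf on host A, loaded with: setkey -f /etc/ipsec.conf
# Constructed example. gif0 is assumed to exist already with
# A.A.A.A -> B.B.B.B as its outer tunnel endpoints, and a route for the
# remote inner network is assumed to point at gif0.
# Security associations for A.A.A.A <-> B.B.B.B are assumed to come from
# an IKE daemon or from manual "add" lines, which are not shown here.

# --- Combination the reply advises against: gif plus IPsec tunnel mode ---
# A tunnel-mode policy matches the inner packet and the kernel wraps it
# in a new header addressed to B.B.B.B before the output interface is
# chosen, so the packet leaves through the physical interface and
# "tcpdump -i gif0" never sees it.
#
# spdadd 192.168.1.0/24 192.168.2.0/24 any -P out ipsec
#     esp/tunnel/A.A.A.A-B.B.B.B/require;
# spdadd 192.168.2.0/24 192.168.1.0/24 any -P in ipsec
#     esp/tunnel/B.B.B.B-A.A.A.A/require;

# --- Setup the reply recommends: gif plus IPsec transport mode ---
# The policy matches only the IP-in-IP packets (protocol 4, "ipencap")
# that gif0 itself emits between the two public addresses. Inner traffic
# is first routed to gif0 by the routing table, encapsulated there, and
# only then encrypted.

spdadd A.A.A.A/32 B.B.B.B/32 ipencap -P out ipsec
    esp/transport//require;
spdadd B.B.B.B/32 A.A.A.A/32 ipencap -P in ipsec
    esp/transport//require;

# Checks after loading the policies:
#   setkey -DP                 lists the installed policies
#   tcpdump -n -i gif0         should show the cleartext inner packets
#   tcpdump -n -i em0 esp      should show only ESP between A.A.A.A and
#                              B.B.B.B; cleartext protocol 4 packets on
#                              em0 would mean the policy is not matching
```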


