From: Eugene Grosbein
To: Vadim Fedorenko
Cc: bug-followup@freebsd.org
Subject: Re: kern/143593: [ipsec] When using IPSec, tcpdump doesn't show outgoing packets on gif interface
Date: Sat, 06 Feb 2010 13:21:37 +0700
List: freebsd-net (Networking and TCP/IP with FreeBSD)

The following reply was made to PR kern/143593; it has been noted by GNATS.

Hi!

This is not a bug but some misunderstanding of how IPSEC tunnel mode works. You need not use a gif tunnel and an IPSEC tunnel at once. You should use IPSEC transport mode with gif or IPSEC tunnel mode without gif.
In fact, for IPSEC tunnel mode your kernel encrypts and encapsulates outgoing packets before it chooses the outgoing interface. And the IPSEC-encapsulated packet already has B.B.B.B as destination IP, so it is not routed to your gif tunnel. Instead, it is routed to your real network interface; therefore tcpdump -i gif0 does not show it.

Just change your IPSEC configuration to transport mode, keeping your gif configuration unchanged. Then outgoing packets will be routed to gif0 by means of the routing table (and not by the IPSEC tunnel mode config) and tcpdump will show them. The gif tunnel will encapsulate them, and only then will they be encrypted with IPSEC and sent.

I suggest this PR be closed. Please ask this type of question in the lists first.
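As an added illustration of the two layouts described in this reply (not part of the PR thread or the reporter's configuration), the following script emits the tunnel-mode SPD that bypasses gif0 beside the transport-mode SPD that protects gif's own encapsulated packets, using setkey(8) syntax. The outer addresses, inner networks and gif addresses are constructed placeholders, and the tunnel-mode policy is an assumption of what a gif-plus-tunnel-mode setup would look like.

```shell
#!/bin/sh
# Added example, not from the PR. Addresses are constructed placeholders
# (RFC 5737 documentation ranges); "A.A.A.A"/"B.B.B.B" in the reply.
LOCAL_OUTER=192.0.2.1      # this host's real interface address
REMOTE_OUTER=198.51.100.1  # peer's real interface address
LOCAL_NET=10.0.0.0/24      # constructed inner network behind this host
REMOTE_NET=10.0.1.0/24     # constructed inner network behind the peer

# Tunnel-mode SPD: selectors match the inner addresses and IPsec itself builds
# the outer header to REMOTE_OUTER, so the ESP packet is routed to the real
# interface and never appears on gif0 (the behaviour the PR reported).
tunnel_mode_spd() {
    cat <<EOF
spdadd $LOCAL_NET $REMOTE_NET any -P out ipsec esp/tunnel/$LOCAL_OUTER-$REMOTE_OUTER/require;
spdadd $REMOTE_NET $LOCAL_NET any -P in ipsec esp/tunnel/$REMOTE_OUTER-$LOCAL_OUTER/require;
EOF
}

# Transport-mode SPD for gif: the routing table delivers inner packets to gif0
# first, gif encapsulates them (IP-in-IP, upper-layer spec "ipencap") between
# the outer addresses, and only that encapsulated packet is ESP-protected.
transport_mode_spd() {
    cat <<EOF
spdadd $LOCAL_OUTER/32 $REMOTE_OUTER/32 ipencap -P out ipsec esp/transport//require;
spdadd $REMOTE_OUTER/32 $LOCAL_OUTER/32 ipencap -P in ipsec esp/transport//require;
EOF
}

# The gif interface stays the same in both layouts, as the reply says.
gif_commands() {
    cat <<EOF
ifconfig gif0 create
ifconfig gif0 tunnel $LOCAL_OUTER $REMOTE_OUTER
ifconfig gif0 inet 10.0.0.1 10.0.1.1 netmask 255.255.255.255
EOF
}

# Classify an SPD snippet before loading it: prints "transport", "tunnel"
# or "none". Useful as a sanity check that a gif setup is not paired with
# tunnel-mode policy. Load a policy with:  transport_mode_spd | setkey -c
spd_mode() {
    case "$1" in
        *esp/transport/*) echo transport ;;
        *esp/tunnel/*)    echo tunnel ;;
        *)                echo none ;;
    esac
}
```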