Date:      Sat, 6 Feb 2010 22:02:01 +0000 (UTC)
From:      "Bjoern A. Zeeb" <bz@FreeBSD.org>
To:        Eugene Grosbein <eugen@grosbein.pp.ru>
Cc:        freebsd-net@FreeBSD.org, bug-followup@FreeBSD.org, junk@fromru.com
Subject:   Re: kern/143593: [ipsec] When using IPSec, tcpdump doesn't show outgoing packets on gif interface
Message-ID:  <20100206215534.V27327@maildrop.int.zabbadoz.net>
In-Reply-To: <201002062050.o16Ko5cT063017@freefall.freebsd.org>
References:  <201002062050.o16Ko5cT063017@freefall.freebsd.org>

On Sat, 6 Feb 2010, Eugene Grosbein wrote:

Hi Eugene,

> The following reply was made to PR kern/143593; it has been noted by GNATS.
>
> From: Eugene Grosbein <eugen@grosbein.pp.ru>
> To: Vadim Fedorenko <junk@fromru.com>
> Cc: bug-followup@freebsd.org
> Subject: Re: kern/143593: [ipsec] When using IPSec, tcpdump doesn't show outgoing
> packets on gif interface
> Date: Sat, 06 Feb 2010 13:21:37 +0700
>
> Hi!
>
> This is not a bug but some misunderstanding how IPSEC tunnel mode works.
> You need not use gif tunnel and IPSEC tunnel at once.

But still you could for various reasons.

> You should use IPSEC transport mode with gif or IPSEC tunnel mode
> without gif.
>
> In fact, for IPSEC tunnel mode your kernel encrypts and encapsulates
> outgoing packets before it chooses outgoing interface. And IPSEC-encapsulated packet already
> has B.B.B.B as destination IP so it is not routed to your gif-tunnel.
> Instead, it is routed to your real network interface, therefore tcpdump
> -i gif0 does not show it.
>
> Just change your IPSEC configuration to transport mode
> keeping your gif configuration unchanged.
> Then outgoing packets will be routed to gif0 by means of routing table
> (and not by IPSEC tunnel mode config) and tcpdump will show them.
> Gif tunnel will encapsulate them and only then they will be encrypted
> with IPSEC and sent.
>
> I suggest this PR be closed. Please ask this type of questions in the
> lists first.


While what you say is best practice and will mitigate the problem, there is
a known problem here nonetheless.

I think kern/121642 was one of the original submissions and this
should be marked as a duplicate and possibly migrated there.  There
are more slightly similar problems reported (kern/110959, ...)

I think similar strange results might be seen if stacking gif and gre
w/o IPsec (or maybe it was gif in gif).

-- 
Bjoern A. Zeeb         It will not break if you know what you are doing.
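An added example, not part of the PR thread or either poster's words: the two IPsec layouts Eugene contrasts, written out as setkey(8) policies beside the gif(4) setup so the difference in where the outgoing packet goes is visible in the configuration. B.B.B.B is the remote endpoint named in the thread; A.A.A.A (the local endpoint), the inner networks 10.0.1.0/24 and 10.0.2.0/24, and the gif0 addresses are constructed placeholders.

```shell
#!/bin/sh
# Added example: two setkey(8) policy layouts for the same gif(4) tunnel.
# B.B.B.B is the remote endpoint from the PR; A.A.A.A and the inner networks
# are constructed placeholders. Nothing here touches the running kernel; the
# functions only emit the configuration text for inspection or for piping
# into setkey -c.
LOCAL_EP="A.A.A.A"
REMOTE_EP="B.B.B.B"
LOCAL_NET="10.0.1.0/24"
REMOTE_NET="10.0.2.0/24"

# gif tunnel between the two endpoints; identical in both layouts.
gif_setup() {
    cat <<EOF
ifconfig gif0 create
ifconfig gif0 tunnel $LOCAL_EP $REMOTE_EP
ifconfig gif0 inet 10.0.1.1 10.0.2.1 netmask 255.255.255.255
route add -net $REMOTE_NET 10.0.2.1
EOF
}

# Layout 1 (the reporter's): tunnel-mode SPD entries that select on the inner
# networks. The kernel matches the cleartext packet, wraps it in ESP with
# B.B.B.B as the outer destination, and routes that ESP packet out the
# physical interface. gif0 is never consulted, so tcpdump -i gif0 sees nothing
# outbound.
tunnel_mode_policy() {
    cat <<EOF
spdadd $LOCAL_NET $REMOTE_NET any -P out ipsec esp/tunnel/$LOCAL_EP-$REMOTE_EP/require;
spdadd $REMOTE_NET $LOCAL_NET any -P in  ipsec esp/tunnel/$REMOTE_EP-$LOCAL_EP/require;
EOF
}

# Layout 2 (Eugene's recommendation): transport-mode SPD entries that select
# on the gif outer packet (IP-in-IP, protocol 4, spelled "ip4" in setkey).
# The routing table sends the cleartext packet to gif0 first (tcpdump sees it
# there), gif encapsulates it, and only the encapsulated packet matches the
# policy and gets ESP applied on its way out the physical interface.
transport_mode_policy() {
    cat <<EOF
spdadd $LOCAL_EP/32 $REMOTE_EP/32 ip4 -P out ipsec esp/transport//require;
spdadd $REMOTE_EP/32 $LOCAL_EP/32 ip4 -P in  ipsec esp/transport//require;
EOF
}

# Stand-alone run: print the shared gif setup and both policy sets.
gif_setup
echo "# tunnel mode: outbound traffic bypasses gif0"
tunnel_mode_policy
echo "# transport mode: outbound traffic traverses gif0, then ESP"
transport_mode_policy
```

The transport-mode entries deliberately match only protocol 4 between the two endpoints, so other traffic between A.A.A.A and B.B.B.B (the IKE exchange on UDP/500, for instance) is left alone; with a selector of `any` instead of `ip4` the policy would also try to protect the key-exchange packets themselves.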
