From owner-freebsd-ipfw@freebsd.org Fri Dec 9 13:16:56 2016
Subject: Re: IPFW problem with passing IPSEC through in-kernel NAT
To: freebsd-ipfw@freebsd.org
From: Karl Denninger <karl@denninger.net>
Date: Fri, 9 Dec 2016 07:16:47 -0600
In-Reply-To: <156E272C-0EFA-4A15-8544-C580AAEB6033@obsigna.com>
List-Id: IPFW Technical Discussions
On 12/9/2016 06:18, Dr. Rolf Jansen wrote:
>> On 09.12.2016 at 02:11, Karl Denninger wrote:
>> ...
>> Some more information on this issue.... I suspect that something is
>> getting mangled somewhere in the IP stack, perhaps related to hardware
>> checksumming or similar -- or in the ipfw code.
> I had always run into IPsec-NAT-UDP checksumming issues since I started
> working with FreeBSD, at that time v8.0. With a rather simple change in the
> respective kernel source file at least my issue can be resolved. This may
> be related to your issue or even not; anyway, I guess it is worth giving
> it a try.
>
> I am now running FreeBSD 11-RELEASE-p5. On line 462 of file
> /usr/src/sys/netinet/udp_usrreq.c, I replaced:
>
>     if (uh->uh_sum) {
>
> with:
>
>     if (uh->uh_sum &&
>         uh->uh_dport != htons(1701) &&
>         uh->uh_dport != htons(4500)) {
>
> This effectively skips extended UDP checksumming for certain UDP ports --
> here the L2TP and IPsec-NAT-T ports. When I investigated the issue, I
> found in one related RFC that IPsec-NAT-T isn't supposed to do UDP
> checksumming on the encapsulated packets anyway, and my patch enforces
> this behaviour.
>
> Best regards
>
> Rolf
>

In this case the problem is that I never get to the use of port 4500 (there
are no packets emitted on that port that I can find); the initial key
exchange on port 500 is failing, and in-kernel NAT appears to be involved in
some fashion because I'm getting inside addresses that are (in some cases)
not being NATted at all despite the fact that as far as I can tell they
*should* be.

I'm going to spend some time refactoring the IPFW rule set to
compartmentalize the various paths through it more fully. Perhaps that will
shed some more light on the problem, or at least make an attempt to trace it
more reasonable.
-- 
Karl Denninger
karl@denninger.net
/The Market Ticker/
/[S/MIME encrypted email preferred]/
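Added here as an illustration, not code from the thread or from FreeBSD: a userland C model of the receive-side UDP checksum decision that the quoted udp_usrreq.c change alters, with the old and new behaviour selectable by a flag. The function names, the addresses and the sample datagram are constructed; the RFC 3948 rule (NAT-T senders transmit a zero UDP checksum, receivers must not depend on it) is the one Rolf refers to.

```c
#include <stddef.h>
#include <stdint.h>

/* Assumed names (not from the thread or FreeBSD): a userland model of the
 * receive-side check the quoted udp_usrreq.c change alters. */
#define UDP_PORT_L2TP  1701
#define UDP_PORT_NAT_T 4500
/* Constructed src 192.168.1.40 and dst 203.0.113.7 for the pseudo-header. */
static const uint8_t PSEUDO_ADDRS[8] = {192, 168, 1, 40, 203, 0, 113, 7};
/* Running ones-complement sum over big-endian 16-bit words. */
static uint32_t ones_sum(const uint8_t *p, size_t n, uint32_t sum)
{
    for (; n > 1; p += 2, n -= 2) sum += ((uint32_t)p[0] << 8) | p[1];
    if (n) sum += (uint32_t)p[0] << 8;          /* odd trailing byte */
    return sum;
}
/* RFC 768 checksum over IPv4 pseudo-header, UDP header and payload; run over
 * a received datagram with its checksum field in place, it is 0 iff it verifies. */
uint16_t udp_cksum(const uint8_t *udp, size_t len)
{
    uint32_t sum = ones_sum(PSEUDO_ADDRS, 8, 17 + (uint32_t)len); /* proto, len */
    sum = ones_sum(udp, len, sum);
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}
/* The decision the quoted change alters: a zero checksum is always accepted,
 * and with skip_natt_ports set the L2TP and NAT-T ports pass unverified too
 * (RFC 3948: NAT-T senders send checksum 0, receivers must not depend on it). */
int udp_accept(const uint8_t *udp, size_t len, int skip_natt_ports)
{
    uint16_t dport = ((uint16_t)udp[2] << 8) | udp[3];
    uint16_t sum   = ((uint16_t)udp[6] << 8) | udp[7];
    if (sum == 0) return 1;
    if (skip_natt_ports && (dport == UDP_PORT_L2TP || dport == UDP_PORT_NAT_T))
        return 1;
    return udp_cksum(udp, len) == 0;
}
/* Builds a correctly checksummed datagram from port 500 to 'dport', flips a
 * payload bit when 'corrupt' is set (a rewrite the checksum no longer covers,
 * e.g. a NAT that forgot to fix it up), and returns the receiver's verdict. */
int scenario(uint16_t dport, int corrupt, int skip_natt_ports)
{
    uint8_t pkt[12] = {0x01, 0xf4, 0, 0, 0, 12, 0, 0, 1, 2, 3, 4}; /* sport 500 */
    pkt[2] = dport >> 8; pkt[3] = dport & 0xff;
    uint16_t c = udp_cksum(pkt, sizeof pkt);
    if (c == 0) c = 0xffff;                     /* RFC 768: 0 means "absent" */
    pkt[6] = c >> 8; pkt[7] = c & 0xff;
    if (corrupt) pkt[8] ^= 0x80;
    return udp_accept(pkt, sizeof pkt, skip_natt_ports);
}
```

With the flag cleared (the unmodified kernel's behaviour) a NAT-T datagram whose checksum no longer matches is dropped; with it set, only non-exempt ports such as IKE's 500 are still checked.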