From: hshh
To: freebsd-net@freebsd.org
Date: Wed, 28 Nov 2012 15:34:26 +0800
Subject: traceroute issue on gif tunnel with ipsec

Hi all,

I set up 2 networks connected with a gif tunnel.

network1(172.16.0.0/24)<->server1(172.16.0.254)<-gif->server2(10.0.0.254)<->network2(10.0.0.0/24)

Servers are running FreeBSD 9.0-RELEASE. If I only set up an ipip tunnel without IPSEC, the traceroute works correctly.

Proper result of traceroute from network 1 to network 2:

    1    <1 ms    <1 ms    <1 ms  172.16.0.254
    2   100 ms   100 ms   100 ms  10.0.0.254
    3   100 ms   100 ms   100 ms  10.0.0.1

If I enable IPSEC for the gif tunnel, the traceroute result is:

    1    <1 ms    <1 ms    <1 ms  172.16.0.254
    2     *        *        *     Request timed out.
    3   100 ms   100 ms   100 ms  10.0.0.1

I also tried IPSEC transport and tunnel mode, but no help.

Here is ipsec.conf:

    spdflush;
    spdadd 172.16.0.254/32 10.0.0.254/32 ipencap -P out ipsec esp/transport//require;
    spdadd 10.0.0.254/32 172.16.0.254/32 ipencap -P in ipsec esp/transport//require;
    flush;
    add 172.16.0.254 10.0.0.254 esp 10001 -E blowfish-cbc "123456";
    add 10.0.0.254 172.16.0.254 esp 10002 -E blowfish-cbc "123456";

It also affects my 6in4 tunnel; traceroute6 does not work either.

Any solution for this?