From owner-freebsd-net Mon May 22 15:15:22 2000
Delivered-To: freebsd-net@freebsd.org
Received: from guppy.evolunet.com (guppy.evolunet.com [195.154.101.161])
	by hub.freebsd.org (Postfix) with ESMTP id BFA2E37B547
	for ; Mon, 22 May 2000 15:15:17 -0700 (PDT)
	(envelope-from renaud@guppy.evolunet.com)
Received: (from renaud@localhost)
	by guppy.evolunet.com (8.8.7/8.8.7) id AAA26890
	for freebsd-net@freebsd.org; Tue, 23 May 2000 00:15:30 +0200 (CEST)
	(envelope-from renaud)
From: Renaud Waldura
Message-Id: <200005222215.AAA26890@guppy.evolunet.com>
Subject: PPP dropping IPSec packets?
To: freebsd-net@freebsd.org
Date: Tue, 23 May 100 00:15:29 +0200 (CEST)
Reply-To: renaud@evolunet.com (Renaud Waldura)
X-Mailer: ELM [version 2.4ME+ PL32 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Keywords: PPP PPPoE IPSec pipsecd tunnel

I'm having a problem with PPP (userland PPP) apparently dropping IPSec
packets. I'm using PPP for PPPoE (DSL connection) with a tunnel
interface tun0. That tun0 is bound to my ethernet interface eth0, and
sends packets back and forth to the telco router.

	---> tun0 ---> eth0 ---> telco ---> IP
	<--- tun0 <--- eth0 <--- telco <--- IP

All is neat, it's working great. For info:

$ ifconfig tun0
tun0: flags=8151 mtu 1492
        inet 63.203.70.250 --> 63.203.71.254 netmask 0xff000000
        Opened by PID 70

Now I want to set up an encrypted tunnel using pipsecd between my
machine and a remote site. Pipsecd creates an interface tun1 that is
ifconfig'ed with the right parameters, shared by the two sites.

$ ifconfig tun1
tun1: flags=8151 mtu 1440
        inet 192.168.255.14 --> 192.168.255.13 netmask 0xfffffffc
        Opened by PID 164

I try to ping the remote end of the encrypted link, but the packets
never make it back to me. They do flow from tun1 to tun0 to eth0 to the
telco router to ... to the remote site, _which_replies_ to my ICMP
echo, but for some reason PPP drops the IPSec packets: they never come
back up to either tun0 (tunnel interface opened by ppp) or tun1 (tunnel
opened by pipsecd). But they *do* make it back to the Ethernet
interface; they're just not transmitted back to the tunnel tun0.

Included below are two tcpdumps that clearly show the problem. My local
machine is 63.203.70.250, the remote site at the end of the encrypted
link is 24.201.61.127.

I ping the remote end of the encrypted link:

$ ping 192.168.255.13

and I see:

# tcpdump -i eth0 -n
13:29:26.793274 PPPoE [ses 0x2f6] 63.203.70.250 > 24.201.61.127: ESP(spi=1001,seq=0x80)
13:29:26.933926 PPPoE [ses 0x2f6] 24.201.61.127 > 63.203.70.250: ESP(spi=1001,seq=0x9c9)
13:29:27.802402 PPPoE [ses 0x2f6] 63.203.70.250 > 24.201.61.127: ESP(spi=1001,seq=0x81)
13:29:27.923656 PPPoE [ses 0x2f6] 24.201.61.127 > 63.203.70.250: ESP(spi=1001,seq=0x9ca)
^C
4 packets received by filter
0 packets dropped by kernel

# tcpdump -i tun0 -n
13:29:26.792053 63.203.70.250 > 24.201.61.127: ESP(spi=1001,seq=0x80)
13:29:27.801794 63.203.70.250 > 24.201.61.127: ESP(spi=1001,seq=0x81)
^C
2 packets received by filter
0 packets dropped by kernel

I _did_ run the same tcpdumps at the remote site; they show the packets
coming in and out. To me it looks like packets are lost at my local
machine, by either the PPP code, the PPPoE code, or something else.

To summarize, this is what happens:

	---> tun1 ---> tun0 ---> rl0 ---> telco ----> remote site

but:

	remote site ---> telco ---> rl0 -/***/-> tun0 ---> tun1 --->

I'm not familiar with the new Netgraph stuff, could it be involved in
what's happening? (ppp relies on ng_pppoe for doing PPPoE).

Thanks a lot for any ideas on how to solve this problem,

--
-- Renaud Waldura (temporarily renaud@evolunet.com)
-- The Netsurfers' Organization
-- 610 Clipper St. #19, San Francisco CA 94114, USA
-- +1 415 642-5364
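Added example, not part of the message above and not code from ppp, ng_pppoe or pipsecd: a small Python script that does mechanically what the post does by eye. It parses the ESP lines of the eth0 (PPPoE-framed) and tun0 captures, correlates packets by (src, dst, SPI, sequence number), and lists the ones that reached the Ethernet side but never showed up on the tunnel interface, split into inbound and outbound so the asymmetry is explicit. It also reports ESP sequence-number gaps per SPI, the check worth doing before blaming the PPP/PPPoE path: a gap already visible on eth0 would mean the loss is upstream of this host. The capture lines are copied verbatim from the post; the local address 63.203.70.250 and the interface roles are taken from it as well; the function names are this example's own.

```python
import re

# Capture excerpts copied verbatim from the post above.
# eth0 carries the PPPoE frames; tun0 is the PPP payload that userland ppp hands to the kernel.
ETH0_CAPTURE = """\
13:29:26.793274 PPPoE [ses 0x2f6] 63.203.70.250 > 24.201.61.127: ESP(spi=1001,seq=0x80)
13:29:26.933926 PPPoE [ses 0x2f6] 24.201.61.127 > 63.203.70.250: ESP(spi=1001,seq=0x9c9)
13:29:27.802402 PPPoE [ses 0x2f6] 63.203.70.250 > 24.201.61.127: ESP(spi=1001,seq=0x81)
13:29:27.923656 PPPoE [ses 0x2f6] 24.201.61.127 > 63.203.70.250: ESP(spi=1001,seq=0x9ca)
"""

TUN0_CAPTURE = """\
13:29:26.792053 63.203.70.250 > 24.201.61.127: ESP(spi=1001,seq=0x80)
13:29:27.801794 63.203.70.250 > 24.201.61.127: ESP(spi=1001,seq=0x81)
"""

LOCAL_IP = "63.203.70.250"   # taken from the post

# Matches tcpdump ESP summary lines, with or without the PPPoE session prefix.
# SPI and seq are accepted in decimal or 0x-hex, as different tcpdump versions print them.
ESP_LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?:PPPoE \[ses (?P<ses>0x[0-9a-fA-F]+)\]\s+)?"
    r"(?P<src>\d+\.\d+\.\d+\.\d+) > (?P<dst>\d+\.\d+\.\d+\.\d+): "
    r"ESP\(spi=(?P<spi>0x[0-9a-fA-F]+|\d+),seq=(?P<seq>0x[0-9a-fA-F]+|\d+)\)"
)


def parse_esp(capture):
    """Map (src, dst, spi, seq) -> timestamp for every ESP line, in capture order.
    Non-ESP lines (the ^C and packet-count trailer) are ignored."""
    seen = {}
    for line in capture.splitlines():
        m = ESP_LINE.match(line.strip())
        if not m:
            continue
        key = (m["src"], m["dst"], int(m["spi"], 0), int(m["seq"], 0))
        seen[key] = m["ts"]
    return seen


def compare(outer, inner, local_ip):
    """Classify ESP packets seen on the outer (Ethernet/PPPoE) capture against the
    inner (tunnel) capture. Returns (inbound_missing, outbound_missing): packets that
    were on the wire but never appeared on the tunnel interface, by direction."""
    outer_keys = parse_esp(outer)
    inner_keys = parse_esp(inner)
    missing = [k for k in outer_keys if k not in inner_keys]
    inbound_missing = [k for k in missing if k[1] == local_ip]
    outbound_missing = [k for k in missing if k[0] == local_ip]
    return inbound_missing, outbound_missing


def seq_gaps(capture):
    """Report ESP sequence-number gaps per (src, dst, spi) flow, in order of appearance.
    Each entry is (flow, last_seq, seq). A gap on the outer interface means the loss
    happened before the packet reached this host, not in the PPP/PPPoE path."""
    last = {}
    gaps = []
    for (src, dst, spi, seq) in parse_esp(capture):
        flow = (src, dst, spi)
        if flow in last and seq != last[flow] + 1:
            gaps.append((flow, last[flow], seq))
        last[flow] = seq
    return gaps


def report(outer, inner, local_ip):
    """Human-readable summary of the two checks above."""
    inbound, outbound = compare(outer, inner, local_ip)
    lines = []
    for src, dst, spi, seq in inbound:
        lines.append(f"inbound  {src} > {dst} spi={spi} seq={seq:#x}: on eth0, never on tun0")
    for src, dst, spi, seq in outbound:
        lines.append(f"outbound {src} > {dst} spi={spi} seq={seq:#x}: on eth0, never on tun0")
    for flow, prev, cur in seq_gaps(outer):
        lines.append(f"gap on outer interface {flow}: seq {prev:#x} -> {cur:#x}")
    return "\n".join(lines) if lines else "no discrepancies"


if __name__ == "__main__":
    print(report(ETH0_CAPTURE, TUN0_CAPTURE, LOCAL_IP))
```

On the post's captures the script reports exactly the two inbound replies (seq 0x9c9 and 0x9ca) as present on eth0 and absent on tun0, no outbound loss, and no sequence gaps on eth0, which is the same conclusion the post reaches: the remote side's ESP replies are delivered to the Ethernet interface and then lost somewhere between it and tun0. Feed it `tcpdump -n` output from any interface pair to get the same triage elsewhere.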