Subject: Re: IPsec filtertunnel broken on FreeBSD 10
From: Nicolas DEFFAYET
To: "Andrey V. Elsukov"
Cc: freebsd-net@freebsd.org
Date: Fri, 07 Feb 2014 13:40:40 +0000

On Fri, 2014-02-07 at 12:44 +0000, Nicolas DEFFAYET wrote:

Hello Andrey,

Hum, after a long time (more than 30 secs), I end up seeing the packet exchange on FreeBSD 10-RELEASE:

13:32:46.135752 (authentic,confidential): SPI 0x06bb885e: IP ipwan-remote > ipwan-local: GREv0, length 64: IP iptunnel-remote.20044 > iptunnel-local.22: Flags [S], seq 209981237, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 1966114362 ecr 0], length 0
13:32:46.135852 (authentic,confidential): SPI 0x0ebc5f9b: IP ipwan-local > ipwanremote: GREv0, length 64: IP iptunnel-local.22 > iptunnel-remote.20044: Flags [S.], seq 2240012658, ack 209981238, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 3945107127 ecr 1966114362], length 0

Don't know why it takes so long (I use the -n flag in tcpdump to disable name resolution). So people not seeing the packet exchange on enc0 may be impatient like me.

But the problem is still here, as you can see below:

ipfw:
  00100 allow log logamount 100 ip from any to any via gre3
  => packets not seen by rule 100, as nothing in log and nothing in counters

pf:
  @0 pass log quick on gre3 all flags S/SA keep state
  => packets not seen by rule 0, as nothing in log and nothing in counters

To generate these packets, I use ICMP echo-ping/echo-reply and an SSH client-server (TCP 22).
Of course, I have tested changing gre3 to em0 to make sure that ipfw and pf logging works.

On FreeBSD 10.0-RELEASE:
- packets are visible on enc0 in both directions with default net.enc settings if you are patient
- ipfw doesn't see the incoming packet, as there is no match
- pf doesn't see the incoming packet, as there is no match

On FreeBSD 9.1-RELEASE everything works fine with the same configuration.

Gleb Smirnoff wrote (http://lists.freebsd.org/pipermail/freebsd-stable/2014-January/076903.html):
"nothing has changed in pf in regards to its ipsec handling"

So the bug _seems_ to be related to ipsec, as both ipfw and pf don't see the packet.

Thanks

-- 
Nicolas DEFFAYET
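As an added example (not part of the post, nor FreeBSD's or tcpdump's own code), here is a small Python parser for the `tcpdump -n -i enc0` lines quoted in the message. It pulls out the security flags, SPI, outer (WAN) and inner (tunnel) addresses of each GRE-over-ESP packet, then runs two checks a defender would want when debugging a filtertunnel setup: that every packet was both authenticated and encrypted, and that each traffic direction maps to a single SPI. The sample lines are constructed after the ones in the post (the author's placeholder hostnames are kept); the third line, an ICMP packet marked only "(authentic)", is constructed to show the protection check firing.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Shape of one "tcpdump -n -i enc0" line as quoted in the post:
# <time> (<flags>): SPI <hex>: IP <outer src> > <outer dst>: GREv0, length <n>:
#   IP <inner src> > <inner dst>: <protocol summary>
ENC0_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) "
    r"\((?P<sec>[^)]*)\): SPI (?P<spi>0x[0-9a-fA-F]+): "
    r"IP (?P<osrc>\S+) > (?P<odst>\S+): GREv0, length (?P<glen>\d+): "
    r"IP (?P<isrc>\S+) > (?P<idst>\S+): (?P<rest>.*)$"
)


@dataclass(frozen=True)
class EncPacket:
    ts: str
    authentic: bool        # integrity check passed on the way through IPsec
    confidential: bool     # payload was encrypted (ESP)
    spi: int
    outer_src: str
    outer_dst: str
    inner_src: str
    inner_dst: str
    inner_sport: Optional[int]
    inner_dport: Optional[int]
    tcp_flags: Optional[str]
    summary: str


def _split_port(endpoint: str, has_port: bool) -> Tuple[str, Optional[int]]:
    # tcpdump appends ".<port>" to TCP/UDP endpoints; ICMP lines carry none.
    if not has_port:
        return endpoint, None
    host, sep, port = endpoint.rpartition(".")
    if not sep or not port.isdigit():
        return endpoint, None
    return host, int(port)


def parse_enc0_line(line: str) -> Optional[EncPacket]:
    """Parse one enc0 line; returns None for lines that do not match the layout."""
    m = ENC0_RE.match(line.strip())
    if m is None:
        return None
    sec = {f.strip() for f in m["sec"].split(",") if f.strip()}
    rest = m["rest"]
    has_port = not rest.startswith("ICMP")
    isrc, sport = _split_port(m["isrc"], has_port)
    idst, dport = _split_port(m["idst"], has_port)
    flags = re.search(r"Flags \[([^\]]*)\]", rest)
    return EncPacket(
        ts=m["ts"],
        authentic="authentic" in sec,
        confidential="confidential" in sec,
        spi=int(m["spi"], 16),
        outer_src=m["osrc"], outer_dst=m["odst"],
        inner_src=isrc, inner_dst=idst,
        inner_sport=sport, inner_dport=dport,
        tcp_flags=flags.group(1) if flags else None,
        summary=rest,
    )


def parse_enc0(text: str) -> List[EncPacket]:
    return [p for p in (parse_enc0_line(l) for l in text.splitlines()) if p]


def unprotected(packets: List[EncPacket]) -> List[EncPacket]:
    """Packets that were not both integrity-checked and encrypted."""
    return [p for p in packets if not (p.authentic and p.confidential)]


def spis_by_direction(packets: List[EncPacket]) -> Dict[Tuple[str, str], Set[int]]:
    """Outer (src, dst) -> SPIs seen. One SPI per direction is the normal case;
    several means an SA was renegotiated inside the capture window."""
    out: Dict[Tuple[str, str], Set[int]] = {}
    for p in packets:
        out.setdefault((p.outer_src, p.outer_dst), set()).add(p.spi)
    return out


# Constructed sample, modelled on the two lines in the post plus one
# constructed ICMP line that is only authenticated, not encrypted.
SAMPLE = """\
13:32:46.135752 (authentic,confidential): SPI 0x06bb885e: IP ipwan-remote > ipwan-local: GREv0, length 64: IP iptunnel-remote.20044 > iptunnel-local.22: Flags [S], seq 209981237, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 1966114362 ecr 0], length 0
13:32:46.135852 (authentic,confidential): SPI 0x0ebc5f9b: IP ipwan-local > ipwan-remote: GREv0, length 64: IP iptunnel-local.22 > iptunnel-remote.20044: Flags [S.], seq 2240012658, ack 209981238, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 3945107127 ecr 1966114362], length 0
13:32:50.000100 (authentic): SPI 0x06bb885e: IP ipwan-remote > ipwan-local: GREv0, length 108: IP iptunnel-remote > iptunnel-local: ICMP echo request, id 4242, seq 1, length 64
"""

if __name__ == "__main__":
    pkts = parse_enc0(SAMPLE)
    for p in pkts:
        print(p.ts, hex(p.spi), p.outer_src, "->", p.outer_dst,
              "|", p.inner_src, p.inner_sport, "->", p.inner_dst, p.inner_dport, p.tcp_flags)
    for p in unprotected(pkts):
        print("WARNING: not authenticated+encrypted:", p.ts, hex(p.spi), p.summary)
    for (s, d), spis in spis_by_direction(pkts).items():
        print("direction", s, "->", d, "SPIs", [hex(x) for x in spis])
```

Feed it a real capture with `tcpdump -n -i enc0 > enc0.log` and `parse_enc0(open("enc0.log").read())`; the inner addresses and ports it extracts are what the `via gre3` ipfw rule and the `on gre3` pf rule in the message would have to match after decapsulation, so a packet that appears here but never hits those rules narrows the problem to the post-IPsec path rather than to the filters.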