From owner-freebsd-net@FreeBSD.ORG Fri Feb 7 18:26:44 2014
Message-ID: <1391797602.26050.2.camel@fr-wks3.corp.novso.com>
Subject: Re: IPsec filtertunnel broken on FreeBSD 10
From: Nicolas DEFFAYET
To: Mike Tancsa
Cc: freebsd-net@freebsd.org, "Andrey V. Elsukov"
Date: Fri, 07 Feb 2014 19:26:42 +0100
In-Reply-To: <52F4F24A.5000202@sentex.net>
References: <1391725273.22934.16.camel@fr-wks3.corp.novso.com> <52F4C41B.3030101@yandex.ru> <1391777078.27201.2.camel@srv31.corp.novso.com> <1391780440.28112.2.camel@srv31.corp.novso.com> <52F4F24A.5000202@sentex.net>
Organization: DEFFAYET.COM
List-Id: Networking and TCP/IP with FreeBSD

On Fri, 2014-02-07 at 09:48 -0500, Mike Tancsa wrote:

Hello Mike,

> On 2/7/2014 8:40 AM, Nicolas DEFFAYET wrote:
> >
> > So the bug _seems_ to be related to ipsec as both ipfw and pf don't see
> > the packet.
>
> If you do a
>
> tcpdump -s0 -nvei enc0
>
> do you see decapsulated ipsec traffic?
Yes:

ICMP ping

18:17:46.694009 (authentic,confidential): SPI 0x0407cfca: (tos 0x0, ttl 25, id 50699, offset 0, flags [none], proto GRE (47), length 108)
    ipwan-remote > ipwan-local: GREv0, Flags [none], proto IPv4 (0x0800), length 88
    (tos 0x0, ttl 64, id 50699, offset 0, flags [none], proto ICMP (1), length 84)
    iptunnel-remote > iptunnel-local: ICMP echo request, id 44530, seq 0, length 64
18:17:46.694074 (authentic,confidential): SPI 0x0ad42248: (tos 0x0, ttl 30, id 55848, offset 0, flags [none], proto GRE (47), length 108, bad cksum 0 (->c314)!)
    ipwan-local > ipwan-remote: GREv0, Flags [none], proto IPv4 (0x0800), length 88
    (tos 0x0, ttl 64, id 55848, offset 0, flags [none], proto ICMP (1), length 84)
    iptunnel-local > iptunnel-remote: ICMP echo reply, id 44530, seq 0, length 64
18:17:46.694087 (authentic,confidential): SPI 0x0ad42248: (tos 0x0, ttl 30, id 55848, offset 0, flags [none], proto GRE (47), length 108, bad cksum 0 (->c314)!)
    ipwan-local > ipwan-remote: GREv0, Flags [none], proto IPv4 (0x0800), length 88
    (tos 0x0, ttl 64, id 55848, offset 0, flags [none], proto ICMP (1), length 84)
    iptunnel-local > iptunnel-remote: ICMP echo reply, id 44530, seq 0, length 64
18:17:47.696307 (authentic,confidential): SPI 0x0407cfca: (tos 0x0, ttl 25, id 50716, offset 0, flags [none], proto GRE (47), length 108)
    ipwan-remote > ipwan-local: GREv0, Flags [none], proto IPv4 (0x0800), length 88
    (tos 0x0, ttl 64, id 50716, offset 0, flags [none], proto ICMP (1), length 84)
    iptunnel-remote > iptunnel-local: ICMP echo request, id 44530, seq 1, length 64
18:17:47.696373 (authentic,confidential): SPI 0x0ad42248: (tos 0x0, ttl 30, id 55859, offset 0, flags [none], proto GRE (47), length 108, bad cksum 0 (->c309)!)
    ipwan-local > ipwan-remote: GREv0, Flags [none], proto IPv4 (0x0800), length 88
    (tos 0x0, ttl 64, id 55859, offset 0, flags [none], proto ICMP (1), length 84)
    iptunnel-local > iptunnel-remote: ICMP echo reply, id 44530, seq 1, length 64
18:17:47.696383 (authentic,confidential): SPI 0x0ad42248: (tos 0x0, ttl 30, id 55859, offset 0, flags [none], proto GRE (47), length 108, bad cksum 0 (->c309)!)
    ipwan-local > ipwan-remote: GREv0, Flags [none], proto IPv4 (0x0800), length 88
    (tos 0x0, ttl 64, id 55859, offset 0, flags [none], proto ICMP (1), length 84)
    iptunnel-local > iptunnel-remote: ICMP echo reply, id 44530, seq 1, length 64

TCP 22

18:20:46.388423 (authentic,confidential): SPI 0x0407cfca: (tos 0x0, ttl 25, id 54835, offset 0, flags [none], proto GRE (47), length 84)
    ipwan-remote > ipwan-local: GREv0, Flags [none], proto IPv4 (0x0800), length 64
    (tos 0x10, ttl 64, id 54835, offset 0, flags [DF], proto TCP (6), length 60)
    iptunnel-remote.11054 > iptunnel-local.22: Flags [S], cksum 0xea60 (correct), seq 1449355022, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 1985194722 ecr 0], length 0
18:20:46.388508 (authentic,confidential): SPI 0x0ad42248: (tos 0x0, ttl 30, id 56146, offset 0, flags [none], proto GRE (47), length 84, bad cksum 0 (->c202)!)
    ipwan-local > ipwan-remote: GREv0, Flags [none], proto IPv4 (0x0800), length 64
    (tos 0x0, ttl 64, id 56146, offset 0, flags [DF], proto TCP (6), length 60)
    iptunnel-local.22 > iptunnel-remote.11054: Flags [S.], cksum 0xfbdf (correct), seq 2705433943, ack 1449355023, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 2909993571 ecr 1985194722], length 0
18:20:46.388562 (authentic,confidential): SPI 0x0ad42248: (tos 0x0, ttl 30, id 56146, offset 0, flags [none], proto GRE (47), length 84, bad cksum 0 (->c202)!)
    ipwan-local > ipwan-remote: GREv0, Flags [none], proto IPv4 (0x0800), length 64
    (tos 0x0, ttl 64, id 56146, offset 0, flags [DF], proto TCP (6), length 60)
    iptunnel-local.22 > iptunnel-remote.11054: Flags [S.], cksum 0xfbdf (correct), seq 2705433943, ack 1449355023, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 2909993571 ecr 1985194722], length 0
18:20:46.396379 (authentic,confidential): SPI 0x0407cfca: (tos 0x0, ttl 25, id 54837, offset 0, flags [none], proto GRE (47), length 76)
    ipwan-remote > ipwan-local: GREv0, Flags [none], proto IPv4 (0x0800), length 56
    (tos 0x10, ttl 64, id 54837, offset 0, flags [DF], proto TCP (6), length 52)
    iptunnel-remote.11054 > iptunnel-local.22: Flags [.], cksum 0x2693 (correct), ack 1, win 1040, options [nop,nop,TS val 1985194730 ecr 2909993571], length 0
18:20:46.428010 (authentic,confidential): SPI 0x0ad42248: (tos 0x0, ttl 30, id 56149, offset 0, flags [none], proto GRE (47), length 110, bad cksum 0 (->c1e5)!)
    ipwan-local > ipwan-remote: GREv0, Flags [none], proto IPv4 (0x0800), length 90
    (tos 0x0, ttl 64, id 56149, offset 0, flags [DF], proto TCP (6), length 86)
    iptunnel-local.22 > iptunnel-remote.11054: Flags [P.], cksum 0xb16d (correct), seq 1:35, ack 1, win 1040, options [nop,nop,TS val 2909993610 ecr 1985194730], length 34
18:20:46.428024 (authentic,confidential): SPI 0x0ad42248: (tos 0x0, ttl 30, id 56149, offset 0, flags [none], proto GRE (47), length 110, bad cksum 0 (->c1e5)!)
    ipwan-local > ipwan-remote: GREv0, Flags [none], proto IPv4 (0x0800), length 90
    (tos 0x0, ttl 64, id 56149, offset 0, flags [DF], proto TCP (6), length 86)
    iptunnel-local.22 > iptunnel-remote.11054: Flags [P.], cksum 0xb16d (correct), seq 1:35, ack 1, win 1040, options [nop,nop,TS val 2909993610 ecr 1985194730], length 34
18:20:46.536017 (authentic,confidential): SPI 0x0407cfca: (tos 0x0, ttl 25, id 54840, offset 0, flags [none], proto GRE (47), length 76)
    ipwan-remote > ipwan-local: GREv0, Flags [none], proto IPv4 (0x0800), length 56
    (tos 0x10, ttl 64, id 54840, offset 0, flags [DF], proto TCP (6), length 52)
    iptunnel-remote.11054 > iptunnel-local.22: Flags [.], cksum 0x25be (correct), ack 35, win 1040, options [nop,nop,TS val 1985194870 ecr 2909993610], length 0

But nothing hit the firewall for the incoming traffic. I have tested both ipfw and pf, as pf has been rewritten in FreeBSD.

Many thanks

-- 
Nicolas DEFFAYET
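As an added example (not part of the mail, nor FreeBSD or tcpdump code): a small Python script that summarises a `tcpdump -s0 -nvei enc0` capture like the one above per SPI and outer direction, so the decapsulated inbound packets can be counted against what ipfw or pf actually logged. The sample records are abbreviated from the capture in the mail, including the outbound reply that appears twice with the same outer IP id and its `bad cksum` note; the `ipwan-*`/`iptunnel-*` names are the placeholders the mail uses.

```python
import re

# Constructed sample: three records abbreviated from the enc0 capture quoted in the mail.
SAMPLE = """\
18:17:46.694009 (authentic,confidential): SPI 0x0407cfca: (tos 0x0, ttl 25, id 50699, offset 0, flags [none], proto GRE (47), length 108)
    ipwan-remote > ipwan-local: GREv0, Flags [none], proto IPv4 (0x0800), length 88
    (tos 0x0, ttl 64, id 50699, offset 0, flags [none], proto ICMP (1), length 84)
    iptunnel-remote > iptunnel-local: ICMP echo request, id 44530, seq 0, length 64
18:17:46.694074 (authentic,confidential): SPI 0x0ad42248: (tos 0x0, ttl 30, id 55848, offset 0, flags [none], proto GRE (47), length 108, bad cksum 0 (->c314)!)
    ipwan-local > ipwan-remote: GREv0, Flags [none], proto IPv4 (0x0800), length 88
    (tos 0x0, ttl 64, id 55848, offset 0, flags [none], proto ICMP (1), length 84)
    iptunnel-local > iptunnel-remote: ICMP echo reply, id 44530, seq 0, length 64
18:17:46.694087 (authentic,confidential): SPI 0x0ad42248: (tos 0x0, ttl 30, id 55848, offset 0, flags [none], proto GRE (47), length 108, bad cksum 0 (->c314)!)
    ipwan-local > ipwan-remote: GREv0, Flags [none], proto IPv4 (0x0800), length 88
    (tos 0x0, ttl 64, id 55848, offset 0, flags [none], proto ICMP (1), length 84)
    iptunnel-local > iptunnel-remote: ICMP echo reply, id 44530, seq 0, length 64
"""

HEAD = re.compile(r'^\S+ \([^)]*\): SPI (0x[0-9a-f]+): \(.*?\bid (\d+),')  # header: SPI and outer IP id
HOSTS = re.compile(r'^\s*(\S+) > (\S+):')  # "src > dst:" on the outer and inner address lines
# "proto GRE (47)" and "proto ICMP (1)" match, "proto IPv4 (0x0800)" does not: last hit = inner protocol.
PROTO = re.compile(r'proto (\w+) \(\d+\)')


def summarise(text):
    """Group enc0 records by (SPI, outer direction); count unique/duplicate records and inner flows."""
    summary, seen = {}, set()
    for rec in re.split(r'\n(?=\S)', text.strip()):  # a record = header line + its indented lines
        lines = rec.splitlines()
        head = HEAD.match(lines[0]) if len(lines) >= 4 else None
        if not head:
            continue  # not a decapsulated IPsec record, or truncated
        spi, outer_id = head.groups()
        osrc, odst = HOSTS.match(lines[1]).groups()
        isrc, idst = HOSTS.match(lines[3]).groups()
        s = summary.setdefault((spi, f'{osrc} > {odst}'),
                               {'unique': 0, 'duplicates': 0, 'bad_cksum': 0, 'inner_flows': set()})
        # enc0 can show the same outbound packet more than once; the outer IP id tells copies apart.
        if (spi, outer_id) in seen:
            s['duplicates'] += 1
        else:
            seen.add((spi, outer_id))
            s['unique'] += 1
        s['bad_cksum'] += int('bad cksum' in lines[0])
        s['inner_flows'].add(f'{PROTO.findall(rec)[-1]} {isrc} > {idst}')
    return summary
```

The `unique` count under the inbound SPI is the number of decapsulated packets that reached enc0 and should therefore show up in the firewall's counters or logs if filtering on the tunnel works.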