Date:      Fri, 07 Feb 2014 19:26:42 +0100
From:      Nicolas DEFFAYET <nicolas-ml@deffayet.com>
To:        Mike Tancsa <mike@sentex.net>
Cc:        freebsd-net@freebsd.org, "Andrey V. Elsukov" <bu7cher@yandex.ru>
Subject:   Re: IPsec filtertunnel broken on FreeBSD 10
Message-ID:  <1391797602.26050.2.camel@fr-wks3.corp.novso.com>
In-Reply-To: <52F4F24A.5000202@sentex.net>
References:  <1391725273.22934.16.camel@fr-wks3.corp.novso.com> <52F4C41B.3030101@yandex.ru> <1391777078.27201.2.camel@srv31.corp.novso.com> <1391780440.28112.2.camel@srv31.corp.novso.com> <52F4F24A.5000202@sentex.net>

On Fri, 2014-02-07 at 09:48 -0500, Mike Tancsa wrote:

Hello Mike,

> On 2/7/2014 8:40 AM, Nicolas DEFFAYET wrote:
> >
> >
> > So the bug _seems_ to be related to ipsec as both ipfw and pf don't see
> > the packet.
> 
> 
> If you do a
> tcpdump -s0 -nvei enc0
> 
> do you see decapsulated ipsec traffic?

Yes:

ICMP ping
18:17:46.694009 (authentic,confidential): SPI 0x0407cfca: (tos 0x0, ttl 25, id 50699, offset 0, flags [none], proto GRE (47), length 108)
    ipwan-remote > ipwan-local: GREv0, Flags [none], proto IPv4 (0x0800), length 88
(tos 0x0, ttl 64, id 50699, offset 0, flags [none], proto ICMP (1), length 84)
    iptunnel-remote > iptunnel-local: ICMP echo request, id 44530, seq 0, length 64
18:17:46.694074 (authentic,confidential): SPI 0x0ad42248: (tos 0x0, ttl 30, id 55848, offset 0, flags [none], proto GRE (47), length 108, bad cksum 0 (->c314)!)
    ipwan-local > ipwan-remote: GREv0, Flags [none], proto IPv4 (0x0800), length 88
(tos 0x0, ttl 64, id 55848, offset 0, flags [none], proto ICMP (1), length 84)
    iptunnel-local > iptunnel-remote: ICMP echo reply, id 44530, seq 0, length 64
18:17:46.694087 (authentic,confidential): SPI 0x0ad42248: (tos 0x0, ttl 30, id 55848, offset 0, flags [none], proto GRE (47), length 108, bad cksum 0 (->c314)!)
    ipwan-local > ipwan-remote: GREv0, Flags [none], proto IPv4 (0x0800), length 88
(tos 0x0, ttl 64, id 55848, offset 0, flags [none], proto ICMP (1), length 84)
    iptunnel-local > iptunnel-remote: ICMP echo reply, id 44530, seq 0, length 64
18:17:47.696307 (authentic,confidential): SPI 0x0407cfca: (tos 0x0, ttl 25, id 50716, offset 0, flags [none], proto GRE (47), length 108)
    ipwan-remote > ipwan-local: GREv0, Flags [none], proto IPv4 (0x0800), length 88
(tos 0x0, ttl 64, id 50716, offset 0, flags [none], proto ICMP (1), length 84)
    iptunnel-remote > iptunnel-local: ICMP echo request, id 44530, seq 1, length 64
18:17:47.696373 (authentic,confidential): SPI 0x0ad42248: (tos 0x0, ttl 30, id 55859, offset 0, flags [none], proto GRE (47), length 108, bad cksum 0 (->c309)!)
    ipwan-local > ipwan-remote: GREv0, Flags [none], proto IPv4 (0x0800), length 88
(tos 0x0, ttl 64, id 55859, offset 0, flags [none], proto ICMP (1), length 84)
    iptunnel-local > iptunnel-remote: ICMP echo reply, id 44530, seq 1, length 64
18:17:47.696383 (authentic,confidential): SPI 0x0ad42248: (tos 0x0, ttl 30, id 55859, offset 0, flags [none], proto GRE (47), length 108, bad cksum 0 (->c309)!)
    ipwan-local > ipwan-remote: GREv0, Flags [none], proto IPv4 (0x0800), length 88
(tos 0x0, ttl 64, id 55859, offset 0, flags [none], proto ICMP (1), length 84)
    iptunnel-local > iptunnel-remote: ICMP echo reply, id 44530, seq 1, length 64


TCP 22
18:20:46.388423 (authentic,confidential): SPI 0x0407cfca: (tos 0x0, ttl 25, id 54835, offset 0, flags [none], proto GRE (47), length 84)
    ipwan-remote > ipwan-local: GREv0, Flags [none], proto IPv4 (0x0800), length 64
(tos 0x10, ttl 64, id 54835, offset 0, flags [DF], proto TCP (6), length 60)
    iptunnel-remote.11054 > iptunnel-local.22: Flags [S], cksum 0xea60 (correct), seq 1449355022, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 1985194722 ecr 0], length 0
18:20:46.388508 (authentic,confidential): SPI 0x0ad42248: (tos 0x0, ttl 30, id 56146, offset 0, flags [none], proto GRE (47), length 84, bad cksum 0 (->c202)!)
    ipwan-local > ipwan-remote: GREv0, Flags [none], proto IPv4 (0x0800), length 64
(tos 0x0, ttl 64, id 56146, offset 0, flags [DF], proto TCP (6), length 60)
    iptunnel-local.22 > iptunnel-remote.11054: Flags [S.], cksum 0xfbdf (correct), seq 2705433943, ack 1449355023, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 2909993571 ecr 1985194722], length 0
18:20:46.388562 (authentic,confidential): SPI 0x0ad42248: (tos 0x0, ttl 30, id 56146, offset 0, flags [none], proto GRE (47), length 84, bad cksum 0 (->c202)!)
    ipwan-local > ipwan-remote: GREv0, Flags [none], proto IPv4 (0x0800), length 64
(tos 0x0, ttl 64, id 56146, offset 0, flags [DF], proto TCP (6), length 60)
    iptunnel-local.22 > iptunnel-remote.11054: Flags [S.], cksum 0xfbdf (correct), seq 2705433943, ack 1449355023, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 2909993571 ecr 1985194722], length 0
18:20:46.396379 (authentic,confidential): SPI 0x0407cfca: (tos 0x0, ttl 25, id 54837, offset 0, flags [none], proto GRE (47), length 76)
    ipwan-remote > ipwan-local: GREv0, Flags [none], proto IPv4 (0x0800), length 56
(tos 0x10, ttl 64, id 54837, offset 0, flags [DF], proto TCP (6), length 52)
    iptunnel-remote.11054 > iptunnel-local.22: Flags [.], cksum 0x2693 (correct), ack 1, win 1040, options [nop,nop,TS val 1985194730 ecr 2909993571], length 0
18:20:46.428010 (authentic,confidential): SPI 0x0ad42248: (tos 0x0, ttl 30, id 56149, offset 0, flags [none], proto GRE (47), length 110, bad cksum 0 (->c1e5)!)
    ipwan-local > ipwan-remote: GREv0, Flags [none], proto IPv4 (0x0800), length 90
(tos 0x0, ttl 64, id 56149, offset 0, flags [DF], proto TCP (6), length 86)
    iptunnel-local.22 > iptunnel-remote.11054: Flags [P.], cksum 0xb16d (correct), seq 1:35, ack 1, win 1040, options [nop,nop,TS val 2909993610 ecr 1985194730], length 34
18:20:46.428024 (authentic,confidential): SPI 0x0ad42248: (tos 0x0, ttl 30, id 56149, offset 0, flags [none], proto GRE (47), length 110, bad cksum 0 (->c1e5)!)
    ipwan-local > ipwan-remote: GREv0, Flags [none], proto IPv4 (0x0800), length 90
(tos 0x0, ttl 64, id 56149, offset 0, flags [DF], proto TCP (6), length 86)
    iptunnel-local.22 > iptunnel-remote.11054: Flags [P.], cksum 0xb16d (correct), seq 1:35, ack 1, win 1040, options [nop,nop,TS val 2909993610 ecr 1985194730], length 34
18:20:46.536017 (authentic,confidential): SPI 0x0407cfca: (tos 0x0, ttl 25, id 54840, offset 0, flags [none], proto GRE (47), length 76)
    ipwan-remote > ipwan-local: GREv0, Flags [none], proto IPv4 (0x0800), length 56
(tos 0x10, ttl 64, id 54840, offset 0, flags [DF], proto TCP (6), length 52)
    iptunnel-remote.11054 > iptunnel-local.22: Flags [.], cksum 0x25be (correct), ack 35, win 1040, options [nop,nop,TS val 1985194870 ecr 2909993610], length 0


But nothing hit the firewall for the incoming traffic.

I have tested both ipfw and pf as pf has been rewritten in FreeBSD.


Many thanks

-- 
Nicolas DEFFAYET
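
Added example, not part of the message above and not FreeBSD code: a small Python summarizer for `tcpdump -nve` output taken on enc0, which counts packets per SPI and outer direction so the inbound total can be set against the firewall's rule counters. The names `summarize`, `STAMP` and `OUTER` are this example's own, and the sample is abridged from the capture in the message.

```python
import re

# Sample input: outer-header lines of four records copied from the enc0
# capture quoted above (inner-packet lines left out), wrapped across lines
# the way a mail client or narrow terminal leaves tcpdump output.
SAMPLE = """\
18:17:46.694009 (authentic,confidential): SPI 0x0407cfca: (tos 0x0, ttl
25, id 50699, offset 0, flags [none], proto GRE (47), length 108)
    ipwan-remote > ipwan-local: GREv0, Flags [none], proto IPv4
(0x0800), length 88
18:17:46.694074 (authentic,confidential): SPI 0x0ad42248: (tos 0x0, ttl
30, id 55848, offset 0, flags [none], proto GRE (47), length 108, bad
cksum 0 (->c314)!)
    ipwan-local > ipwan-remote: GREv0, Flags [none], proto IPv4
(0x0800), length 88
18:17:46.694087 (authentic,confidential): SPI 0x0ad42248: (tos 0x0, ttl
30, id 55848, offset 0, flags [none], proto GRE (47), length 108, bad
cksum 0 (->c314)!)
    ipwan-local > ipwan-remote: GREv0, Flags [none], proto IPv4
(0x0800), length 88
18:17:47.696307 (authentic,confidential): SPI 0x0407cfca: (tos 0x0, ttl
25, id 50716, offset 0, flags [none], proto GRE (47), length 108)
    ipwan-remote > ipwan-local: GREv0, Flags [none], proto IPv4
(0x0800), length 88
"""

STAMP = re.compile(r"(?=\d{2}:\d{2}:\d{2}\.\d{6} \()")   # start of each record
OUTER = re.compile(r"SPI (0x[0-9a-f]+): \(.*?\bid (\d+),.*?\) (\S+) > (\S+): ")

def summarize(capture):
    """Per SPI: outer flow, packet count, distinct outer IP ids, repeated ids."""
    flat = " ".join(capture.split())           # undo the line wrapping
    stats = {}
    for record in STAMP.split(flat):
        m = OUTER.search(record)
        if m is None:                          # empty chunk or no ESP outer header
            continue
        spi, ip_id, src, dst = m.groups()
        s = stats.setdefault(spi, {"flow": f"{src} > {dst}", "packets": 0, "ids": set()})
        s["packets"] += 1
        s["ids"].add(int(ip_id))
    for s in stats.values():
        s["repeats"] = s["packets"] - len(s["ids"])   # same outer IP id seen again
    return stats

if __name__ == "__main__":
    for spi, s in summarize(SAMPLE).items():
        print(spi, s["flow"], "packets:", s["packets"], "repeats:", s["repeats"])
```

On this sample the inbound SPI 0x0407cfca carries two distinct packets, while the outbound SPI 0x0ad42248 shows one outer IP id twice, matching the doubled outbound records in the capture.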



