From owner-freebsd-stable Tue Nov 19 11:42:16 2002 Delivered-To: freebsd-stable@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 5AA0837B413 for ; Tue, 19 Nov 2002 11:42:11 -0800 (PST) Received: from gvr.gvr.org (gvr.gvr.org [212.61.40.17]) by mx1.FreeBSD.org (Postfix) with ESMTP id 0997943E6E for ; Tue, 19 Nov 2002 11:41:52 -0800 (PST) (envelope-from guido@gvr.org) Received: by gvr.gvr.org (Postfix, from userid 657) id 8E1B1296; Tue, 19 Nov 2002 20:41:50 +0100 (CET) Date: Tue, 19 Nov 2002 20:41:50 +0100 From: Guido van Rooij To: Archie Cobbs Cc: David Kelly , Scott Ullrich , "'greg.panula@dolaninformation.com'" , FreeBSD-stable@FreeBSD.ORG Subject: Re: IPsec/gif VPN tunnel packets on wrong NIC in ipfw? SOLUTION AND QUESTIONS Message-ID: <20021119194150.GA43806@gvr.gvr.org> References: <20021119150826.GA42097@gvr.gvr.org> <200211191856.gAJIuPf6056699@arch20m.dellroad.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <200211191856.gAJIuPf6056699@arch20m.dellroad.org> Sender: owner-freebsd-stable@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG On Tue, Nov 19, 2002 at 10:56:25AM -0800, Archie Cobbs wrote: > Guido van Rooij wrote: > > > The problem is that while ESP packets arrive to be processed by > > > IPsec just fine thru my ipfw rules, when the packets are de-encrypted > > > and re-inserted into the kernel they appear to ipfw to be coming from > > > my external interface (the one they arrived on via ESP). tcpdump can't > > > find them (decrypted) on the external interface. > > I think the bug is that in esp4_input() the "detunneled" packet > is placed back onto the IP input queue 'ipintrq' without the > 'm->m_pkthdr.rcvif' being updated to point to the gif interface. There is no gif interface in that case. Argh. In the ESP tunnel case, the packet is decrypted and the payload is placed on the ipintrq indeed. The problem here is that there is a de-tunneled packet that has no new interface associated. What a mess :-( I now understand why having a dedicated interface for these packets is coming from. A quick work around for people is to use a gif device and have a transport policy for the tunnel endpoints. Then filter ESP on the physical interface and filter on content on the gif interface. (or allow anything in to remain compatible with the ol (IMHO broken) behaviour). So suppose you had the following policy: esp/tunnel/192.168.100.2-192.168.100.1/require then: 1) change that to esp/transport/192.168.100.2-192.168.100.1/require 2) add a gif device on 192.168.100.2 with: gifconfig gif0 create gifconfig 192.168.100.2 192.168.100.1 ifconfig gif0 10.0.0.1 10.0.0.2 3) add a gif device on 192.168.100.1 with: gifconfig gif0 create gifconfig 192.168.100.1 192.168.100.2 ifconfig gif0 10.0.0.2 10.0.0.1 A real solution would be to introduce a new device, esp0 or something to which all ESP decapsulations are send _from tunnel SA's only_. This esp0 would do nothing more then set the rcvif field in the mbuf and put the packet on ipintrq. The old behaviour with ipsec history is wrong and was a hack to get around the problems you people are seeing right now. Comments welcome -Guido To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-stable" in the body of the message