From: "Eugene M. Zheganin"
To: "freebsd-stable@freebsd.org Mailing FreeBSD-STABLE"
Subject: ipsec/gif(4) tunnel not working: traffic not appearing on the gif(4) interface after deciphering
Date: Tue, 26 Mar 2019 12:26:16 +0500
Message-ID: <30327deb-2d28-90e2-6069-0706f4ea5eee@norma.perm.ru>

Hello,

I have a FreeBSD 11.1 box with 2 public IPs that has two tunnels to another FreeBSD box with 1 public IP. One of these tunnels is working, the other isn't.

Long story short: I have some experience in ipsec tunnel setup, and I supposed that I had configured everything properly. To illustrate this I've loaded if_enc(4) on the 11.1 box, and it does show the traffic for the second gif. Here I ping the target troublesome host (2 public IPs) from the remote (1 public IP), and tcpdump is launched on the receiver:

===Cut===
# tcpdump -npi enc0 host 83.222.68.177
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enc0, link-type ENC (OpenBSD encapsulated IP), capture size 262144 bytes
12:00:58.218256 (authentic): SPI 0x0c00b77c: IP 188.17.155.29 > 83.222.68.177: ESP(spi=0x0ffc906c,seq=0x14c), length 132
12:00:58.218271 (authentic,confidential): SPI 0x0ffc906c: IP 188.17.155.29 > 83.222.68.177: IP 172.16.0.68 > 172.16.0.67: ICMP echo request, id 24591, seq 121, length 64 (ipip-proto-4)
12:00:59.232761 (authentic): SPI 0x0c00b77c: IP 188.17.155.29 > 83.222.68.177: ESP(spi=0x0ffc906c,seq=0x14d), length 132
12:00:59.232773 (authentic,confidential): SPI 0x0ffc906c: IP 188.17.155.29 > 83.222.68.177: IP 172.16.0.68 > 172.16.0.67: ICMP echo request, id 24591, seq 122, length 64 (ipip-proto-4)
^C
12 packets captured
574 packets received by filter
0 packets dropped by kernel
===Cut===

From this output I conclude that the IPSec is working, since the kernel is able to decipher the packets. But for some mysterious reason this traffic isn't showing on the gif(4) (of course I have allowed all the traffic on the enc(4) itself); tcpdump shows nothing. If pinging in the opposite direction, tcpdump shows outgoing packets and enc(4) shows both (the remote replies successfully), but once again there are no incoming packets on the gif(4).

There would be a simple answer if I had just misconfigured addressing on the gif(4), but I see no errors:

===Cut===
# ifconfig gif3
gif3: flags=8051 metric 0 mtu 1400
        description: idk2 <---> alamics
        options=80000
        tunnel inet 83.222.68.177 --> 188.17.155.29
        inet 172.16.0.67 --> 172.16.0.68 netmask 0xffffffff
        nd6 options=29
        groups: gif
===Cut===

Since I don't have identical tunnel IP pairs I don't need net.link.gif.parallel_tunnels (right?), so my final guess - either there's something around having two tunnels to the same destination, or some bug in 11.1.

Any ideas?

Eugene.
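As an added example (not part of Eugene's post), a small POSIX sh/awk check that takes the decrypted (authentic,confidential) lines from tcpdump on enc0 and the ifconfig output of a gif(4) interface, and verifies that the outer and inner addresses of each decrypted ipip packet are the reverse of the gif's tunnel and inet endpoints; the sample inputs are the two outputs quoted above, and the live invocation in the trailing comment is hypothetical.

```shell
#!/bin/sh
# Added example, not from the post: compare decrypted enc0 traffic with a
# gif(4) interface's outer (tunnel) and inner endpoints. Sample inputs are
# the enc0 tcpdump lines and the ifconfig gif3 output quoted above.
DUMP_SAMPLE='12:00:58.218256 (authentic): SPI 0x0c00b77c: IP 188.17.155.29 > 83.222.68.177: ESP(spi=0x0ffc906c,seq=0x14c), length 132
12:00:58.218271 (authentic,confidential): SPI 0x0ffc906c: IP 188.17.155.29 > 83.222.68.177: IP 172.16.0.68 > 172.16.0.67: ICMP echo request, id 24591, seq 121, length 64 (ipip-proto-4)'
GIF_SAMPLE='gif3: flags=8051 metric 0 mtu 1400
        tunnel inet 83.222.68.177 --> 188.17.155.29
        inet 172.16.0.67 --> 172.16.0.68 netmask 0xffffffff'

# Print "outer_local outer_remote inner_local inner_remote" from ifconfig output.
gif_endpoints() {
    printf '%s\n' "$1" | awk '
        $1 == "tunnel" && $2 == "inet" { ol = $3; orm = $5 }
        $1 == "inet"                   { il = $2; irm = $4 }
        END { print ol, orm, il, irm }'
}

# Exit 0 if every decrypted ipip packet is remote->local on both layers,
# 1 on any mismatch, 2 if no decrypted ipip packets were seen at all.
check_decrypted_against_gif() {
    gif_out=$1; dump=$2
    set -- $(gif_endpoints "$gif_out")
    printf '%s\n' "$dump" | awk -v ol="$1" -v orm="$2" -v il="$3" -v irm="$4" '
        /\(authentic,confidential\)/ && /ipip-proto-4/ {
            n = 0
            for (i = 1; i <= NF; i++)        # each "IP src > dst:" header
                if ($i == "IP") { n++; src[n] = $(i + 1); dst[n] = $(i + 3) }
            sub(/:$/, "", dst[1]); sub(/:$/, "", dst[2])
            total++
            if (src[1] != orm || dst[1] != ol || src[2] != irm || dst[2] != il) {
                bad++; print "mismatch: " $0
            }
        }
        END {
            if (total == 0) { print "no decrypted ipip packets seen"; exit 2 }
            if (bad) exit 1
            print total " decrypted packet(s) match the gif endpoints"
        }'
}

# Hypothetical live use on the receiving box:
#   check_decrypted_against_gif "$(ifconfig gif3)" "$(tcpdump -npi enc0 -c 20 host 83.222.68.177)"
check_decrypted_against_gif "$GIF_SAMPLE" "$DUMP_SAMPLE"
```

A clean result here only says the gif's addressing agrees with what IPsec delivers, which is the same conclusion the ifconfig output supports; a mismatch line points at the specific layer (outer or inner) that disagrees.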