Date: Wed, 07 Mar 2018 02:57:01 +0000
From: bugzilla-noreply@freebsd.org
To: freebsd-bugs@FreeBSD.org
Subject: [Bug 226411] PF does not properly keep state with GRE in IPSec
Message-ID: <bug-226411-8@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=226411

            Bug ID: 226411
           Summary: PF does not properly keep state with GRE in IPSec
           Product: Base System
           Version: CURRENT
          Hardware: amd64
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: kern
          Assignee: freebsd-bugs@FreeBSD.org
          Reporter: eric@edombroski.com

It appears pf keeps incorrect state for packets routed via a GRE tunnel secured via IPSec. The GRE tunnel works correctly without IPSec, but with IPSec (transport mode) enabled between the hosts and pf enabled, traffic does not flow as expected. Traffic between the hosts (not going over the GRE tunnel) with IPSec appears to work as expected.

ICMP echo requests / replies and TCP SYN packets make it through, even if rules are put in place to prevent the traffic. TCP replies are NOT let through, even if rules are put in place to allow the traffic.

When showing states with pfctl, it seems that the states are both in one direction when using IPSec, as opposed to in opposite directions without IPSec.

CORRECT (GRE tunnel w/o IPSEC):

> pfctl -ss | grep 10.6.0.10 | grep 10.1.0.1
gre0 icmp 10.6.0.10:63271 <- 10.1.0.1:63271       0:0
vmx1 icmp 10.1.0.1:63271 -> 10.6.0.10:63271       0:0

BAD (GRE tunnel w/ IPSEC):

> pfctl -ss | grep 10.6.0.10 | grep 10.1.0.1
vmx1 icmp 10.1.0.1:588 -> 10.6.0.10:588       0:0
gre0 icmp 10.6.0.10:588 -> 10.1.0.1:588       0:0

Config:

host1: 10.10.10.1 external interface, 10.6.0.1 internal interface
host2: 10.10.10.2

host1 (freebsd router) ifconfig gre0:
        tunnel inet 10.10.10.1 --> 10.10.10.2
        inet 10.1.0.1 --> 10.1.0.2 netmask 0xfffffffc

host2 (freebsd client) ifconfig gre0:
        tunnel inet 10.10.10.2 --> 10.10.10.1
        inet 10.1.0.2 --> 10.1.0.1 netmask 0xfffffffc

host2: route add -net 10.6.0.0/23 10.1.0.1

I originally came across this in downstream pfSense based on 11.1-RELEASE-p6, but I've reproduced it on a 12-CURRENT snapshot, r330034.

-- 
You are receiving this mail because:
You are the assignee for the bug.
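The following Python script is an added example, not part of the bug report above and not a FreeBSD or pfSense tool. It turns the reporter's observation ("the states are both in one direction") into a repeatable check: it parses `pfctl -ss` output, groups states by protocol and endpoint pair regardless of direction, and flags any flow whose states on more than one interface all carry the same arrow. A forwarded flow should normally show one inbound (`<-`) state on the ingress interface and one outbound (`->`) state on the egress interface. The embedded sample lines are the two excerpts quoted in the report; the parser assumes the plain `iface proto addr:port <arrow> addr:port state` layout with no NAT annotation in parentheses, so lines in other forms are skipped.

```python
"""Flag pf state pairs for one flow that share a direction.

Added example for the GRE-over-IPsec pf state report; the line layout
assumed below is the plain `pfctl -ss` form without NAT annotations.
"""
import re
import sys
from collections import defaultdict

# Constructed samples: the two `pfctl -ss` excerpts quoted in the bug report.
GOOD_SAMPLE = """\
gre0 icmp 10.6.0.10:63271 <- 10.1.0.1:63271       0:0
vmx1 icmp 10.1.0.1:63271 -> 10.6.0.10:63271       0:0
"""
BAD_SAMPLE = """\
vmx1 icmp 10.1.0.1:588 -> 10.6.0.10:588       0:0
gre0 icmp 10.6.0.10:588 -> 10.1.0.1:588       0:0
"""

# One state line: interface, protocol, left endpoint, arrow, right endpoint,
# then the state description (e.g. "0:0" or "ESTABLISHED:ESTABLISHED").
STATE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<proto>\S+)\s+(?P<left>\S+)\s+"
    r"(?P<arrow><-|->)\s+(?P<right>\S+)\s+(?P<state>\S+)\s*$"
)


def parse_state(line):
    """Parse one `pfctl -ss` line into a dict, or None if it does not match."""
    match = STATE_RE.match(line.strip())
    return match.groupdict() if match else None


def flow_key(state):
    """Direction-agnostic key so both halves of a forwarded flow collide."""
    endpoints = tuple(sorted((state["left"], state["right"])))
    return (state["proto"],) + endpoints


def group_flows(lines):
    """Map each flow key to the list of states pf holds for it."""
    flows = defaultdict(list)
    for line in lines:
        state = parse_state(line)
        if state is not None:
            flows[flow_key(state)].append(state)
    return flows


def find_one_directional_flows(lines):
    """Return sorted flow keys whose states span several interfaces but
    all carry the same arrow, the symptom described in the report."""
    suspicious = []
    for key, states in group_flows(lines).items():
        interfaces = {s["iface"] for s in states}
        arrows = {s["arrow"] for s in states}
        if len(interfaces) > 1 and len(arrows) == 1:
            suspicious.append(key)
    return sorted(suspicious)


def report(lines):
    """Human-readable summary, one line per suspicious flow."""
    out = []
    for proto, a, b in find_one_directional_flows(lines):
        out.append(f"same-direction states for {proto} {a} <-> {b}")
    return out


if __name__ == "__main__":
    # Usage on a live box: pfctl -ss | python3 pf_state_check.py
    # With no piped input, run the constructed samples instead.
    text = sys.stdin.read() if not sys.stdin.isatty() else BAD_SAMPLE
    for line in report(text.splitlines()) or ["no same-direction state pairs found"]:
        print(line)
```

The check only looks at arrows, not at which endpoint pf prints first, because that is exactly the distinction the report draws: in the working case the gre0 and vmx1 states carry opposite arrows, in the failing case both carry `->`. A flow that legitimately has states on only one interface, or an unparsed line (for example one with a NAT annotation), never triggers the check.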
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-226411-8>
