Date:      Wed, 07 Mar 2018 02:57:01 +0000
From:      bugzilla-noreply@freebsd.org
To:        freebsd-bugs@FreeBSD.org
Subject:   [Bug 226411] PF does not properly keep state with GRE in IPSec
Message-ID:  <bug-226411-8@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=226411

            Bug ID: 226411
           Summary: PF does not properly keep state with GRE in IPSec
           Product: Base System
           Version: CURRENT
          Hardware: amd64
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: kern
          Assignee: freebsd-bugs@FreeBSD.org
          Reporter: eric@edombroski.com

It appears pf keeps incorrect state for packets routed via a GRE tunnel secured
via IPSec.  GRE tunnel works correctly without IPSec, but with IPSec (transport
mode) enabled between the hosts and pf enabled, traffic does not flow as
expected.  Traffic between hosts (not going over GRE tunnel) with IPSec appears
to work as expected.

ICMP echo requests / replies and TCP SYN packets make it through, even if
rules are put in place to prevent the traffic.  TCP replies are NOT let
through, even if rules are put in place to allow the traffic.

When showing states with pfctl, it seems that the states are both in one
direction when using IPSec, as opposed to in opposite directions without IPSec.

CORRECT (GRE tunnel w/o IPSEC):
> pfctl -ss | grep 10.6.0.10 | grep 10.1.0.1
gre0 icmp 10.6.0.10:63271 <- 10.1.0.1:63271       0:0
vmx1 icmp 10.1.0.1:63271 -> 10.6.0.10:63271       0:0


BAD (GRE tunnel w/ IPSEC):
> pfctl -ss | grep 10.6.0.10 | grep 10.1.0.1
vmx1 icmp 10.1.0.1:588 -> 10.6.0.10:588       0:0
gre0 icmp 10.6.0.10:588 -> 10.1.0.1:588       0:0


Config:

host1 10.10.10.1 external interface, 10.6.0.1 internal interface
host2 10.10.10.2

host1 (freebsd router)
ifconfig gre0
        tunnel: inet 10.10.10.1 -> 10.10.10.2
        inet 10.1.0.1 --> 10.1.0.2 netmask 0xfffffffc

host2 (freebsd client)
ifconfig gre0
        tunnel: inet 10.10.10.2 -> 10.10.10.1
        inet 10.1.0.2 --> 10.1.0.1 netmask 0xfffffffc

host2:  route add -net 10.6.0.0/23 10.1.0.1

Originally came across this in downstream pfSense based on 11.1-RELEASE-p6, but
I've reproduced this on a 12-CURRENT snapshot, r330034.

-- 
You are receiving this mail because:
You are the assignee for the bug.
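An added check, not part of the bug report, that parses `pfctl -ss` output and flags flows whose state entries on different interfaces all carry the same arrow, which is the symptom the report shows for GRE over IPSec. The sample lines are the report's own pfctl output; the assumed line layout (interface, protocol, endpoint, arrow, endpoint, state) is taken from those lines.

```python
import re
from collections import defaultdict

# pfctl -ss lines copied from the bug report: GRE without IPSec (CORRECT)
# and GRE with IPSec (BAD).
CORRECT = """\
gre0 icmp 10.6.0.10:63271 <- 10.1.0.1:63271       0:0
vmx1 icmp 10.1.0.1:63271 -> 10.6.0.10:63271       0:0
"""
BAD = """\
vmx1 icmp 10.1.0.1:588 -> 10.6.0.10:588       0:0
gre0 icmp 10.6.0.10:588 -> 10.1.0.1:588       0:0
"""

# Assumed layout of a pfctl -ss line, based on the samples above.
STATE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<proto>\S+)\s+(?P<a>\S+)\s+"
    r"(?P<dir>->|<-)\s+(?P<b>\S+)\s+(?P<state>\S+)"
)


def parse_states(text):
    """Parse pfctl -ss output into one dict per state entry."""
    states = []
    for line in text.splitlines():
        m = STATE_RE.match(line.strip())
        if m:
            states.append(m.groupdict())
    return states


def flow_key(s):
    """Canonical key for a flow, identical for both of its state entries
    regardless of which endpoint pf prints first."""
    return (s["proto"],) + tuple(sorted((s["a"], s["b"])))


def find_same_direction_pairs(text):
    """Return flow keys whose entries (on two or more interfaces) all carry
    the same arrow. In the report's working case the router holds one
    inbound and one outbound state for a forwarded flow (opposite arrows);
    two '->' entries reproduce the broken IPSec case."""
    by_flow = defaultdict(list)
    for s in parse_states(text):
        by_flow[flow_key(s)].append(s)
    return [key for key, entries in by_flow.items()
            if len(entries) >= 2 and len({e["dir"] for e in entries}) == 1]
```

Feed it `pfctl -ss` output filtered to the tunnel endpoints, as in the report, to see whether a host exhibits the one-direction state pattern.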
