From nobody@FreeBSD.org  Tue Mar 25 05:20:00 2008
Return-Path: <nobody@FreeBSD.org>
Message-Id: <200803250519.m2P5JnEQ008257@www.freebsd.org>
Date: Tue, 25 Mar 2008 05:19:49 GMT
From: alexander efimov <alephis@gmail.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: gre over ipsec not
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         122065
>Category:       kern
>Synopsis:       [ipsec] [gre] gre over ipsec not working
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    gnn
>State:          feedback
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Mar 25 05:30:00 UTC 2008
>Closed-Date:    
>Last-Modified:  Sun May 18 05:03:13 UTC 2014
>Originator:     alexander efimov
>Release:        7.0-STABLE
>Organization:
personal
>Environment:
FreeBSD ipsrv 7.0-STABLE FreeBSD 7.0-STABLE #1: Thu Mar 20 16:25:27 NOVT 2008     root@ipsrv:/usr/obj/usr/src/sys/IPSRV  i386
>Description:
Can't establish a PPTP connection from a Windows client to FreeBSD mpd5/poptop
when IPsec transport is enabled. Looks like some blocking of GRE traffic occurs.

Checked the same thing with a Windows 2003/Linux (ipsec-tools/poptop) server - I
can establish a connection.

On FreeBSD, mpd gets messages from the client, but it looks like the client didn't get
responses from the server.

mpd: [L-2] LCP: SendConfigReq #10
>How-To-Repeat:
spdflush;
spdadd 192.168.250.0/24 192.168.250.0/24 any -P out ipsec esp/transport//require;
spdadd 192.168.250.0/24 192.168.250.0/24 any -P in ipsec esp/transport//require;

mpd51 default sample config with load pptp_server and corresponding changes in network address


>Fix:


>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->freebsd-net 
Responsible-Changed-By: remko 
Responsible-Changed-When: Tue Mar 25 19:44:03 UTC 2008 
Responsible-Changed-Why:  
Over to networking team 

http://www.freebsd.org/cgi/query-pr.cgi?pr=122065 
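
What the two spdadd policies under How-To-Repeat select, as an added example (not part of the PR and not FreeBSD code): a minimal parser for the subset of setkey(8) syntax used in the report plus a simplified first-match lookup, showing that the `any` upper-layer selector covers both the PPTP control channel (TCP) and the GRE data channel between hosts in the /24. The host addresses and the "no match means no IPsec" default are assumptions.

```python
import ipaddress
import re

# The two policies from the report's How-To-Repeat, in setkey(8) syntax.
SPD_CONF = """
spdadd 192.168.250.0/24 192.168.250.0/24 any -P out ipsec esp/transport//require;
spdadd 192.168.250.0/24 192.168.250.0/24 any -P in ipsec esp/transport//require;
"""

# IP protocol numbers relevant to PPTP: control is TCP (port 1723), data is GRE.
PROTO = {"tcp": 6, "udp": 17, "gre": 47, "esp": 50}

SPDADD = re.compile(
    r"spdadd\s+(\S+)\s+(\S+)\s+(\S+)\s+-P\s+(in|out)\s+"
    r"(?:(none|discard)|ipsec\s+(\w+)/(\w+)/([^/]*)/(\w+))\s*;")

def parse_spd(text):
    """Parse spdadd lines (only the subset of syntax the report uses)."""
    rules = []
    for m in SPDADD.finditer(text):
        src, dst, upper, direction, simple, proto, mode, _ends, level = m.groups()
        rules.append({
            "src": ipaddress.ip_network(src),
            "dst": ipaddress.ip_network(dst),
            "upper": upper,
            "dir": direction,
            "action": simple or f"{proto}/{mode}/{level}",
        })
    return rules

def lookup(rules, direction, src, dst, proto):
    """Return the action of the first policy whose selector matches the packet."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r["dir"] != direction or s not in r["src"] or d not in r["dst"]:
            continue
        if r["upper"] in ("any", str(proto)) or PROTO.get(r["upper"]) == proto:
            return r["action"]
    return "none"  # assumption: no matching policy means no IPsec processing

if __name__ == "__main__":
    rules = parse_spd(SPD_CONF)
    # Constructed host addresses inside and outside the report's /24.
    for name, proto in (("pptp control (tcp)", 6), ("pptp data (gre)", 47)):
        print(name, lookup(rules, "out", "192.168.250.1", "192.168.250.20", proto))
    print("off-subnet gre", lookup(rules, "out", "192.168.250.1", "10.0.0.5", 47))
```

Under these policies GRE between two hosts in the /24 is carried inside ESP on the wire; enc(4), mentioned in the follow-ups, is the interface where the packet is visible without the ESP wrapper.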

From: "Bjoern A. Zeeb" <bz@FreeBSD.org>
To: bug-followup@FreeBSD.org, alephis@gmail.com
Cc:  
Subject: Re: kern/122065: [gre] gre over ipsec not working
Date: Tue, 25 Mar 2008 20:45:18 +0000 (UTC)

 Hi,
 
 the report is not too specific. Could you provide more details like
 - policies on Windows
 - confirm with tcpdump that no packets are going out on the real
    interface?
 - can you still see the packets on enc0?
 - any possible firewall setups?
 - ...
 
 In case you do not want to share all that in public you can mail me
 directly, though with "private IPs" this shouldn't be a problem.
 
 -- 
 Bjoern A. Zeeb                                 bzeeb at Zabbadoz dot NeT
 Software is harder than hardware  so better get it right the first time.

From: "Alexander Efimov" <alephis@gmail.com>
To: bug-followup@FreeBSD.org, alephis@gmail.com
Cc:  
Subject: Re: kern/122065: [gre] gre over ipsec not working
Date: Thu, 27 Mar 2008 12:17:43 +0600

 - policies on Windows
 
 the same, to require ipsec on 192.168.250.0/24 in both directions
 connection type: all network connections
 with "accept unsecured communication, but always respond using ipsec" turned
 off
 certificate type of authentication
 
 - confirm with tcpdump that no packets are going out on the real
 interface?
 
 I've got only esp packets, currently can't make tcpdump work with -E
 
 - can you still see the packets on enc0?
 not sure I understand what you mean.
 
 - any possible firewall setups?
 no, server and host currently reside in the same LAN
 
State-Changed-From-To: open->feedback 
State-Changed-By: bz 
State-Changed-When: Sun Mar 30 09:46:04 UTC 2008 
State-Changed-Why:  
I am exchanging mails with the submitter to narrow down the problem. 


Responsible-Changed-From-To: freebsd-net->bz 
Responsible-Changed-By: bz 
Responsible-Changed-When: Sun Mar 30 09:46:04 UTC 2008 
Responsible-Changed-Why:  
I am exchanging mails with the submitter to narrow down the problem. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=122065 

From: "Bjoern A. Zeeb" <bz@FreeBSD.org>
To: Alexander Efimov <alephis@gmail.com>
Cc: Alexander Motin <mav@FreeBSD.org>, bug-followup@FreeBSD.org
Subject: Re: kern/122065: [gre] gre over ipsec not working
Date: Mon, 31 Mar 2008 13:23:55 +0000 (UTC)

 On Mon, 31 Mar 2008, Alexander Efimov wrote:
 
 Hi,
 
 > here goes mpd log, ...
 >
 > also I've previously contacted Alexander
 > Motin
 
 I Cc:ed him again as well as Gnats as from here on no more private
 data should be involved and we should document the findings.
 
 > his opinion was no packet came from client
 
 Well, yes, that is what your mpd log shows.
 
 Your tcpdump showed that you are receiving a Config-Reject from
 Windows. As you can see it in enc(4), it should have passed IPsec
 already.
 
 So the question is "where is it lost"?
 
 Oh wait... hmmm.
 
 ng_pptpgre does not participate in the encap_attach dance - how would
 it? I wonder how the packets go into the ksocket and to ng_pptpgre and
 where they are going through ip_input or the like?
 
 I'll be away for two days but can check this (or review patches in
 case Mav comes up with something) once I am back.
 
 /bz
 
 -- 
 Bjoern A. Zeeb                                 bzeeb at Zabbadoz dot NeT
 Software is harder than hardware  so better get it right the first time.

From: Sergey Svishchev <svs@ropnet.ru>
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/122065
Date: Wed, 29 Apr 2009 10:21:41 +0400

 Could be a dup of kern/65616 ("IPSEC can't detunnel GRE packets after real ESP 
 encryption".)
 
 -- 
 Sergey Svishchev
Responsible-Changed-From-To: bz->gnn 
Responsible-Changed-By: bz 
Responsible-Changed-When: Sun May 18 05:02:51 UTC 2014 
Responsible-Changed-Why:  
I shall not use bugzilla (at least until we will have a CLI). 

http://www.freebsd.org/cgi/query-pr.cgi?pr=122065 
>Unformatted:
