From nobody@FreeBSD.org  Sat Feb  6 00:25:15 2010
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id B0F9A1065670
	for <freebsd-gnats-submit@FreeBSD.org>; Sat,  6 Feb 2010 00:25:15 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (www.freebsd.org [IPv6:2001:4f8:fff6::21])
	by mx1.freebsd.org (Postfix) with ESMTP id 86DA18FC1C
	for <freebsd-gnats-submit@FreeBSD.org>; Sat,  6 Feb 2010 00:25:15 +0000 (UTC)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.14.3/8.14.3) with ESMTP id o160PEnc003825
	for <freebsd-gnats-submit@FreeBSD.org>; Sat, 6 Feb 2010 00:25:14 GMT
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.14.3/8.14.3/Submit) id o160PEda003824;
	Sat, 6 Feb 2010 00:25:14 GMT
	(envelope-from nobody)
Message-Id: <201002060025.o160PEda003824@www.freebsd.org>
Date: Sat, 6 Feb 2010 00:25:14 GMT
From: Vadim Fedorenko <junk@fromru.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: When using IPSec, tcpdump doesn't show outgoing packets on gif interface
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         143593
>Category:       kern
>Synopsis:       [ipsec] When using IPSec, tcpdump doesn't show outgoing packets on gif interface
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    ae
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Feb 06 00:30:06 UTC 2010
>Closed-Date:    
>Last-Modified:  Fri Apr 04 09:50:01 UTC 2014
>Originator:     Vadim Fedorenko
>Release:        7.2-STABLE
>Organization:
>Environment:
FreeBSD hostname 7.2-STABLE FreeBSD 7.2-STABLE #1: Sat Jan 16 14:11:41 MSK 2010     junk@hostname:/usr/obj/usr/src/sys/PFKERNEL  i386
>Description:
I'm using ipsec tunnels between 2 hosts. 
The first one (Host1) is running 7.2-STABLE and the second one (Host2) 6.2-RELEASE.
The network topology:
Host1: public A.A.A.A private 192.168.1.114 net 192.168.1.0/24
Host2: public B.B.B.B private 192.168.4.254 net 192.168.4.0/24

The tunnel configuration for Host1:
gif0 tunnel A.A.A.A B.B.B.B 
     inet 192.168.1.114 192.168.4.254 netmask 255.255.255.255
ipsec.conf:
spdadd 192.168.1.0/24 192.168.4.0/24 any -P out ipsec esp/tunnel/A.A.A.A-B.B.B.B/require;
spdadd 192.168.4.0/24 192.168.1.0/24 any -P in ipsec esp/tunnel/B.B.B.B-A.A.A.A/require;

The tunnel configuration for Host2:
gif0 tunnel B.B.B.B A.A.A.A
     inet 192.168.4.254 192.168.1.114 netmask 255.255.255.255
ipsec.conf:
spdadd 192.168.4.0/24 192.168.1.0/24 any -P out ipsec esp/tunnel/B.B.B.B-A.A.A.A/require;
spdadd 192.168.1.0/24 192.168.4.0/24 any -P in ipsec esp/tunnel/A.A.A.A-B.B.B.B/require;

Pinging 192.168.1.114 from 192.168.4.254 is successful:
[root@Host2 /etc]# ping 192.168.1.114
PING 192.168.1.114 (192.168.1.114): 56 data bytes
64 bytes from 192.168.1.114: icmp_seq=0 ttl=64 time=19.257 ms
64 bytes from 192.168.1.114: icmp_seq=1 ttl=64 time=19.443 ms
64 bytes from 192.168.1.114: icmp_seq=2 ttl=64 time=19.709 ms

but tcpdump on Host1 doesn't show outgoing packets on gif0:
[root@Host1 /etc]# tcpdump -ni gif0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on gif0, link-type NULL (BSD loopback), capture size 96 bytes
03:16:49.915662 IP 192.168.4.254 > 192.168.1.114: ICMP echo request, id 61598, seq 0, length 64
03:16:50.916994 IP 192.168.4.254 > 192.168.1.114: ICMP echo request, id 61598, seq 1, length 64
03:16:51.918189 IP 192.168.4.254 > 192.168.1.114: ICMP echo request, id 61598, seq 2, length 64
03:16:52.922871 IP 192.168.4.254 > 192.168.1.114: ICMP echo request, id 61598, seq 3, length 64

>How-To-Repeat:
See above
>Fix:


>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->freebsd-net 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Sat Feb 6 00:32:19 UTC 2010 
Responsible-Changed-Why:  
Over to maintainer(s). 

http://www.freebsd.org/cgi/query-pr.cgi?pr=143593 

From: Eugene Grosbein <eugen@grosbein.pp.ru>
To: Vadim Fedorenko <junk@fromru.com>
Cc: bug-followup@freebsd.org
Subject: Re: kern/143593: [ipsec] When using IPSec, tcpdump doesn't show outgoing
 packets on gif interface
Date: Sat, 06 Feb 2010 13:21:37 +0700

 Hi!
 
 This is not a bug but some misunderstanding of how IPSEC tunnel mode works.
 You need not use a gif tunnel and an IPSEC tunnel at once.
 You should use IPSEC transport mode with gif, or IPSEC tunnel mode
 without gif.
 
 In fact, for IPSEC tunnel mode your kernel encrypts and encapsulates
 outgoing packets before it chooses the outgoing interface. And the
 IPSEC-encapsulated packet already has B.B.B.B as destination IP, so it is
 not routed to your gif tunnel. Instead, it is routed to your real network
 interface; therefore tcpdump -i gif0 does not show it.
 
 Just change your IPSEC configuration to transport mode,
 keeping your gif configuration unchanged.
 Then outgoing packets will be routed to gif0 by means of the routing table
 (and not by the IPSEC tunnel mode config) and tcpdump will show them.
 The gif tunnel will encapsulate them, and only then will they be encrypted
 with IPSEC and sent.
 
 I suggest this PR be closed. Please ask this type of question in the
 lists first.
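
The two SPD layouts contrasted above, rendered side by side as an added example. This is not code from the PR submitter, from the replies, or from the FreeBSD tree; it is a small sh script that prints the original tunnel-mode policies from the report next to the transport-mode policies Eugene recommends for the unchanged gif0 setup, using the placeholder addresses of the PR. It assumes that the peer's kernel is given the mirror-image policies, that the ipsec.conf keying (SAs, racoon or manual keys) is already in place, and that "ipencap" resolves to IP protocol 4 (IPv4-in-IPv4, the encapsulation gif emits) via /etc/protocols, as it does on FreeBSD.

```shell
#!/bin/sh
# Added example for PR kern/143593 (not the submitter's, the repliers' or
# FreeBSD's own code). Renders two setkey(8) policy layouts for comparison.
# Assumptions: placeholders A.A.A.A / B.B.B.B and the 192.168.1.0/24 and
# 192.168.4.0/24 subnets from the PR; "ipencap" is protocol 4 in /etc/protocols.

# Original layout from the PR: IPsec tunnel mode selecting on the private
# subnets. The kernel encapsulates to the remote public address before the
# route lookup, so the packet never enters gif0 and tcpdump -ni gif0 shows
# no outgoing traffic.
render_spd_tunnel_mode() {
  # $1 local public, $2 remote public, $3 local subnet, $4 remote subnet
  cat <<EOF
spdadd $3 $4 any -P out ipsec esp/tunnel/$1-$2/require;
spdadd $4 $3 any -P in ipsec esp/tunnel/$2-$1/require;
EOF
}

# Recommended layout: IPsec transport mode keyed to the gif outer addresses
# and to the IP-in-IP protocol gif produces. The routing table sends
# 192.168.4.0/24 traffic into gif0 (where tcpdump sees it), gif encapsulates
# it, and only that ipencap packet matches the SPD and gets ESP applied.
render_spd_transport_mode() {
  # $1 local public, $2 remote public
  cat <<EOF
spdadd $1 $2 ipencap -P out ipsec esp/transport//require;
spdadd $2 $1 ipencap -P in ipsec esp/transport//require;
EOF
}

# Both directions must carry "require": the inbound policy is the one that
# matters for security, because without it the host would accept cleartext
# IP-in-IP from the peer address and hand it to gif0 as if it were tunnel
# traffic. This check verifies that a rendered set has matching in/out
# policies and is not empty.
policy_set_is_symmetric() {
  n_out=$(printf '%s\n' "$1" | grep -c -e '-P out' || :)
  n_in=$(printf '%s\n' "$1" | grep -c -e '-P in' || :)
  [ "$n_out" -eq "$n_in" ] && [ "$n_in" -gt 0 ]
}

# Usage:
#   sh spd.sh show  A.A.A.A B.B.B.B          # print the transport-mode policies
#   sh spd.sh apply A.A.A.A B.B.B.B          # load them with setkey -c (as root)
# With no arguments the script only defines the functions above.
case "${1:-}" in
  show)  render_spd_transport_mode "$2" "$3" ;;
  apply) render_spd_transport_mode "$2" "$3" | setkey -c ;;
esac
```

After loading the transport-mode policies on both hosts, `setkey -DP` should list exactly the two ipencap entries per host, `tcpdump -ni gif0` should show both the ICMP echo request and the echo reply, and `tcpdump -ni <outer interface> esp` should show only ESP between A.A.A.A and B.B.B.B with no cleartext protocol-4 packets.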

From: "Bjoern A. Zeeb" <bz@FreeBSD.org>
To: Eugene Grosbein <eugen@grosbein.pp.ru>
Cc: freebsd-net@FreeBSD.org, bug-followup@FreeBSD.org, junk@fromru.com
Subject: Re: kern/143593: [ipsec] When using IPSec, tcpdump doesn't show
 outgoing packets on gif interface
Date: Sat, 6 Feb 2010 22:02:01 +0000 (UTC)

 On Sat, 6 Feb 2010, Eugene Grosbein wrote:
 
 Hi Eugene,
 
 > The following reply was made to PR kern/143593; it has been noted by GNATS.
 >
 > From: Eugene Grosbein <eugen@grosbein.pp.ru>
 > To: Vadim Fedorenko <junk@fromru.com>
 > Cc: bug-followup@freebsd.org
 > Subject: Re: kern/143593: [ipsec] When using IPSec, tcpdump doesn't show outgoing
 > packets on gif interface
 > Date: Sat, 06 Feb 2010 13:21:37 +0700
 >
 > Hi!
 >
 > This is not a bug but some misunderstanding of how IPSEC tunnel mode works.
 > You need not use a gif tunnel and an IPSEC tunnel at once.
 
 But still you could for various reasons.
 
 > You should use IPSEC transport mode with gif, or IPSEC tunnel mode
 > without gif.
 >
 > In fact, for IPSEC tunnel mode your kernel encrypts and encapsulates
 > outgoing packets before it chooses the outgoing interface. And the
 > IPSEC-encapsulated packet already has B.B.B.B as destination IP, so it is
 > not routed to your gif tunnel. Instead, it is routed to your real network
 > interface; therefore tcpdump -i gif0 does not show it.
 >
 > Just change your IPSEC configuration to transport mode,
 > keeping your gif configuration unchanged.
 > Then outgoing packets will be routed to gif0 by means of the routing table
 > (and not by the IPSEC tunnel mode config) and tcpdump will show them.
 > The gif tunnel will encapsulate them, and only then will they be encrypted
 > with IPSEC and sent.
 >
 > I suggest this PR be closed. Please ask this type of question in the
 > lists first.
 
 
 While what you say is best practice and will mitigate the problem, there is
 a known problem here nonetheless.
 
 I think kern/121642 was one of the original submissions and this
 should be marked as a duplicate and possibly migrated there.  There
 are more slightly similar problems reported (kern/110959, ...).
 
 I think similar strange results might be seen if stacking gif and gre
 w/o IPsec (or maybe it was gif in gif).
 
 -- 
 Bjoern A. Zeeb         It will not break if you know what you are doing.
Responsible-Changed-From-To: freebsd-net->ae 
Responsible-Changed-By: ae 
Responsible-Changed-When: Fri Apr 4 09:49:47 UTC 2014 
Responsible-Changed-Why:  
Take it. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=143593 
>Unformatted:
