From alex323@gmail.com  Tue Jun 15 23:10:05 2010
Return-Path: <alex323@gmail.com>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 9232E1065670
	for <FreeBSD-gnats-submit@freebsd.org>; Tue, 15 Jun 2010 23:10:05 +0000 (UTC)
	(envelope-from alex323@gmail.com)
Received: from mail-vw0-f54.google.com (mail-vw0-f54.google.com [209.85.212.54])
	by mx1.freebsd.org (Postfix) with ESMTP id 484A18FC14
	for <FreeBSD-gnats-submit@freebsd.org>; Tue, 15 Jun 2010 23:10:04 +0000 (UTC)
Received: by vws20 with SMTP id 20so7564543vws.13
        for <FreeBSD-gnats-submit@freebsd.org>; Tue, 15 Jun 2010 16:10:04 -0700 (PDT)
Received: by 10.220.126.129 with SMTP id c1mr4367890vcs.167.1276643404280;
        Tue, 15 Jun 2010 16:10:04 -0700 (PDT)
Received: from localhost (ool-44c14b8e.dyn.optonline.net [68.193.75.142])
        by mx.google.com with ESMTPS id b32sm3053781vcm.1.2010.06.15.16.10.02
        (version=TLSv1/SSLv3 cipher=RC4-MD5);
        Tue, 15 Jun 2010 16:10:03 -0700 (PDT)
Message-Id: <20100615191001.7c2b8ebf@gmail.com>
Date: Tue, 15 Jun 2010 19:10:01 -0400
From: Alex <alex323@gmail.com>
To: FreeBSD-gnats-submit@freebsd.org
Subject: IPv6-in-IPv4 does not work inside an ESP-only IPsec tunnel

>Number:         147894
>Category:       kern
>Synopsis:       [ipsec] IPv6-in-IPv4 does not work inside an ESP-only IPsec tunnel
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    ae
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Jun 15 23:20:00 UTC 2010
>Closed-Date:    
>Last-Modified:  Fri Apr 04 09:41:30 UTC 2014
>Originator:     Alex
>Release:        FreeBSD 8.1-PRERELEASE amd64
>Organization:
>Environment:
System: FreeBSD orion 8.1-PRERELEASE FreeBSD 8.1-PRERELEASE #4: Sun Jun 13 20:18:56 EDT 2010 alex@orion:/usr/obj/usr/src/sys/ORION amd64

>Description:
I have my gif interface set up as follows:

gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1280
	tunnel inet a.a.a.a --> b.b.b.b
	inet6 ::c prefixlen 64

...and the opposite on the other end. The IPsec mode is tunnel, and
one computer is behind NAT (the packets are all forwarded properly).
Moreover, AH is not enabled... just ESP. The configuration I have just
described works correctly when the internal addresses are IPv4. However
when they are IPv6, the actual packets I try to send do not get sent.
More specifically, no outgoing ESP packets appear in wireshark at all.

Again to reiterate: This exact same setup works when the internal tunnel
addresses are IPv4. I do not feel that the problem is racoon2, because
the keys are successfully negotiated, as shown below:

local-ipv4-address remote-ipv4-address
	esp mode=tunnel spi=256424725(0x0f48bb15) reqid=0(0x00000000)
	E: rijndael-cbc  43932af0 a2ebdf0e 9ed8eb89 3b4f9725 3f1874d3
	87a7afad cbcc7e3f dc028a40

	A: hmac-sha2-512  38645b32 3deafb39 45b01b66 58015299 a730a96a
	f5fac1c2 ae87348d 2fe3c181 b22a4b80 a6ccdbc0 b3ae5125 cb5e4849
	19e51766 21d0c773 343c6a64 52058686 seq=0x00000000 replay=64
	flags=0x00000000 state=mature created: Jun 15 19:00:32 2010
	current: Jun 15 19:02:08 2010 diff: 96(s)	hard: 14400(s)
	soft: 12814(s) last:                     	hard: 0(s)
	soft: 0(s) current: 0(bytes)	hard: 0(bytes)	soft:
	0(bytes) allocated: 0	hard: 0	soft: 0 sadb_seq=1
	pid=34759 refcnt=2

remote-ipv4-address local-ipv4-address
	esp mode=tunnel spi=23667040(0x01692160) reqid=0(0x00000000)
	E: rijndael-cbc  902fb88f fd628086 a914db5e 594cad58 3bad517a
	9153b5ee 1e57c579 f8bff311

	A: hmac-sha2-512  587cb5ff 6caf0da4 bbb2ecad 056fb008 c362fc69
	70be67b2 29a484a9 4df8e5c9 7cb52ac6 c37fc674 8d896722 b1e7ee6b
	d6c0ef7b 2a815807 7bb394ae 1ba4b294 seq=0x00000000 replay=64
	flags=0x00000000 state=mature created: Jun 15 19:00:32 2010
	current: Jun 15 19:02:08 2010 diff: 96(s)	hard: 14400(s)
	soft: 11544(s) last:                     	hard: 0(s)
	soft: 0(s) current: 0(bytes)	hard: 0(bytes)	soft:
	0(bytes) allocated: 0	hard: 0	soft: 0 sadb_seq=0
	pid=34759 refcnt=1

IPSEC_NAT_T is enabled in both kernels.
>How-To-Repeat:
>Fix:
>Release-Note:
>Audit-Trail:

From: Alex <alex323@gmail.com>
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/147894: IPv6-in-IPv4 does not work inside an ESP-only
 IPsec tunnel
Date: Fri, 18 Jun 2010 20:34:33 -0400

 The following error is printed when net.inet6.ipsec6.debug is set to 1:
 
 Jun 18 20:19:23 orion kernel: ipsec6_output_tunnel: family mismatched between inner and outer, spi=156253021
 Jun 18 20:19:23 orion kernel: [ip6_output:549] (ipsec): error code 47
 
 The relevant lines of code are:
 
 --- ipsec_output.c begins here ---
 if (isr->sav->sah->saidx.src.sa.sa_family != AF_INET6) {
         ipseclog((LOG_ERR, "%s: family mismatched between "
             "inner and outer, spi=%u\n", __func__,
             ntohl(isr->sav->spi)));
         V_ipsec6stat.ips_out_inval++;
         error = EAFNOSUPPORT;
         goto bad;
 }
 --- ipsec_output.c ends here ---
 
 I will be looking further into this.
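
The following is a user-space model of the check quoted in the follow-up above, added here as an illustration; it is not FreeBSD kernel code and not the fix eventually applied to this PR. The struct and function names (sa_model, family_check_as_quoted, outer_family_from_sa) are this example's own stand-ins for sav->sah->saidx. It shows why an ESP tunnel SA between two IPv4 endpoints, asked to carry an IPv6 inner packet, is refused with EAFNOSUPPORT (the value 47 on FreeBSD, matching "error code 47" in the log), and contrasts that with a rule that takes the outer family from the SA itself.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>   /* AF_INET, AF_INET6 */

/* Hypothetical stand-ins for the kernel's sav->sah->saidx fields
 * (names are this example's own, not FreeBSD's). */
struct sa_index { int src_family; int dst_family; };
struct sa_model {
    unsigned int spi;        /* host-order SPI, as ipseclog prints it */
    struct sa_index saidx;   /* outer (tunnel endpoint) addresses */
};

/* The condition quoted from ipsec6_output_tunnel(): the caller is
 * handling an IPv6 inner packet and insists that the SA's outer
 * addresses be IPv6 as well.  Returns 0 or an errno value, mirroring
 * 'error = EAFNOSUPPORT; goto bad'. */
static int family_check_as_quoted(const struct sa_model *sav)
{
    if (sav->saidx.src_family != AF_INET6) {
        fprintf(stderr, "ipsec6_output_tunnel: family mismatched between "
                        "inner and outer, spi=%u\n", sav->spi);
        return EAFNOSUPPORT;
    }
    return 0;
}

/* Contrast (illustrative only, not the committed fix): derive the outer
 * header's family from the SA, requiring only that the SA's own src and
 * dst agree and are one of the two supported families.  Under this rule
 * an IPv6-inner / IPv4-outer tunnel SA is usable. */
static int outer_family_from_sa(const struct sa_model *sav, int *outer_af)
{
    int af = sav->saidx.src_family;

    if (af != sav->saidx.dst_family)
        return EAFNOSUPPORT;
    if (af != AF_INET && af != AF_INET6)
        return EAFNOSUPPORT;
    *outer_af = af;
    return 0;
}

int main(void)
{
    /* Constructed from the report: an ESP tunnel SA between two IPv4
     * endpoints (the gif "tunnel inet a.a.a.a --> b.b.b.b"), with the
     * SPI taken from the logged message. */
    struct sa_model v4_outer = { 156253021u, { AF_INET, AF_INET } };
    struct sa_model v6_outer = { 156253021u, { AF_INET6, AF_INET6 } };
    int err, af = 0;

    err = family_check_as_quoted(&v4_outer);
    printf("IPv4 outer, quoted check: %d (%s)\n",
           err, err ? strerror(err) : "ok");

    err = family_check_as_quoted(&v6_outer);
    printf("IPv6 outer, quoted check: %d (%s)\n",
           err, err ? strerror(err) : "ok");

    err = outer_family_from_sa(&v4_outer, &af);
    printf("IPv4 outer, SA-derived family: err=%d af=%s\n",
           err, af == AF_INET ? "AF_INET" : "AF_INET6");
    return 0;
}
```

Compile with any C99 compiler; the numeric value printed for EAFNOSUPPORT is 47 on FreeBSD and differs on other platforms (for example 97 on Linux), so the strerror() text is the portable thing to compare against the log line.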
Responsible-Changed-From-To: freebsd-bugs->freebsd-net 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Sun Jul 18 15:42:23 UTC 2010 
Responsible-Changed-Why:  
Over to maintainer(s). 

http://www.freebsd.org/cgi/query-pr.cgi?pr=147894 
Responsible-Changed-From-To: freebsd-net->ae 
Responsible-Changed-By: ae 
Responsible-Changed-When: Fri Apr 4 09:41:15 UTC 2014 
Responsible-Changed-Why:  
Take it. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=147894 
>Unformatted:
