From netch@quarta.carrier.kiev.ua  Fri Apr 16 04:42:45 2004
Return-Path: <netch@quarta.carrier.kiev.ua>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 51E2416A4CE
	for <FreeBSD-gnats-submit@freebsd.org>; Fri, 16 Apr 2004 04:42:45 -0700 (PDT)
Received: from quarta.carrier.kiev.ua (quarta.carrier.kiev.ua [193.193.193.11])
	by mx1.FreeBSD.org (Postfix) with ESMTP id B4E9143D39
	for <FreeBSD-gnats-submit@freebsd.org>; Fri, 16 Apr 2004 04:42:41 -0700 (PDT)
	(envelope-from netch@quarta.carrier.kiev.ua)
Received: from quarta.carrier.kiev.ua (localhost [127.0.0.1])
	by quarta.carrier.kiev.ua (8.12.9p2/8.12.9) with ESMTP id i3GBgbZq090440;
	Fri, 16 Apr 2004 14:42:37 +0300 (EEST)
	(envelope-from netch@quarta.carrier.kiev.ua)
Received: (from root@localhost)
	by quarta.carrier.kiev.ua (8.12.9p2/8.12.9/Submit) id i3GBgbkN090439;
	Fri, 16 Apr 2004 14:42:37 +0300 (EEST)
	(envelope-from netch)
Message-Id: <200404161142.i3GBgbkN090439@quarta.carrier.kiev.ua>
Date: Fri, 16 Apr 2004 14:42:37 +0300 (EEST)
From: Valentin Nechayev <netch@netch.kiev.ua>
Reply-To: Valentin Nechayev <netch@netch.kiev.ua>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: IPSEC can't detunnel GRE packets after real ESP encryption
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         65616
>Category:       kern
>Synopsis:       IPSEC can't detunnel GRE packets after real ESP encryption
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    ae
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Apr 16 04:50:23 PDT 2004
>Closed-Date:    
>Last-Modified:  Fri Apr 04 09:38:00 UTC 2014
>Originator:     Valentin Nechayev
>Release:        FreeBSD 4.9-RELEASE-p1 i386
>Organization:
private
>Environment:
FreeBSD 4.9-RELEASE-p1
FreeBSD 4.10-BETA
FreeBSD 5.2.1-RELEASE

>Description:

Build a simple GRE tunnel between two hosts and apply transport-mode IPSEC ESP
between the external endpoints of the tunnel.
With null ESP encryption, packets are "decrypted" and appear on the input of
the GRE interface. With real encryption, packets are lost.
The situation is identical for the three tested versions (4.9, 4.10, 5.2.1).
I say that the problem is in decryption, not encryption, because some of the tests
included a Cisco router (75xx with RSP4, IOS 12.2(18)S4): a tunnel organized
between FreeBSD and Cisco successfully passed packets from FreeBSD to a host
behind the Cisco, but not in the opposite direction.

>How-To-Repeat:

The following script was used to organize the tunnel and ESP.
The external addresses are 193.193.193.11 and 193.193.193.134 (a real example).

=== cut ===
#!/bin/sh
set -e
# Tunnel interface type: gif (IP-in-IP) by default, or gre when given as $1
IFTYPE=${1:-gif}
IFACE=${IFTYPE}0

ifconfig ${IFACE} destroy 2>/dev/null || true
ifconfig ${IFACE} create
ifconfig ${IFACE} inet 10.0.1.1 10.0.1.2
ifconfig ${IFACE} tunnel 193.193.193.11 193.193.193.134
# SAD: one ESP SA per direction; null encryption ("simple") is active,
# the des-cbc lines are the real-encryption variant used for the failing test
setkey -c <<EOF
flush;
add 193.193.193.11 193.193.193.134 esp 1100 -E simple "";
add 193.193.193.134 193.193.193.11 esp 1101 -E simple "";
#add 193.193.193.11 193.193.193.134 esp 1100 -E des-cbc "NuNiFiga";
#add 193.193.193.134 193.193.193.11 esp 1101 -E des-cbc "NuNiFiga";
# SPD: transport-mode ESP for all traffic between the external endpoints
spdflush;
spdadd 193.193.193.11 193.193.193.134 any -P out ipsec esp/transport//use;
spdadd 193.193.193.134 193.193.193.11 any -P in ipsec esp/transport//use;
EOF
exit 0
=== end cut ===

Run it as "./makeit" without arguments to organize an IPIP tunnel (using gif),
which works, and as "./makeit gre" to organize a GRE tunnel, which doesn't.
On the other host, the same script with reversed tunnel endpoints and
SPD addresses must be used.

This may be tied to a peculiarity of tunnel mode (packets after tunnel-mode ESP
have the same form as packets after IPIP tunneling and transport ESP),
but the IPIP tunnel has no such problems even with the possible confusion of these
two tunneling modes.
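The wire-format point behind that paragraph can be checked offline. The Python below is an added illustration, not code from the PR or from FreeBSD: it builds the outer/inner packets the script above would produce for gif and for gre, wraps them in transport-mode ESP with null encryption (RFC 2410 framing, no IV and no ICV, so the bytes are fully constructible), decapsulates them against a constructed SAD mirroring the SPIs 1100/1101, and dispatches on the ESP Next Header. It shows that gif-plus-transport-ESP is byte-identical to tunnel-mode ESP of the same inner packet (both carry Next Header 4), whereas the gre case carries Next Header 47 followed by a GRE header. All addresses and the sample ICMP payload are constructed for the example.

```python
"""Transport-mode ESP (null encryption) over gif and gre, decapsulated and
dispatched by Next Header. Added example; sample packets constructed inline."""
import socket
import struct

IPPROTO_ICMP = 1
IPPROTO_IPIP = 4   # what gif(4) emits
IPPROTO_GRE = 47   # what gre(4) emits
IPPROTO_ESP = 50

EXT_A, EXT_B = "193.193.193.11", "193.193.193.134"   # endpoints from the PR script
# Constructed SAD keyed by SPI, mirroring the "add ... esp 1100/1101" lines.
SAD = {1100: (EXT_A, EXT_B), 1101: (EXT_B, EXT_A)}


def ip_checksum(hdr):
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src, dst, proto, payload, ttl=64):
    """Minimal IPv4 header (no options, id 0) with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(pkt):
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    return {"proto": pkt[9], "src": socket.inet_ntoa(pkt[12:16]),
            "dst": socket.inet_ntoa(pkt[16:20]), "payload": pkt[ihl:total_len]}


def build_gre(inner_ip):
    """GRE (RFC 2784) header: no flags, version 0, protocol type 0x0800 (IPv4)."""
    return struct.pack("!HH", 0, 0x0800) + inner_ip


def build_null_esp(spi, seq, next_header, payload):
    """ESP with null encryption: SPI, sequence, payload, self-describing padding
    to a 4-byte boundary, pad length, next header (RFC 4303 s.2; no ICV here)."""
    pad_len = (-(len(payload) + 2)) % 4
    padding = bytes(range(1, pad_len + 1))
    return struct.pack("!II", spi, seq) + payload + padding + bytes([pad_len, next_header])


def transport_esp(plain, spi, seq):
    """Transport mode applied to an already-encapsulated packet: the outer IP
    header stays, its protocol becomes ESP, the old protocol number moves into
    the ESP Next Header field."""
    ip = parse_ipv4(plain)
    return build_ipv4(ip["src"], ip["dst"], IPPROTO_ESP,
                      build_null_esp(spi, seq, ip["proto"], ip["payload"]))


def tunnel_esp(inner, src, dst, spi, seq):
    """Tunnel mode: new outer header, whole inner packet as payload, Next Header 4."""
    return build_ipv4(src, dst, IPPROTO_ESP, build_null_esp(spi, seq, IPPROTO_IPIP, inner))


def decapsulate_null_esp(outer, sad):
    """Strip ESP from an outer IPv4 packet. Returns (next_header, inner bytes)."""
    ip = parse_ipv4(outer)
    if ip["proto"] != IPPROTO_ESP:
        raise ValueError("not an ESP packet")
    esp = ip["payload"]
    spi, _seq = struct.unpack("!II", esp[:8])
    if sad.get(spi) != (ip["src"], ip["dst"]):
        raise KeyError("no SA for SPI %d %s->%s" % (spi, ip["src"], ip["dst"]))
    pad_len, next_header = esp[-2], esp[-1]
    body_end = len(esp) - 2 - pad_len
    if esp[body_end:-2] != bytes(range(1, pad_len + 1)):
        raise ValueError("bad ESP padding")
    return next_header, esp[8:body_end]


def dispatch(next_header, inner):
    """Which tunnel driver the decapsulated payload belongs to, plus the inner IP."""
    if next_header == IPPROTO_IPIP:
        return "gif", parse_ipv4(inner)
    if next_header == IPPROTO_GRE:
        proto_type = struct.unpack("!H", inner[2:4])[0]
        return "gre", (parse_ipv4(inner[4:]) if proto_type == 0x0800 else None)
    return "unknown", None


def demo():
    # Constructed inner packet: ICMP echo request 10.0.1.1 -> 10.0.1.2
    inner = build_ipv4("10.0.1.1", "10.0.1.2", IPPROTO_ICMP, b"\x08\x00\xf7\xff\x00\x00\x00\x00")
    gif_plain = build_ipv4(EXT_A, EXT_B, IPPROTO_IPIP, inner)
    gre_plain = build_ipv4(EXT_A, EXT_B, IPPROTO_GRE, build_gre(inner))
    wires = {"gif+transport": transport_esp(gif_plain, 1100, 1),
             "tunnel": tunnel_esp(inner, EXT_A, EXT_B, 1100, 1),
             "gre+transport": transport_esp(gre_plain, 1100, 2)}
    results = {}
    for name, wire in wires.items():
        nh, body = decapsulate_null_esp(wire, SAD)
        iface, ip = dispatch(nh, body)
        results[name] = (nh, iface, ip["src"], ip["dst"])
    results["gif_equals_tunnel"] = wires["gif+transport"] == wires["tunnel"]
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The decapsulator refuses SPIs that are not in the SAD for the given address pair and rejects malformed padding, which is the minimum a receiver does before handing the payload on; with a real cipher and ICV those checks sit after authentication and decryption, but the Next Header dispatch that decides between gif and gre is the same.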

The question was asked some time ago on net@freebsd.org, and silence was the reply.

>Fix:
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->bms 
Responsible-Changed-By: bms 
Responsible-Changed-When: Wed Jun 16 09:11:02 GMT 2004 
Responsible-Changed-Why:  
I'll try to look at this 

http://www.freebsd.org/cgi/query-pr.cgi?pr=65616 
Responsible-Changed-From-To: bms->freebsd-net 
Responsible-Changed-By: bms 
Responsible-Changed-When: Sat Sep 23 16:29:17 UTC 2006 
Responsible-Changed-Why:  
I must focus on more specific areas. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=65616 
Responsible-Changed-From-To: freebsd-net->gnn 
Responsible-Changed-By: bms 
Responsible-Changed-When: Sun Sep 24 08:57:20 UTC 2006 
Responsible-Changed-Why:  
by request 

http://www.freebsd.org/cgi/query-pr.cgi?pr=65616 

From: Sergey Svishchev <svs@ropnet.ru>
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/65616
Date: Tue, 07 Aug 2007 17:39:51 +0400

 Still happens in 5.5.
 
 -- 
 Sergey Svishchev
Responsible-Changed-From-To: gnn->freebsd-net 
Responsible-Changed-By: gnn 
Responsible-Changed-When: Tue Jun 15 17:47:06 UTC 2010 
Responsible-Changed-Why:  
This is likely stale. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=65616 
Responsible-Changed-From-To: freebsd-net->ae 
Responsible-Changed-By: ae 
Responsible-Changed-When: Fri Apr 4 09:37:42 UTC 2014 
Responsible-Changed-Why:  
Take it. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=65616 
>Unformatted:
