Date:      Sat, 5 Aug 2006 09:02:41 GMT
From:      Alexander Shkurko <read@midland.com.ua>
To:        freebsd-gnats-submit@FreeBSD.org
Subject:   kern/101400: some packets do not pass through IPSEC tunnel
Message-ID:  <200608050902.k7592fQh003990@www.freebsd.org>
Resent-Message-ID: <200608050910.k759ADKn024885@freefall.freebsd.org>


>Number:         101400
>Category:       kern
>Synopsis:       some packets do not pass through IPSEC tunnel
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Aug 05 09:10:12 GMT 2006
>Closed-Date:
>Last-Modified:
>Originator:     Alexander Shkurko
>Release:        FreeBSD 6.1
>Organization:
>Environment:
FreeBSD mail.xxxxx.com.ua 6.1-RELEASE FreeBSD 6.1-RELEASE #0: Wed May 31 15:49:03 UTC 2006     xxxxxxxxx@mail.xxxxx.com.ua:/usr/src/sys/i386/compile/xxxx  i386
>Description:
The problem appeared when FreeBSD 5.2.1 was changed to FreeBSD 6.1 (not an upgrade, a change).
I use IPSEC in tunnel mode.
When an ESP packet is fragmented and the second part of the packet is 24 bytes, the packet is dropped at the remote side of the tunnel. If the size of the second part of the fragmented ESP packet is more or less than that size, the packet passes. I tested this on different servers in different countries with different pairs of servers. I found that the following are affected by the problem:
FreeBSD 6.1 with FreeBSD 6.1
FreeBSD 6.1 with FreeBSD 5.2.1

but
FreeBSD 5.2.1 with FreeBSD 5.2.1 is not affected

(In all examples the configuration of the IPSEC tunnel is identical; I mean racoon.conf and the IPSEC policy in the kernel.)
If you need some configuration files, I'm ready to send them.

And finally I show a dump.
When I do
ping -s 1424 -S 192.168.xx2.250 192.168.xx1.250
I have
11:53:49.656190 IP (tos 0x0, ttl  57, id 3208, offset 0, flags [+], proto: ESP (50), length: 1500) mail.xxx1.com.ua > mail.xxx2.com.ua: ESP(spi=0x08933a69,seq=0x57c8), length 1480
11:53:49.658065 IP (tos 0x0, ttl  57, id 3208, offset 1480, flags [none], proto: ESP (50), length: 24) mail.xxx1.com.ua > mail.xxx2.com.ua: esp

The remote side receives the ESP packets, but fails to get the encrypted ICMP packet from them; without any warning, it simply drops it.
>How-To-Repeat:
Run at one side of tunnel:
ping -s 1424 internal_ip_in_other_side_of_tunnel

In my case the size of the ICMP packet must be from 1419 to 1426; if less or more, the packet passes.
>Fix:

>Release-Note:
>Audit-Trail:
>Unformatted:
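To make the reporter's numbers concrete, here is an added example (mine, not part of the report or of FreeBSD) that computes the outer ESP datagram size and its IPv4 fragments for a given ping payload. It assumes 3DES-CBC (8-byte IV and cipher block) and HMAC-SHA1-96 (12-byte ICV) with a 1500-byte path MTU, since racoon.conf was not posted; under those assumptions it reproduces both the 1500/24 split in the tcpdump and the 1419..1426 payload range, which shows that the dropped 24-byte fragment carries only the last 4 bytes of the ESP ICV.

```python
"""Added example (not from the report): ESP tunnel-mode fragment sizes.

Assumptions (not stated in the report; racoon.conf was not posted):
  3DES-CBC     -> 8-byte IV, 8-byte cipher block
  HMAC-SHA1-96 -> 12-byte ICV
  IPv4 inner and outer headers without options, outer path MTU 1500
"""

IP_HDR = 20
ICMP_HDR = 8
ESP_HDR = 8           # SPI (4) + sequence number (4)
ESP_IV = 8            # 3DES-CBC IV (assumed)
ESP_BLOCK = 8         # 3DES cipher block (assumed)
ESP_TRAILER = 2       # pad length (1) + next header (1)
ESP_ICV = 12          # HMAC-SHA1-96 (assumed)
MTU = 1500


def esp_outer_length(icmp_payload: int) -> int:
    """Total length of the outer IPv4 datagram carrying one tunnelled ICMP echo."""
    inner = IP_HDR + ICMP_HDR + icmp_payload          # inner IP datagram
    to_pad = inner + ESP_TRAILER                       # plaintext incl. ESP trailer
    padded = -(-to_pad // ESP_BLOCK) * ESP_BLOCK       # round up to cipher block
    return IP_HDR + ESP_HDR + ESP_IV + padded + ESP_ICV


def ipv4_fragments(total_length: int, mtu: int = MTU) -> list[int]:
    """Total lengths of the IPv4 fragments; fragment data is a multiple of 8."""
    payload = total_length - IP_HDR
    per_frag = (mtu - IP_HDR) // 8 * 8                 # 1480 for a 1500 MTU
    sizes = []
    while payload > 0:
        chunk = min(per_frag, payload)
        sizes.append(IP_HDR + chunk)                   # each fragment gets its own header
        payload -= chunk
    return sizes


def payloads_with_tail_fragment(tail_len: int, lo: int = 1400, hi: int = 1450) -> list[int]:
    """ICMP payload sizes whose ESP datagram fragments and ends in a tail_len-byte fragment."""
    return [p for p in range(lo, hi + 1)
            if (f := ipv4_fragments(esp_outer_length(p)))[-1] == tail_len and len(f) > 1]


if __name__ == "__main__":
    print(ipv4_fragments(esp_outer_length(1424)))      # [1500, 24], matching the tcpdump
    print(payloads_with_tail_fragment(24))             # 1419..1426, the range the reporter saw
```

A 1418-byte payload yields a single 1496-byte datagram (no fragmentation) and 1427 yields a 32-byte tail fragment, which is why only the eight sizes in between hit the failing case under these assumptions.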


