From owner-freebsd-bugs@FreeBSD.ORG Sat Aug 5 09:10:14 2006
Resent-Date: Sat, 5 Aug 2006 09:10:13 GMT
Resent-Message-Id: <200608050910.k759ADKn024885@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-bugs@FreeBSD.org
Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org, Alexander Shkurko
Message-Id:
 <200608050902.k7592fQh003990@www.freebsd.org>
Date: Sat, 5 Aug 2006 09:02:41 GMT
From: Alexander Shkurko
To: freebsd-gnats-submit@FreeBSD.org
X-Send-Pr-Version: www-2.3
Subject: kern/101400: some packets do not pass through IPSEC tunnel

>Number: 101400
>Category: kern
>Synopsis: some packets do not pass through IPSEC tunnel
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Sat Aug 05 09:10:12 GMT 2006
>Closed-Date:
>Last-Modified:
>Originator: Alexander Shkurko
>Release: FreeBSD 6.1
>Organization:
>Environment:
FreeBSD mail.xxxxx.com.ua 6.1-RELEASE FreeBSD 6.1-RELEASE #0: Wed May 31 15:49:03 UTC 2006 xxxxxxxxx@mail.xxxxx.com.ua:/usr/src/sys/i386/compile/xxxx i386
>Description:
The problem appeared when FreeBSD 5.2.1 was changed to FreeBSD 6.1 (not an upgrade, a change). We use IPSEC in tunnel mode. When an ESP packet is fragmented and the second part of the packet is 24 bytes, the packet is dropped at the remote side of the tunnel. If the size of the second part of the fragmented ESP packet is more or less than that, the packet passes.

I tested this on different servers in different countries with different pairs of servers. I found the following combinations affected by the problem:
  FreeBSD 6.1 with FreeBSD 6.1
  FreeBSD 6.1 with FreeBSD 5.2.1
but FreeBSD 5.2.1 with FreeBSD 5.2.1 is not affected (in all examples the configuration of the IPSEC tunnel is identical, i.e. racoon.conf and the IPSEC policy in the kernel). If you need some configuration files, I am ready to send them.

And finally I show the dump.
When I do
  ping -s 1424 -S 192.168.xx2.250 192.168.xx1.250
I have:

11:53:49.656190 IP (tos 0x0, ttl 57, id 3208, offset 0, flags [+], proto: ESP (50), length: 1500) mail.xxx1.com.ua > mail.xxx2.com.ua: ESP(spi=0x08933a69,seq=0x57c8), length 1480
11:53:49.658065 IP (tos 0x0, ttl 57, id 3208, offset 1480, flags [none], proto: ESP (50), length: 24) mail.xxx1.com.ua > mail.xxx2.com.ua: esp

The remote side receives the ESP packets but fails to get the encrypted ICMP packet out of them; without any warning it simply drops it.
>How-To-Repeat:
Run at one side of the tunnel:
  ping -s 1424 internal_ip_in_other_side_of_tunnel
In my case the size of the ICMP packet must be from 1419 to 1426; if it is less or more, the packet passes.
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted:
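A worked size calculation added here as an illustration (it is not part of the report and is not FreeBSD code): it reproduces the reporter's numbers, showing why ping -s 1424 through an ESP tunnel yields a 1500-byte first fragment plus a 24-byte tail, and why exactly the payload sizes 1419 to 1426 do so. It assumes what the report does not state: an 8-byte IV, an 8-byte cipher block (e.g. 3DES-CBC), a 12-byte ICV, IPv4 headers without options and a 1500-byte MTU on the outer path.

```python
# Added example (not from the bug report): ESP tunnel-mode size arithmetic.
# Assumptions the report does not state: 8-byte IV, 8-byte cipher block
# (e.g. 3DES-CBC), 12-byte ICV, IPv4 headers without options, 1500-byte MTU.

IP_HDR = 20        # IPv4 header, no options
ICMP_HDR = 8       # ICMP echo header (type, code, checksum, id, seq)
ESP_HDR = 8        # SPI + sequence number
ESP_TRAILER = 2    # pad length + next header
MTU = 1500
FRAG_UNIT = 8      # IPv4 fragment offsets are counted in 8-byte units


def esp_tunnel_len(payload, iv_len=8, block=8, icv_len=12):
    """Outer IPv4 length of an ESP tunnel-mode packet carrying an ICMP echo
    with `payload` data bytes (what `ping -s payload` sends)."""
    inner = IP_HDR + ICMP_HDR + payload        # whole inner IP packet is encrypted
    body = inner + ESP_TRAILER
    pad = (-body) % block                       # CBC padding up to the block size
    esp = ESP_HDR + iv_len + body + pad + icv_len
    return IP_HDR + esp


def fragment_lengths(total_len, mtu=MTU):
    """Total lengths of the IPv4 fragments a packet of `total_len` splits into."""
    if total_len <= mtu:
        return [total_len]
    per_frag = (mtu - IP_HDR) // FRAG_UNIT * FRAG_UNIT   # 1480 data bytes at MTU 1500
    data, frags = total_len - IP_HDR, []
    while data > per_frag:
        frags.append(IP_HDR + per_frag)
        data -= per_frag
    frags.append(IP_HDR + data)                 # the short tail fragment
    return frags


def tail_fragment_len(payload, **esp_kw):
    """Length of the last fragment for a ping payload, or None if not fragmented."""
    frags = fragment_lengths(esp_tunnel_len(payload, **esp_kw))
    return frags[-1] if len(frags) > 1 else None


def payload_sizes_giving_tail(tail_len, lo=1300, hi=1600, **esp_kw):
    """All `ping -s` sizes in [lo, hi] whose tail fragment is exactly `tail_len` bytes."""
    return [s for s in range(lo, hi + 1) if tail_fragment_len(s, **esp_kw) == tail_len]


if __name__ == "__main__":
    print(esp_tunnel_len(1424))            # 1504: four bytes more than the MTU
    print(fragment_lengths(1504))          # [1500, 24], as in the tcpdump above
    print(payload_sizes_giving_tail(24))   # 1419..1426, the reporter's window
```

With a 16-byte IV and block (AES-CBC) the same functions give a different window, so the exact 1419 to 1426 range the reporter observed is itself a hint about the SA's cipher parameters.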