Date:      Tue, 23 May 100 00:15:29 +0200 (CEST)
From:      Renaud Waldura <renaud@guppy.evolunet.com>
To:        freebsd-net@freebsd.org
Subject:   PPP dropping IPSec packets?
Message-ID:  <200005222215.AAA26890@guppy.evolunet.com>

Keywords: PPP PPPoE IPSec pipsecd tunnel


I'm having a problem with PPP (userland PPP) apparently dropping
IPSec packets.

I'm using PPP for PPPoE (DSL connection) with a tunnel interface
tun0. That tun0 is bound to my ethernet interface eth0, and
sends packets back and forth to the telco router.

 ---> tun0 ---> eth0 ---> telco ---> IP
 <--- tun0 <--- eth0 <--- telco <--- IP

All is neat, it's working great. For info:

$ ifconfig tun0
tun0: flags=8151<UP,POINTOPOINT,RUNNING,PROMISC,MULTICAST> mtu 1492
        inet 63.203.70.250 --> 63.203.71.254 netmask 0xff000000 
        Opened by PID 70

Now I want to set up an encrypted tunnel using pipsecd between
my machine and a remote site. Pipsecd creates an interface tun1
that is ifconfig'ed with the right parameters, shared by the two
sites.

$ ifconfig tun1
tun1: flags=8151<UP,POINTOPOINT,RUNNING,PROMISC,MULTICAST> mtu 1440
        inet 192.168.255.14 --> 192.168.255.13 netmask 0xfffffffc 
        Opened by PID 164

I try to ping the remote end of the encrypted link, but the packets
never make it back to me. They do flow from tun1 to tun0 to eth0
to the telco router to ... to the remote site, _which_replies_ 
to my ICMP echo, but for some reason PPP drops the IPSec packets,
they never come back up to either tun0 (tunnel interface opened
by ppp) or tun1 (tunnel opened by pipsecd).

But they *do* make it back to the Ethernet interface, they're
just not transmitted back to the tunnel tun0.

Included below are two tcpdumps that clearly show the problem. My local
machine is 63.203.70.250, the remote site at the end of the 
encrypted link 24.201.61.127.

I ping the remote end of the encrypted link:
$ ping 192.168.255.13

and I see:

# tcpdump -i eth0 -n
13:29:26.793274 PPPoE  [ses 0x2f6] 63.203.70.250 > 24.201.61.127: ESP(spi=1001,seq=0x80)
13:29:26.933926 PPPoE  [ses 0x2f6] 24.201.61.127 > 63.203.70.250: ESP(spi=1001,seq=0x9c9)
13:29:27.802402 PPPoE  [ses 0x2f6] 63.203.70.250 > 24.201.61.127: ESP(spi=1001,seq=0x81)
13:29:27.923656 PPPoE  [ses 0x2f6] 24.201.61.127 > 63.203.70.250: ESP(spi=1001,seq=0x9ca)
^C
4 packets received by filter
0 packets dropped by kernel

# tcpdump -i tun0 -n
13:29:26.792053 63.203.70.250 > 24.201.61.127: ESP(spi=1001,seq=0x80)
13:29:27.801794 63.203.70.250 > 24.201.61.127: ESP(spi=1001,seq=0x81)
^C
2 packets received by filter
0 packets dropped by kernel

I _did_ run the same tcpdumps at the remote site, they show the packets
coming in and out. To me it looks like packets are lost at my local
machine, by either the PPP code, the PPPoE code, or something else.

To summarize, this is what happens:

 ---> tun1 ---> tun0 ---> rl0 ---> telco ----> remote site

but:

 remote site ---> telco ---> rl0 -/***/-> tun0 ---> tun1 --->


I'm not familiar with the new Netgraph stuff, could it be involved 
in what's happening? (ppp relies on ng_pppoe for doing PPPoE).

Thanks a lot for any ideas on how to solve this problem,

-- 
-- Renaud Waldura (temporarily renaud@evolunet.com)
-- The Netsurfers' Organization 
-- 610 Clipper St. #19, San Francisco CA 94114, USA
-- +1 415 642-5364
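
Added example, not part of the original message: a Python script that compares the two tcpdump captures quoted above by (src, dst, spi, seq) and reports which ESP packets reach the Ethernet interface but never appear on tun0. The capture lines are copied from the message; the function and variable names are hypothetical.

```python
import re

# Matches the ESP lines printed by the tcpdump runs in the message;
# the "PPPoE  [ses 0x...]" prefix only appears on the Ethernet capture.
ESP_RE = re.compile(
    r"(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+(?:PPPoE\s+\[ses\s+0x[0-9a-fA-F]+\]\s+)?"
    r"(?P<src>\d+(?:\.\d+){3}) > (?P<dst>\d+(?:\.\d+){3}): "
    r"ESP\(spi=(?P<spi>\d+),seq=(?P<seq>0x[0-9a-fA-F]+)\)"
)

# Capture lines copied from the message above.
ETH_CAPTURE = """\
13:29:26.793274 PPPoE  [ses 0x2f6] 63.203.70.250 > 24.201.61.127: ESP(spi=1001,seq=0x80)
13:29:26.933926 PPPoE  [ses 0x2f6] 24.201.61.127 > 63.203.70.250: ESP(spi=1001,seq=0x9c9)
13:29:27.802402 PPPoE  [ses 0x2f6] 63.203.70.250 > 24.201.61.127: ESP(spi=1001,seq=0x81)
13:29:27.923656 PPPoE  [ses 0x2f6] 24.201.61.127 > 63.203.70.250: ESP(spi=1001,seq=0x9ca)
"""
TUN_CAPTURE = """\
13:29:26.792053 63.203.70.250 > 24.201.61.127: ESP(spi=1001,seq=0x80)
13:29:27.801794 63.203.70.250 > 24.201.61.127: ESP(spi=1001,seq=0x81)
"""
LOCAL_IP = "63.203.70.250"

def parse_esp(capture):
    """Map (src, dst, spi, seq) -> timestamp for every ESP line."""
    packets = {}
    for line in capture.splitlines():
        m = ESP_RE.match(line.strip())
        if m:
            key = (m["src"], m["dst"], int(m["spi"]), int(m["seq"], 16))
            packets[key] = m["ts"]
    return packets

def lost_between(outer, inner, local_ip):
    """ESP packets seen on the outer capture but absent from the inner one,
    split by direction relative to local_ip."""
    seen_inner = parse_esp(inner)
    lost = sorted(k for k in parse_esp(outer) if k not in seen_inner)
    return {
        "inbound": [k for k in lost if k[1] == local_ip],
        "outbound": [k for k in lost if k[0] == local_ip],
    }

if __name__ == "__main__":
    result = lost_between(ETH_CAPTURE, TUN_CAPTURE, LOCAL_IP)
    for direction, pkts in result.items():
        for src, dst, spi, seq in pkts:
            print(f"{direction} ESP lost before tun0: {src} > {dst} spi={spi} seq={seq:#x}")
```
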

