Date: Mon, 22 May 2000 23:55:59 +0100
From: Brian Somers <brian@Awfulhak.org>
To: renaud@evolunet.com (Renaud Waldura)
Cc: freebsd-net@FreeBSD.ORG, brian@hak.lan.Awfulhak.org
Subject: Re: PPP dropping IPSec packets?
Message-ID: <200005222256.XAA15436@hak.lan.Awfulhak.org>
In-Reply-To: Message from Renaud Waldura <renaud@guppy.evolunet.com> of "Tue, 23 May 0100 00:15:29 +0200." <200005222215.AAA26890@guppy.evolunet.com>

Hmm, you mustn't have received my last email:

brian@Awfulhak.org said:
: Hi,
:
: I'm not sure if I know the answer to this, but I may have bumped into
: similar problems in the past.  I don't use ipsec myself, but I've set
: up tunnels with a PPPoUDPoPPPoSerial setup.
:
: Maybe your problems lie in your routing tables, where one side is
: routing the reply packets through tun0 rather than tun1 because of a
: bogus route?  You probably want to make sure that your ethernet
: segment has a very minimal netmask - or even a ffffffff netmask with
: a -interface route to the provider IP?
:
: This sort of thing is particularly difficult to get working if you
: don't have access to both sides of the link, but if you do, I'd try
: getting tcpdump running on each end and trying to trace ``ping -c1''s
: and see where they're disappearing.

> Keywords: PPP PPPoE IPSec pipsecd tunnel
>
>
> I'm having a problem with PPP (userland PPP) apparently dropping
> IPSec packets.
>
> I'm using PPP for PPPoE (DSL connection) with a tunnel interface
> tun0. That tun0 is bound to my ethernet interface eth0, and
> sends packets back and forth to the telco router.
>
>   ---> tun0 ---> eth0 ---> telco ---> IP
>   <--- tun0 <--- eth0 <--- telco <--- IP
>
> All is neat, it's working great. For info:
>
> $ ifconfig tun0
> tun0: flags=8151<UP,POINTOPOINT,RUNNING,PROMISC,MULTICAST> mtu 1492
>         inet 63.203.70.250 --> 63.203.71.254 netmask 0xff000000
>         Opened by PID 70
>
> Now I want to set up an encrypted tunnel using pipsecd between
> my machine and a remote site. Pipsecd creates an interface tun1
> that is ifconfig'ed with the right parameters, shared by the two
> sites.
>
> $ ifconfig tun1
> tun1: flags=8151<UP,POINTOPOINT,RUNNING,PROMISC,MULTICAST> mtu 1440
>         inet 192.168.255.14 --> 192.168.255.13 netmask 0xfffffffc
>         Opened by PID 164
>
> I try to ping the remote end of the encrypted link, but the packets
> never make it back to me. They do flow from tun1 to tun0 to eth0
> to the telco router to ... to the remote site, _which_replies_
> to my ICMP echo, but for some reason PPP drops the IPSec packets,
> they never come back up to either tun0 (tunnel interface opened
> by ppp), or to tun1 (tunnel opened by pipsecd).
>
> But they *do* make it back to the Ethernet interface, they're
> just not transmitted back to the tunnel tun0.
>
> Included below two tcpdumps that clearly show the problem. My local
> machine is 63.203.70.250, the remote site at the end of the
> encrypted link 24.201.61.127.
>
> I ping the remote end of the encrypted link:
> $ ping 192.168.255.13
>
> and I see:
>
> # tcpdump -i eth0 -n
> 13:29:26.793274 PPPoE [ses 0x2f6] 63.203.70.250 > 24.201.61.127: ESP(spi=1001,seq=0x80)
> 13:29:26.933926 PPPoE [ses 0x2f6] 24.201.61.127 > 63.203.70.250: ESP(spi=1001,seq=0x9c9)
> 13:29:27.802402 PPPoE [ses 0x2f6] 63.203.70.250 > 24.201.61.127: ESP(spi=1001,seq=0x81)
> 13:29:27.923656 PPPoE [ses 0x2f6] 24.201.61.127 > 63.203.70.250: ESP(spi=1001,seq=0x9ca)
> ^C
> 4 packets received by filter
> 0 packets dropped by kernel
>
> # tcpdump -i tun0 -n
> 13:29:26.792053 63.203.70.250 > 24.201.61.127: ESP(spi=1001,seq=0x80)
> 13:29:27.801794 63.203.70.250 > 24.201.61.127: ESP(spi=1001,seq=0x81)
> ^C
> 2 packets received by filter
> 0 packets dropped by kernel
>
> I _did_ run the same tcpdumps at the remote site, they show the packets
> coming in and out. To me it looks like packets are lost at my local
> machine, by either the PPP code, the PPPoE code, or something else.
>
> To summarize, this is what happens:
>
>   ---> tun1 ---> tun0 ---> rl0 ---> telco ----> remote site
>
> but:
>
>   remote site ---> telco ---> rl0 -/***/-> tun0 ---> tun1 --->
>
>
> I'm not familiar with the new Netgraph stuff, could it be involved
> in what's happening? (ppp relies on ng_pppoe for doing PPPoE).
>
> Thanks a lot for any ideas on how to solve this problem,
>
> --
> -- Renaud Waldura (temporarily renaud@evolunet.com)
> -- The Netsurfers' Organization
> -- 610 Clipper St. #19, San Francisco CA 94114, USA
> -- +1 415 642-5364
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-net" in the body of the message
>


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message
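
Added example, not part of the original messages: the "tcpdump on each interface and see where packets disappear" comparison from this thread, done mechanically by keying each ESP packet on (src, dst, spi, seq) and diffing the outer capture against the inner one. The function names `parse` and `lost_between` are hypothetical; the capture lines are the ones quoted in the message above.

```python
import re

# tcpdump -n line as shown in the thread; the "PPPoE [ses ...]" prefix is
# present on the Ethernet capture and absent on the tun capture.
LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+(?:PPPoE\s+\[ses\s+0x[0-9a-f]+\]\s+)?"
    r"(?P<src>\d+(?:\.\d+){3})\s+>\s+(?P<dst>\d+(?:\.\d+){3}):\s+"
    r"ESP\(spi=(?P<spi>\w+),seq=(?P<seq>0x[0-9a-f]+)\)"
)

def parse(capture):
    """Return {(src, dst, spi, seq): first timestamp} for every ESP line."""
    seen = {}
    for line in capture.splitlines():
        m = LINE.match(line.strip())
        if m:
            key = (m["src"], m["dst"], m["spi"], int(m["seq"], 16))
            seen.setdefault(key, m["ts"])
    return seen

def lost_between(outer, inner, local_ip):
    """ESP packets present in the outer capture but missing from the inner
    one, split by direction relative to local_ip and ordered by time."""
    a, b = parse(outer), parse(inner)
    missing = sorted(set(a) - set(b), key=lambda k: a[k])
    return {
        "inbound": [k for k in missing if k[1] == local_ip],
        "outbound": [k for k in missing if k[0] == local_ip],
    }

# Capture lines copied from the message above (eth0 first, then tun0).
ETH0 = """\
13:29:26.793274 PPPoE [ses 0x2f6] 63.203.70.250 > 24.201.61.127: ESP(spi=1001,seq=0x80)
13:29:26.933926 PPPoE [ses 0x2f6] 24.201.61.127 > 63.203.70.250: ESP(spi=1001,seq=0x9c9)
13:29:27.802402 PPPoE [ses 0x2f6] 63.203.70.250 > 24.201.61.127: ESP(spi=1001,seq=0x81)
13:29:27.923656 PPPoE [ses 0x2f6] 24.201.61.127 > 63.203.70.250: ESP(spi=1001,seq=0x9ca)
"""
TUN0 = """\
13:29:26.792053 63.203.70.250 > 24.201.61.127: ESP(spi=1001,seq=0x80)
13:29:27.801794 63.203.70.250 > 24.201.61.127: ESP(spi=1001,seq=0x81)
"""

if __name__ == "__main__":
    for direction, pkts in lost_between(ETH0, TUN0, "63.203.70.250").items():
        for src, dst, spi, seq in pkts:
            print(f"{direction}: {src} > {dst} spi={spi} seq={seq:#x} on eth0 only")
```

On these captures both replies (seq 0x9c9 and 0x9ca) are reported as inbound packets seen on eth0 only, and no outbound packet is missing.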