Message-Id: <200404161142.i3GBgbkN090439@quarta.carrier.kiev.ua>
Date: Fri, 16 Apr 2004 14:42:37 +0300 (EEST)
From: Valentin Nechayev
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: kern/65616: IPSEC can't detunnel GRE packets after real ESP encryption

>Number:         65616
>Category:       kern
>Synopsis:       IPSEC can't detunnel GRE packets after real ESP encryption
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Apr 16 04:50:23 PDT 2004
>Closed-Date:
>Last-Modified:
>Originator:     Valentin Nechayev
>Release:        FreeBSD 4.9-RELEASE-p1 i386
>Organization:
private
>Environment:
FreeBSD 4.9-RELEASE-p1
FreeBSD 4.10-BETA
FreeBSD 5.2.1-RELEASE

>Description:

Build a simple GRE tunnel between two hosts and apply transport IPSEC ESP
between the external endpoints of the tunnel. With null ESP encryption, packets
are "decrypted" and appear on the input of the GRE interface. With real
encryption, packets are lost.

The situation is identical for the three tested versions (4.9, 4.10, 5.2.1).

I say that the problem is in decryption, not encryption, because some of the
tests included a Cisco router (75xx with RSP4, IOS 12.2(18)S4): a tunnel
organized between FreeBSD and Cisco successfully passed packets from FreeBSD
to a host after the Cisco, but not towards.

>How-To-Repeat:

The following script was used to organize the tunnel and ESP. External
addresses are 193.193.193.11 and 193.193.193.134 (real example).

=== cut ===
#!/bin/sh
set -e
IFTYPE=${1:-gif}
IFACE=${IFTYPE}0
ifconfig ${IFACE} destroy 2>/dev/null || true
ifconfig ${IFACE} create
ifconfig ${IFACE} inet 10.0.1.1 10.0.1.2
ifconfig ${IFACE} tunnel 193.193.193.11 193.193.193.134
setkey -c <

>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted: