Date:      Fri, 16 Apr 2004 14:42:37 +0300 (EEST)
From:      Valentin Nechayev <netch@netch.kiev.ua>
To:        FreeBSD-gnats-submit@FreeBSD.org
Subject:   kern/65616: IPSEC can't detunnel GRE packets after real ESP encryption
Message-ID:  <200404161142.i3GBgbkN090439@quarta.carrier.kiev.ua>
Resent-Message-ID: <200404161150.i3GBoOPu061702@freefall.freebsd.org>


>Number:         65616
>Category:       kern
>Synopsis:       IPSEC can't detunnel GRE packets after real ESP encryption
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Apr 16 04:50:23 PDT 2004
>Closed-Date:
>Last-Modified:
>Originator:     Valentin Nechayev
>Release:        FreeBSD 4.9-RELEASE-p1 i386
>Organization:
private
>Environment:
FreeBSD 4.9-RELEASE-p1
FreeBSD 4.10-BETA
FreeBSD 5.2.1-RELEASE

>Description:

Build a simple GRE tunnel between two hosts and apply transport IPSEC ESP
between the external endpoints of the tunnel.
With null ESP encryption, packets are "decrypted" and appear on the input of
the GRE interface. With real encryption, packets are lost.
The situation is identical for all three tested versions (4.9, 4.10, 5.2.1).
I say that the problem is in decryption, not encryption, because some of the tests
included a Cisco router (75xx with RSP4, IOS 12.2(18)S4): a tunnel set up
between FreeBSD and the Cisco successfully passed packets from FreeBSD to a host
behind the Cisco, but not in the opposite direction.

>How-To-Repeat:

The following script was used to organize tunnel and ESP.
External addresses are 193.193.193.11 and 193.193.193.134 (real example).

=== cut ===
#!/bin/sh
# Usage: ./makeit [gif|gre]
# Builds the tunnel interface and the transport-mode ESP SAs/SPD on this host.
set -e
IFTYPE=${1:-gif}        # gif = IPIP tunnel (works), gre = GRE tunnel (fails with real encryption)
IFACE=${IFTYPE}0

ifconfig ${IFACE} destroy 2>/dev/null || true
ifconfig ${IFACE} create
ifconfig ${IFACE} inet 10.0.1.1 10.0.1.2                  # inner (tunnel) addresses
ifconfig ${IFACE} tunnel 193.193.193.11 193.193.193.134   # outer endpoints
setkey -c <<EOF
flush;
# null encryption ("simple"): works for both gif and gre
add 193.193.193.11 193.193.193.134 esp 1100 -E simple "";
add 193.193.193.134 193.193.193.11 esp 1101 -E simple "";
# real encryption: use these two lines instead to reproduce the failure with gre
#add 193.193.193.11 193.193.193.134 esp 1100 -E des-cbc "NuNiFiga";
#add 193.193.193.134 193.193.193.11 esp 1101 -E des-cbc "NuNiFiga";
spdflush;
spdadd 193.193.193.11 193.193.193.134 any -P out ipsec esp/transport//use;
spdadd 193.193.193.134 193.193.193.11 any -P in ipsec esp/transport//use;
EOF
exit 0
=== end cut ===

Run it as "./makeit" without arguments to set up an IPIP tunnel (using gif),
which works, and as "./makeit gre" to set up a GRE tunnel, which doesn't.
On the other host, the same script with the tunnel endpoints and
SPD addresses reversed must be used.

This may be tied to a particularity of tunnel mode (packets after tunnel-mode ESP
look the same as packets after IPIP tunneling plus transport ESP),
but the IPIP tunnel has no such problems even with the possible confusion between
these two tunneling modes.
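The packet layouts compared above, as an added Python illustration (not part of this PR or of FreeBSD): it builds a transport-mode NULL-ESP packet carrying GRE (what "./makeit gre" with "-E simple" puts on the wire) next to the gif/IPIP one, strips the ESP header and trailer the way a receiver must, and shows that only the trailer's next-header byte (47 for GRE, 4 for IPIP) tells the kernel which input path gets the payload. Addresses, SPI and the inner payload are constructed sample values.

```python
import struct

ESP, GRE, IPIP = 50, 47, 4   # IP protocol numbers: ESP, GRE, IP-in-IP (what gif sends)

def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header; checksum left zero, enough for parsing."""
    to_b = lambda a: bytes(int(o) for o in a.split('.'))
    return struct.pack('!BBHHHBBH4s4s', 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0, to_b(src), to_b(dst))

def esp_null(spi, seq, inner, next_header):
    """Transport-mode ESP with NULL encryption and no ICV, i.e. setkey '-E simple ""'."""
    pad_len = (-(len(inner) + 2)) % 4            # payload + trailer must be 4-byte aligned
    padding = bytes(range(1, pad_len + 1))       # RFC 2406 self-describing padding
    return struct.pack('!II', spi, seq) + inner + padding + bytes([pad_len, next_header])

def build(kind, spi=1100):
    """Constructed sample: outer 193.193.193.11 -> .134, inner 10.0.1.1 -> 10.0.1.2."""
    inner_ip = ipv4_header('10.0.1.1', '10.0.1.2', 1, 4) + b'ping'   # proto 1 = ICMP stand-in
    if kind == 'gre':
        inner, nh = struct.pack('!HH', 0, 0x0800) + inner_ip, GRE    # bare GRE header, ethertype IPv4
    else:
        inner, nh = inner_ip, IPIP
    esp = esp_null(spi, 1, inner, nh)
    return ipv4_header('193.193.193.11', '193.193.193.134', ESP, len(esp)) + esp

def parse_esp_null(packet):
    """Strip outer IP and NULL-ESP; return (spi, seq, next_header, payload)."""
    ihl = (packet[0] & 0x0f) * 4
    if packet[9] != ESP:
        raise ValueError('outer protocol %d is not ESP' % packet[9])
    esp = packet[ihl:]
    spi, seq = struct.unpack('!II', esp[:8])
    pad_len, next_header = esp[-2], esp[-1]
    return spi, seq, next_header, esp[8:len(esp) - 2 - pad_len]

def dispatch(packet):
    """What the receiver must do after ESP: route the payload by the trailer's next-header."""
    spi, seq, nh, payload = parse_esp_null(packet)
    if nh == GRE:                                 # -> gre(4) input: skip the 4-byte GRE header
        return 'gre', struct.unpack('!H', payload[2:4])[0], payload[4:]
    if nh == IPIP:                                # -> gif(4) input: payload is already an IP packet
        return 'ipip', 0x0800, payload
    raise ValueError('unexpected next header %d' % nh)

if __name__ == '__main__':
    for kind in ('gre', 'ipip'):
        path, proto, inner = dispatch(build(kind))
        print(kind, '->', path, hex(proto), inner[12:16], inner[16:20])
```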

The question was asked some time ago on net@freebsd.org and silence was the reply.

>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted:



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200404161142.i3GBgbkN090439>