Date:      Tue, 26 Mar 2019 12:26:16 +0500
From:      "Eugene M. Zheganin" <emz@norma.perm.ru>
To:        "freebsd-stable@freebsd.org Mailing FreeBSD-STABLE" <freebsd-stable@freebsd.org>
Subject:   ipsec/gif(4) tunnel not working: traffic not appearing on the gif(4) interface after deciphering
Message-ID:  <30327deb-2d28-90e2-6069-0706f4ea5eee@norma.perm.ru>

Hello,


I have a FreeBSD 11.1 box with 2 public IPs that has two tunnels to 
another FreeBSD box with 1 public IP. One of these tunnels is working, 
the other isn't. Long story short: I have some experience in ipsec 
tunnel setup, and I supposed that I had configured everything properly, 
and to illustrate this I've loaded if_enc(4) on the 11.1 and it does 
show the traffic for the second gif:


Here I ping the target troublesome host (2 public IPs) from the remote 
(1 public IP) and the tcpdump is launched on the receiver:

===Cut===

# tcpdump -npi enc0 host 83.222.68.177
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enc0, link-type ENC (OpenBSD encapsulated IP), capture size 262144 bytes

12:00:58.218256 (authentic): SPI 0x0c00b77c: IP 188.17.155.29 > 83.222.68.177: ESP(spi=0x0ffc906c,seq=0x14c), length 132
12:00:58.218271 (authentic,confidential): SPI 0x0ffc906c: IP 188.17.155.29 > 83.222.68.177: IP 172.16.0.68 > 172.16.0.67: ICMP echo request, id 24591, seq 121, length 64 (ipip-proto-4)
12:00:59.232761 (authentic): SPI 0x0c00b77c: IP 188.17.155.29 > 83.222.68.177: ESP(spi=0x0ffc906c,seq=0x14d), length 132
12:00:59.232773 (authentic,confidential): SPI 0x0ffc906c: IP 188.17.155.29 > 83.222.68.177: IP 172.16.0.68 > 172.16.0.67: ICMP echo request, id 24591, seq 122, length 64 (ipip-proto-4)
^C
12 packets captured
574 packets received by filter
0 packets dropped by kernel

===Cut===

From this output I conclude that the IPSec is working, since the kernel 
is able to decipher the packets. But for some mysterious reason this 
traffic isn't showing on the gif(4) (of course I have allowed all the 
traffic on the enc(4) itself); tcpdump shows nothing. If pinging in the 
opposite direction, tcpdump shows outgoing packets, enc(4) shows both 
(remote replies successfully), but once again, there are no incoming 
packets on the gif(4). There would be a simple answer if I had just 
misconfigured addressing on the gif(4), but I see no errors:


===Cut===

# ifconfig gif3
gif3: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1400
        description: idk2 <---> alamics
        options=80000<LINKSTATE>
        tunnel inet 83.222.68.177 --> 188.17.155.29
        inet 172.16.0.67 --> 172.16.0.68 netmask 0xffffffff
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
        groups: gif

===Cut===

Since I don't have identical tunnel IP pairs I don't need 
net.link.gif.parallel_tunnels (right ?), so my final guess - either 
there's something around having two tunnels to the same destination or 
some bug in 11.1.


Any ideas ?


Eugene.
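The enc0 capture in the post shows each packet twice: the `(authentic)` entry still carries the ESP header, and the `(authentic,confidential)` entry is the decrypted IP-in-IP payload that should then reach the gif(4). The Python below is an added example, not code from the post or from FreeBSD: it parses such tcpdump enc(4) lines and an `ifconfig gifN` listing, then checks whether the decrypted packets' outer endpoints and inner addresses are the mirror image of the gif's tunnel pair and point-to-point pair, and whether any two gif interfaces share an outer (local, remote) pair, which is the case net.link.gif.parallel_tunnels exists for. The sample tcpdump and gif3 lines are the ones from the post, rejoined onto single lines; the second gif configuration is constructed, with a placeholder local address that is not on the page.

```python
import re
from collections import Counter

# Sample input: the enc0 tcpdump lines from the post, rejoined onto single lines.
ENC_DUMP = """\
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enc0, link-type ENC (OpenBSD encapsulated IP), capture size 262144 bytes
12:00:58.218256 (authentic): SPI 0x0c00b77c: IP 188.17.155.29 > 83.222.68.177: ESP(spi=0x0ffc906c,seq=0x14c), length 132
12:00:58.218271 (authentic,confidential): SPI 0x0ffc906c: IP 188.17.155.29 > 83.222.68.177: IP 172.16.0.68 > 172.16.0.67: ICMP echo request, id 24591, seq 121, length 64 (ipip-proto-4)
12:00:59.232761 (authentic): SPI 0x0c00b77c: IP 188.17.155.29 > 83.222.68.177: ESP(spi=0x0ffc906c,seq=0x14d), length 132
12:00:59.232773 (authentic,confidential): SPI 0x0ffc906c: IP 188.17.155.29 > 83.222.68.177: IP 172.16.0.68 > 172.16.0.67: ICMP echo request, id 24591, seq 122, length 64 (ipip-proto-4)
12 packets captured
"""

# Sample input: the gif3 listing from the post.
GIF3_IFCONFIG = """\
gif3: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1400
        description: idk2 <---> alamics
        options=80000<LINKSTATE>
        tunnel inet 83.222.68.177 --> 188.17.155.29
        inet 172.16.0.67 --> 172.16.0.68 netmask 0xffffffff
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
        groups: gif
"""

# Constructed second tunnel to the same remote; 192.0.2.1 is a placeholder for the
# box's other public IP, which the post does not give.
GIF_OTHER_IFCONFIG = """\
gif2: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1400
        tunnel inet 192.0.2.1 --> 188.17.155.29
        inet 172.16.0.65 --> 172.16.0.66 netmask 0xffffffff
"""

# One enc(4) record: timestamp, flags set by the IPsec transforms, SPI, outer IPs, payload.
ENC_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) \((?P<flags>[^)]*)\): SPI (?P<spi>0x[0-9a-fA-F]+): "
    r"IP (?P<osrc>[\d.]+) > (?P<odst>[\d.]+): (?P<rest>.*)$"
)
# Payload of a decrypted record: the inner IP-in-IP packet.
INNER_RE = re.compile(r"^IP (?P<isrc>[\d.]+) > (?P<idst>[\d.]+): (?P<proto>.*)$")


def parse_enc(text):
    """Parse tcpdump enc(4) output; banner and summary lines are skipped."""
    pkts = []
    for line in text.splitlines():
        m = ENC_RE.match(line.strip())
        if not m:
            continue
        p = m.groupdict()
        p["flags"] = set(p["flags"].split(","))
        inner = INNER_RE.match(p["rest"])
        p["inner"] = (inner["isrc"], inner["idst"]) if inner else None
        pkts.append(p)
    return pkts


def parse_gif(text):
    """Extract the outer tunnel pair and the inner point-to-point pair from ifconfig gifN."""
    cfg = {"name": text.split(":", 1)[0].strip()}
    for line in text.splitlines():
        m = re.search(r"tunnel inet ([\d.]+) --> ([\d.]+)", line)
        if m:
            cfg["tunnel_local"], cfg["tunnel_remote"] = m.groups()
        m = re.search(r"^\s*inet ([\d.]+) --> ([\d.]+) netmask", line)
        if m:
            cfg["inet_local"], cfg["inet_remote"] = m.groups()
    return cfg


def spi_histogram(pkts):
    """How many enc(4) records each SA produced; shows AH and ESP passes separately."""
    return Counter(p["spi"] for p in pkts)


def check_decrypted_against_gif(pkts, gif):
    """For every fully decrypted (confidential) record, require the outer src/dst to be the
    reverse of the gif tunnel pair and the inner src/dst to be the reverse of the inet pair.
    Returns (number of decrypted records, list of mismatches)."""
    decrypted = [p for p in pkts if "confidential" in p["flags"] and p["inner"]]
    mismatches = []
    for p in decrypted:
        if (p["osrc"], p["odst"]) != (gif["tunnel_remote"], gif["tunnel_local"]):
            mismatches.append((p["ts"], "outer", p["osrc"], p["odst"]))
        if p["inner"] != (gif["inet_remote"], gif["inet_local"]):
            mismatches.append((p["ts"], "inner", *p["inner"]))
    return len(decrypted), mismatches


def duplicate_outer_pairs(cfgs):
    """Return (ifname_a, ifname_b) for gif interfaces sharing the same outer tunnel pair."""
    seen, dups = {}, []
    for c in cfgs:
        key = (c["tunnel_local"], c["tunnel_remote"])
        if key in seen:
            dups.append((seen[key], c["name"]))
        else:
            seen[key] = c["name"]
    return dups


if __name__ == "__main__":
    pkts = parse_enc(ENC_DUMP)
    gif3 = parse_gif(GIF3_IFCONFIG)
    print("records per SPI:", dict(spi_histogram(pkts)))
    print("decrypted, mismatches:", check_decrypted_against_gif(pkts, gif3))
    print("duplicate tunnel pairs:", duplicate_outer_pairs([gif3, parse_gif(GIF_OTHER_IFCONFIG)]))
```

An empty mismatch list with a non-zero decrypted count reproduces the poster's conclusion: the SA decrypts and the addresses line up with gif3, so the loss is somewhere between enc(4) and the gif input path rather than in the tunnel addressing. A non-empty `duplicate_outer_pairs` result is the one configuration where the parallel_tunnels sysctl would matter.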



