kern/147894: IPv6-in-IPv4 does not work inside an ESP-only IPsec tunnel

Alex alex323 at gmail.com
Tue Jun 15 23:20:01 UTC 2010


	Note: There was a bad value `severe' for the field `>Severity:'.
	It was set to the default value of `serious'.


>Number:         147894
>Category:       kern
>Synopsis:       IPv6-in-IPv4 does not work inside an ESP-only IPsec tunnel
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Jun 15 23:20:00 UTC 2010
>Closed-Date:
>Last-Modified:
>Originator:     Alex
>Release:        FreeBSD 8.1-PRERELEASE amd64
>Organization:
>Environment:
System: FreeBSD orion 8.1-PRERELEASE FreeBSD 8.1-PRERELEASE #4: Sun Jun
13 20:18:56 EDT 2010 alex at orion:/usr/obj/usr/src/sys/ORION amd64

>Description:
I have my gif interface set up as follows:

gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1280
	tunnel inet a.a.a.a --> b.b.b.b
	inet6 ::c prefixlen 64

...and the opposite on the other end. The IPsec mode is tunnel, and
one computer is behind NAT (the packets are all forwarded properly).
Moreover, AH is not enabled... just ESP. The configuration I have just
described works correctly when the internal addresses are IPv4. However,
when they are IPv6, the actual packets I try to send do not get sent.
More specifically, no outgoing ESP packets appear in Wireshark at all.

Again to reiterate: This exact same setup works when the internal tunnel
addresses are IPv4. I do not feel that the problem is racoon2, because
the keys are successfully negotiated, as shown below:

local-ipv4-address remote-ipv4-address
	esp mode=tunnel spi=256424725(0x0f48bb15) reqid=0(0x00000000)
	E: rijndael-cbc  43932af0 a2ebdf0e 9ed8eb89 3b4f9725 3f1874d3 87a7afad cbcc7e3f dc028a40
	A: hmac-sha2-512  38645b32 3deafb39 45b01b66 58015299 a730a96a f5fac1c2 ae87348d 2fe3c181 b22a4b80 a6ccdbc0 b3ae5125 cb5e4849 19e51766 21d0c773 343c6a64 52058686
	seq=0x00000000 replay=64 flags=0x00000000 state=mature
	created: Jun 15 19:00:32 2010	current: Jun 15 19:02:08 2010
	diff: 96(s)	hard: 14400(s)	soft: 12814(s)
	last:                     	hard: 0(s)	soft: 0(s)
	current: 0(bytes)	hard: 0(bytes)	soft: 0(bytes)
	allocated: 0	hard: 0	soft: 0
	sadb_seq=1 pid=34759 refcnt=2

remote-ipv4-address local-ipv4-address
	esp mode=tunnel spi=23667040(0x01692160) reqid=0(0x00000000)
	E: rijndael-cbc  902fb88f fd628086 a914db5e 594cad58 3bad517a 9153b5ee 1e57c579 f8bff311
	A: hmac-sha2-512  587cb5ff 6caf0da4 bbb2ecad 056fb008 c362fc69 70be67b2 29a484a9 4df8e5c9 7cb52ac6 c37fc674 8d896722 b1e7ee6b d6c0ef7b 2a815807 7bb394ae 1ba4b294
	seq=0x00000000 replay=64 flags=0x00000000 state=mature
	created: Jun 15 19:00:32 2010	current: Jun 15 19:02:08 2010
	diff: 96(s)	hard: 14400(s)	soft: 11544(s)
	last:                     	hard: 0(s)	soft: 0(s)
	current: 0(bytes)	hard: 0(bytes)	soft: 0(bytes)
	allocated: 0	hard: 0	soft: 0
	sadb_seq=0 pid=34759 refcnt=1

IPSEC_NAT_T is enabled in both kernels.
>How-To-Repeat:
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted:
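
Both SAs in the dump above are state=mature yet show current: 0(bytes), which is consistent with no ESP packets leaving the host. As an added example (not part of the original report), this Python script parses a dump in that layout, the format printed by `setkey -D`, and lists negotiated SAs that have protected no traffic; the sample input is constructed and the function names are hypothetical.

```python
import re

# Constructed sample in the layout of the dump above: documentation-range
# addresses, key lines omitted, and a second SA that has carried traffic.
SAMPLE = """\
192.0.2.1 198.51.100.2
\tesp mode=tunnel spi=256424725(0x0f48bb15) reqid=0(0x00000000)
\tseq=0x00000000 replay=64
\tflags=0x00000000 state=mature created: Jun 15 19:00:32 2010
\tcurrent: Jun 15 19:02:08 2010 diff: 96(s)\thard: 14400(s)
\tsoft: 0(s) current: 0(bytes)\thard: 0(bytes)\tsoft:
\t0(bytes) allocated: 0\thard: 0\tsoft: 0 sadb_seq=1

198.51.100.2 192.0.2.1
\tesp mode=tunnel spi=23667040(0x01692160) reqid=0(0x00000000)
\tseq=0x0000002a replay=64 flags=0x00000000 state=mature
\tcurrent: 5376(bytes)\thard: 0(bytes)\tsoft: 0(bytes)
\tallocated: 42\thard: 0\tsoft: 0 sadb_seq=0
"""

def _field(body, pattern):
    m = re.search(pattern, body)
    return m.group(1) if m else None

def parse_sad(text):
    """Parse an SA dump; a non-indented line (src dst) starts a new entry."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue                       # blank lines may sit inside an entry
        if not line[0].isspace():
            src, dst = line.split()[:2]
            entries.append({"src": src, "dst": dst, "body": ""})
        elif entries:
            entries[-1]["body"] += " " + line.strip()
    for e in entries:
        b = e.pop("body")                  # wrapped fields are joined, then matched
        nbytes = _field(b, r"current:\s*(\d+)\(bytes\)")
        e.update(proto=_field(b, r"(\w+) mode="), mode=_field(b, r"mode=(\w+)"),
                 spi=_field(b, r"spi=\d+\((0x[0-9a-f]+)\)"),
                 state=_field(b, r"state=(\w+)"),
                 bytes=None if nbytes is None else int(nbytes))
    return entries

def idle_mature_sas(text):
    """SAs that are negotiated (state=mature) but have protected zero bytes."""
    return [sa for sa in parse_sad(text)
            if sa["state"] == "mature" and sa["bytes"] == 0]
```

A mature SA with a zero byte counter while traffic is being generated points at policy matching or the output path rather than key negotiation.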

