kern/143593: [ipsec] When using IPSec, tcpdump doesn't show outgoing packets on gif interface

Bjoern A. Zeeb bz at FreeBSD.org
Sat Feb 6 22:05:08 UTC 2010


On Sat, 6 Feb 2010, Eugene Grosbein wrote:

Hi Eugene,

> The following reply was made to PR kern/143593; it has been noted by GNATS.
>
> From: Eugene Grosbein <eugen at grosbein.pp.ru>
> To: Vadim Fedorenko <junk at fromru.com>
> Cc: bug-followup at freebsd.org
> Subject: Re: kern/143593: [ipsec] When using IPSec, tcpdump doesn't show outgoing
> packets on gif interface
> Date: Sat, 06 Feb 2010 13:21:37 +0700
>
> Hi!
>
> This is not a bug but some misunderstanding how IPSEC tunnel mode works.
> You need not use gif tunnel and IPSEC tunnel at once.

But still you could for various reasons.

> You should use IPSEC transport mode with gif or IPSEC tunnel mode
> without gif.
>
> In fact, for IPSEC tunnel mode your kernel encrypts and encapsulates
> outgoing packets
> before it chooses outgoing interface. And IPSEC-encapsulated packet already
> has B.B.B.B as destination IP so it is not routed to your gif-tunnel.
> Instead, it is routed to your real network interface, therefore tcpdump
> -i gif0 does not show it.
>
> Just  change your IPSEC configuration to transport mode
> keeping your gif configuration unchanged.
> Then outgoing packets will be routed to gif0 by means of routing table
> (and not by IPSEC tunnel mode config) and tcpdump will show them.
> Gif tunnel will encapsulate them and only then they will be encrypted
> with IPSEC and sent.
>
> I suggest this PR be closed. Please ask this type of questions in the
> lists first.


While what you say is best practice and will mitigate the problem, there is
a known problem here nonetheless.

I think kern/121642 was one of the original submissions and this
should be marked as a duplicate and possibly migrated there.  There
are more slightly similar problems reported (kern/110959, ...)

I think similar strange results might be seen if stacking gif and gre
w/o IPsec (or maybe it was gif in gif).

-- 
Bjoern A. Zeeb         It will not break if you know what you are doing.

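The two configurations discussed above, side by side, as an added example that is not part of the thread: the first policy set is the tunnel-mode setup that bypasses gif0, the second is the transport-mode-over-gif setup Eugene recommends. The syntax is setkey(8) as loaded from /etc/ipsec.conf on FreeBSD; A.A.A.A and B.B.B.B are the tunnel endpoints from the PR, while the inner prefixes 10.1.1.0/24 and 10.2.2.0/24 and the gif point-to-point addresses 192.168.100.1/.2 are assumptions made for the example. Load only one of the two sets.

```conf
# Added example, not from the original mail. Placeholder addresses:
# A.A.A.A / B.B.B.B are the real endpoints (from the PR); the 10.x inner
# prefixes and 192.168.100.x gif addresses are assumed for illustration.
spdflush;

# (1) Tunnel mode, the configuration behind the PR.  The policy matches
#     the *inner* packet.  The kernel then wraps it in a new IP header
#     addressed to B.B.B.B and only afterwards does the route lookup, so
#     the result leaves via the real interface.  gif0 is never consulted,
#     which is why "tcpdump -i gif0" shows nothing outbound.
spdadd 10.1.1.0/24 10.2.2.0/24 any -P out ipsec esp/tunnel/A.A.A.A-B.B.B.B/require;
spdadd 10.2.2.0/24 10.1.1.0/24 any -P in  ipsec esp/tunnel/B.B.B.B-A.A.A.A/require;

# (2) Transport mode over gif, the recommended setup.  gif0 is configured
#     and routed normally, e.g. (assumed values):
#       ifconfig gif0 create
#       ifconfig gif0 tunnel A.A.A.A B.B.B.B
#       ifconfig gif0 inet 192.168.100.1 192.168.100.2 netmask 255.255.255.252
#       route add -net 10.2.2.0/24 192.168.100.2
#     The inner packet is routed to gif0 first (so tcpdump sees it in
#     clear), gif emits IPv4-in-IPv4 (protocol 4, "ipencap") from A.A.A.A
#     to B.B.B.B, and only that encapsulated packet is ESP-protected:
spdadd A.A.A.A B.B.B.B ipencap -P out ipsec esp/transport//require;
spdadd B.B.B.B A.A.A.A ipencap -P in  ipsec esp/transport//require;
```

With set (2) loaded, "tcpdump -i gif0" shows the plaintext inner packets and "tcpdump -i <real interface> esp" shows the encrypted IP-in-IP traffic. One caveat: the ipencap upperspec matches only IPv4 carried in IPv4; if gif carries IPv6 (protocol 41), a separate policy for that protocol is needed or the transport-mode SA will not cover it.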