IPsec filtertunnel broken on FreeBSD 10

Nicolas DEFFAYET nicolas-ml at deffayet.com
Fri Feb 14 22:35:50 UTC 2014


On Thu, 2014-02-06 at 23:21 +0100, Nicolas DEFFAYET wrote: 
> Hello,
> 
> The IPsec filtertunnel is broken on FreeBSD 10: incoming decapsulated packets are not going to the firewall.
> 
> This issue affects 10.0-RELEASE and 10.0-STABLE.
> 9.1-RELEASE and 9.2-RELEASE are not affected.
> 
> Of course the sysctl shows that filtertunnel is enabled:
> net.inet.ipsec.filtertunnel=1
> net.inet6.ipsec.filtertunnel=1
> 
> This issue is serious as it's not possible to use a firewall (ipfw/pf) to
> secure a gre/gif/l2tp IPsec tunnel, as the incoming decapsulated packets
> are not seen by the firewall.
> 
> Many people have reported the issue on forums.freebsd.org and a bug
> report has been opened:
> http://www.freebsd.org/cgi/query-pr.cgi?pr=kern/185876
> 
> To try to provide a fix, I have run a diff on the kernel source in the net,
> netinet, netinet6 and netipsec folders between 9.2-RELEASE and
> 10.0-RELEASE, but I haven't found what change could break IPsec
> filtertunnel.

I have done another couple of tests; please find the traces below:

host1 re0 192.168.0.1 <- cable -> re0 192.168.0.2 host2

host1 is running FreeBSD 9.1
host2 is running FreeBSD 10.0

Without IPsec, everything works fine: host1 can ssh to host2 and vice versa

Now IPsec is enabled on the link between host1 and host2

host1# cat /etc/ipsec.conf 
flush;
spdflush;
spdadd 192.168.0.1/32 192.168.0.2/32 any -P out ipsec
esp/tunnel/192.168.0.1-192.168.0.2/require;
spdadd 192.168.0.2/32 192.168.0.1/32 any -P in ipsec
esp/tunnel/192.168.0.2-192.168.0.1/require;

host2# cat /etc/ipsec.conf 
flush;
spdflush;
spdadd 192.168.0.2/32 192.168.0.1/32 any -P out ipsec
esp/tunnel/192.168.0.2-192.168.0.1/require;
spdadd 192.168.0.1/32 192.168.0.2/32 any -P in ipsec
esp/tunnel/192.168.0.1-192.168.0.2/require;

pf rules are simple and are set to see packets hitting the firewall:
block out log all
block in log all
pass log quick on re0 all

@0 block drop out log all
@1 block drop in log all
@2 pass log quick on re0 all flags S/SA keep state

The same thing can be done with ipfw.



Test n°1: ssh from host1 to host2

Result: FAULT (host1 can't ssh to host2)

host1 pf log:
Feb 14 21:42:33 host1 pf: 2014-02-14 21:42:32.698532 rule
2..16777216/0(match): pass in on re0: 192.168.0.2 > 192.168.0.1:
192.168.0.2.22 > 192.168.0.1.52431: Flags [S.], seq 3755304488, ack
3847832139, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val
4230148293 ecr 948855914], length 0 (ipip-proto-4)
Feb 14 21:42:33 host1 pf: 2014-02-14 21:42:32.698648 rule
1..16777216/0(match): block in on re0: 192.168.0.2.22 >
192.168.0.1.52431: Flags [S.], seq 3755304488, ack 3847832139, win
65535, options [mss 1460,nop,wscale 6,sackOK,TS val 4230148293 ecr
948855914], length 0
Feb 14 21:42:36 host1 pf: 2014-02-14 21:42:35.698696 rule
1..16777216/0(match): block in on re0: 192.168.0.2.22 >
192.168.0.1.52431: Flags [S.], seq 3755304488, ack 3847832139, win
65535, options [mss 1460,nop,wscale 6,sackOK,TS val 4230148293 ecr
948855914], length 0

host2 pf log:
empty



Test n°2: ssh from host2 to host1

Result: SUCCESS (host2 can ssh host1)

host1 pf log:
Feb 14 21:41:31 host1 pf: 2014-02-14 21:41:30.873695 rule
2..16777216/0(match): pass in on re0: 192.168.0.2.12400 >
192.168.0.1.22: Flags [S], seq 1597516146, win 65535, options [mss
1460,nop,wscale 6,sackOK,TS val 426470902 ecr 0], length 0

host2 pf log:
empty



Test n°3: skip interface test

a) "set skip on re0" (only) on host1
host1 can ssh host2
host2 can ssh host1

b) "set skip on re0" (only) on host2
host1 can't ssh host2
host2 can ssh host1

c) "set skip on re0" on host1 AND host2
host1 can ssh host2
host2 can ssh host1



Test n°4: decapsulated ipsec traffic seen by enc0 (tcpdump -s0 -nvei
enc0)

firewall disabled on host1 and host2

a) host1 ssh host2

host1
22:18:50.969341 (authentic,confidential): SPI 0x0377065e: (tos 0x10, ttl
64, id 48946, offset 0, flags [DF], proto TCP (6), length 60, bad cksum
0 (->27bd)!)
    192.168.0.1.14756 > 192.168.0.2.22: Flags [S], cksum 0xd778
(correct), seq 2948225374, win 65535, options [mss 1460,nop,wscale
6,sackOK,TS val 951034185 ecr 0], length 0
22:18:50.969351 (authentic,confidential): SPI 0x0377065e: (tos 0x10, ttl
64, id 48947, offset 0, flags [none], proto IPIP (4), length 80, bad
cksum 0 (->67aa)!)
    192.168.0.1 > 192.168.0.2: (tos 0x10, ttl 64, id 48946, offset 0,
flags [DF], proto TCP (6), length 60)
    192.168.0.1.14756 > 192.168.0.2.22: Flags [S], cksum 0xd778
(correct), seq 2948225374, win 65535, options [mss 1460,nop,wscale
6,sackOK,TS val 951034185 ecr 0], length 0
22:18:50.969677 (authentic,confidential): SPI 0x09560d48: (tos 0x0, ttl
64, id 25667, offset 0, flags [none], proto IPIP (4), length 80)
    192.168.0.2 > 192.168.0.1: (tos 0x0, ttl 64, id 25666, offset 0,
flags [DF], proto TCP (6), length 60)
    192.168.0.2.22 > 192.168.0.1.14756: Flags [S.], cksum 0xc1f3
(correct), seq 3114904911, ack 2948225375, win 65535, options [mss
1460,nop,wscale 6,sackOK,TS val 2490767876 ecr 951034185], length 0
22:18:50.969772 (authentic,confidential): SPI 0x0377065e: (tos 0x10, ttl
64, id 48948, offset 0, flags [DF], proto TCP (6), length 52, bad cksum
0 (->27c3)!)
    192.168.0.1.14756 > 192.168.0.2.22: Flags [.], cksum 0xecae
(correct), ack 1, win 1040, options [nop,nop,TS val 951034185 ecr
2490767876], length 0
22:18:50.969778 (authentic,confidential): SPI 0x0377065e: (tos 0x10, ttl
64, id 48949, offset 0, flags [none], proto IPIP (4), length 72, bad
cksum 0 (->67b0)!)
    192.168.0.1 > 192.168.0.2: (tos 0x10, ttl 64, id 48948, offset 0,
flags [DF], proto TCP (6), length 52)
    192.168.0.1.14756 > 192.168.0.2.22: Flags [.], cksum 0xecae
(correct), ack 1, win 1040, options [nop,nop,TS val 951034185 ecr
2490767876], length 0
22:18:51.001033 (authentic,confidential): SPI 0x09560d48: (tos 0x0, ttl
64, id 25669, offset 0, flags [none], proto IPIP (4), length 106)
    192.168.0.2 > 192.168.0.1: (tos 0x0, ttl 64, id 25668, offset 0,
flags [DF], proto TCP (6), length 86)
    192.168.0.2.22 > 192.168.0.1.14756: Flags [P.], cksum 0x7791
(correct), seq 1:35, ack 1, win 1040, options [nop,nop,TS val 2490767907
ecr 951034185], length 34
22:18:51.100989 (authentic,confidential): SPI 0x0377065e: (tos 0x10, ttl
64, id 48953, offset 0, flags [DF], proto TCP (6), length 52, bad cksum
0 (->27be)!)
    192.168.0.1.14756 > 192.168.0.2.22: Flags [.], cksum 0xebe9
(correct), ack 35, win 1040, options [nop,nop,TS val 951034317 ecr
2490767907], length 0
22:18:51.100996 (authentic,confidential): SPI 0x0377065e: (tos 0x10, ttl
64, id 48954, offset 0, flags [none], proto IPIP (4), length 72, bad
cksum 0 (->67ab)!)
    192.168.0.1 > 192.168.0.2: (tos 0x10, ttl 64, id 48953, offset 0,
flags [DF], proto TCP (6), length 52)
    192.168.0.1.14756 > 192.168.0.2.22: Flags [.], cksum 0xebe9
(correct), ack 35, win 1040, options [nop,nop,TS val 951034317 ecr
2490767907], length 0
22:18:52.857275 (authentic,confidential): SPI 0x0377065e: (tos 0x10, ttl
64, id 49129, offset 0, flags [DF], proto TCP (6), length 58, bad cksum
0 (->2708)!)
    192.168.0.1.14756 > 192.168.0.2.22: Flags [P.], cksum 0xfd0b
(correct), seq 1:7, ack 35, win 1040, options [nop,nop,TS val 951036073
ecr 2490767907], length 6
22:18:52.857284 (authentic,confidential): SPI 0x0377065e: (tos 0x10, ttl
64, id 49130, offset 0, flags [none], proto IPIP (4), length 78, bad
cksum 0 (->66f5)!)
    192.168.0.1 > 192.168.0.2: (tos 0x10, ttl 64, id 49129, offset 0,
flags [DF], proto TCP (6), length 58)
    192.168.0.1.14756 > 192.168.0.2.22: Flags [P.], cksum 0xfd0b
(correct), seq 1:7, ack 35, win 1040, options [nop,nop,TS val 951036073
ecr 2490767907], length 6
22:18:52.857728 (authentic,confidential): SPI 0x09560d48: (tos 0x0, ttl
64, id 25693, offset 0, flags [none], proto IPIP (4), length 91)
    192.168.0.2 > 192.168.0.1: (tos 0x0, ttl 64, id 25692, offset 0,
flags [DF], proto TCP (6), length 71)
    192.168.0.2.22 > 192.168.0.1.14756: Flags [P.], cksum 0x6121
(correct), seq 35:54, ack 7, win 1040, options [nop,nop,TS val
2490769764 ecr 951036073], length 19
22:18:52.857763 (authentic,confidential): SPI 0x09560d48: (tos 0x0, ttl
64, id 25695, offset 0, flags [none], proto IPIP (4), length 72)
    192.168.0.2 > 192.168.0.1: (tos 0x0, ttl 64, id 25694, offset 0,
flags [DF], proto TCP (6), length 52)
    192.168.0.2.22 > 192.168.0.1.14756: Flags [F.], cksum 0xddb2
(correct), seq 54, ack 7, win 1040, options [nop,nop,TS val 2490769764
ecr 951036073], length 0
22:18:52.857850 (authentic,confidential): SPI 0x0377065e: (tos 0x10, ttl
64, id 49131, offset 0, flags [DF], proto TCP (6), length 52, bad cksum
0 (->270c)!)
    192.168.0.1.14756 > 192.168.0.2.22: Flags [.], cksum 0xddb2
(correct), ack 55, win 1040, options [nop,nop,TS val 951036073 ecr
2490769764], length 0
22:18:52.857857 (authentic,confidential): SPI 0x0377065e: (tos 0x10, ttl
64, id 49132, offset 0, flags [none], proto IPIP (4), length 72, bad
cksum 0 (->66f9)!)
    192.168.0.1 > 192.168.0.2: (tos 0x10, ttl 64, id 49131, offset 0,
flags [DF], proto TCP (6), length 52)
    192.168.0.1.14756 > 192.168.0.2.22: Flags [.], cksum 0xddb2
(correct), ack 55, win 1040, options [nop,nop,TS val 951036073 ecr
2490769764], length 0
22:18:52.858107 (authentic,confidential): SPI 0x0377065e: (tos 0x10, ttl
64, id 49134, offset 0, flags [DF], proto TCP (6), length 52, bad cksum
0 (->2709)!)
    192.168.0.1.14756 > 192.168.0.2.22: Flags [F.], cksum 0xddb0
(correct), seq 7, ack 55, win 1040, options [nop,nop,TS val 951036074
ecr 2490769764], length 0
22:18:52.858115 (authentic,confidential): SPI 0x0377065e: (tos 0x10, ttl
64, id 49135, offset 0, flags [none], proto IPIP (4), length 72, bad
cksum 0 (->66f6)!)
    192.168.0.1 > 192.168.0.2: (tos 0x10, ttl 64, id 49134, offset 0,
flags [DF], proto TCP (6), length 52)
    192.168.0.1.14756 > 192.168.0.2.22: Flags [F.], cksum 0xddb0
(correct), seq 7, ack 55, win 1040, options [nop,nop,TS val 951036074
ecr 2490769764], length 0
22:18:52.858412 (authentic,confidential): SPI 0x09560d48: (tos 0x0, ttl
64, id 25697, offset 0, flags [none], proto IPIP (4), length 72)
    192.168.0.2 > 192.168.0.1: (tos 0x0, ttl 64, id 25696, offset 0,
flags [DF], proto TCP (6), length 52)
    192.168.0.2.22 > 192.168.0.1.14756: Flags [.], cksum 0xddaf
(correct), ack 8, win 1040, options [nop,nop,TS val 2490769765 ecr
951036074], length 0

host2
22:18:56.095556 (authentic,confidential): SPI 0x0377065e: (tos 0x10, ttl
64, id 48947, offset 0, flags [none], proto IPIP (4), length 80)
    192.168.0.1 > 192.168.0.2: (tos 0x10, ttl 64, id 48946, offset 0,
flags [DF], proto TCP (6), length 60)
    192.168.0.1.14756 > 192.168.0.2.22: Flags [S], cksum 0xd778
(correct), seq 2948225374, win 65535, options [mss 1460,nop,wscale
6,sackOK,TS val 951034185 ecr 0], length 0
22:18:56.095661 (authentic,confidential): SPI 0x09560d48: (tos 0x0, ttl
64, id 25666, offset 0, flags [DF], proto TCP (6), length 60, bad cksum
0 (->82bd)!)
    192.168.0.2.22 > 192.168.0.1.14756: Flags [S.], cksum 0xc1f3
(correct), seq 3114904911, ack 2948225375, win 65535, options [mss
1460,nop,wscale 6,sackOK,TS val 2490767876 ecr 951034185], length 0
22:18:56.095669 (authentic,confidential): SPI 0x09560d48: (tos 0x0, ttl
64, id 25667, offset 0, flags [none], proto IPIP (4), length 80, bad
cksum 0 (->c2aa)!)
    192.168.0.2 > 192.168.0.1: (tos 0x0, ttl 64, id 25666, offset 0,
flags [DF], proto TCP (6), length 60)
    192.168.0.2.22 > 192.168.0.1.14756: Flags [S.], cksum 0xc1f3
(correct), seq 3114904911, ack 2948225375, win 65535, options [mss
1460,nop,wscale 6,sackOK,TS val 2490767876 ecr 951034185], length 0
22:18:56.095963 (authentic,confidential): SPI 0x0377065e: (tos 0x10, ttl
64, id 48949, offset 0, flags [none], proto IPIP (4), length 72)
    192.168.0.1 > 192.168.0.2: (tos 0x10, ttl 64, id 48948, offset 0,
flags [DF], proto TCP (6), length 52)
    192.168.0.1.14756 > 192.168.0.2.22: Flags [.], cksum 0xecae
(correct), ack 1, win 1040, options [nop,nop,TS val 951034185 ecr
2490767876], length 0
22:18:56.126975 (authentic,confidential): SPI 0x09560d48: (tos 0x0, ttl
64, id 25668, offset 0, flags [DF], proto TCP (6), length 86, bad cksum
0 (->82a1)!)
    192.168.0.2.22 > 192.168.0.1.14756: Flags [P.], cksum 0x7791
(correct), seq 1:35, ack 1, win 1040, options [nop,nop,TS val 2490767907
ecr 951034185], length 34
22:18:56.126986 (authentic,confidential): SPI 0x09560d48: (tos 0x0, ttl
64, id 25669, offset 0, flags [none], proto IPIP (4), length 106, bad
cksum 0 (->c28e)!)
    192.168.0.2 > 192.168.0.1: (tos 0x0, ttl 64, id 25668, offset 0,
flags [DF], proto TCP (6), length 86)
    192.168.0.2.22 > 192.168.0.1.14756: Flags [P.], cksum 0x7791
(correct), seq 1:35, ack 1, win 1040, options [nop,nop,TS val 2490767907
ecr 951034185], length 34
22:18:56.227206 (authentic,confidential): SPI 0x0377065e: (tos 0x10, ttl
64, id 48954, offset 0, flags [none], proto IPIP (4), length 72)
    192.168.0.1 > 192.168.0.2: (tos 0x10, ttl 64, id 48953, offset 0,
flags [DF], proto TCP (6), length 52)
    192.168.0.1.14756 > 192.168.0.2.22: Flags [.], cksum 0xebe9
(correct), ack 35, win 1040, options [nop,nop,TS val 951034317 ecr
2490767907], length 0
22:18:57.983478 (authentic,confidential): SPI 0x0377065e: (tos 0x10, ttl
64, id 49130, offset 0, flags [none], proto IPIP (4), length 78)
    192.168.0.1 > 192.168.0.2: (tos 0x10, ttl 64, id 49129, offset 0,
flags [DF], proto TCP (6), length 58)
    192.168.0.1.14756 > 192.168.0.2.22: Flags [P.], cksum 0xfd0b
(correct), seq 1:7, ack 35, win 1040, options [nop,nop,TS val 951036073
ecr 2490767907], length 6
22:18:57.983671 (authentic,confidential): SPI 0x09560d48: (tos 0x0, ttl
64, id 25692, offset 0, flags [DF], proto TCP (6), length 71, bad cksum
0 (->8298)!)
    192.168.0.2.22 > 192.168.0.1.14756: Flags [P.], cksum 0x6121
(correct), seq 35:54, ack 7, win 1040, options [nop,nop,TS val
2490769764 ecr 951036073], length 19
22:18:57.983680 (authentic,confidential): SPI 0x09560d48: (tos 0x0, ttl
64, id 25693, offset 0, flags [none], proto IPIP (4), length 91, bad
cksum 0 (->c285)!)
    192.168.0.2 > 192.168.0.1: (tos 0x0, ttl 64, id 25692, offset 0,
flags [DF], proto TCP (6), length 71)
    192.168.0.2.22 > 192.168.0.1.14756: Flags [P.], cksum 0x6121
(correct), seq 35:54, ack 7, win 1040, options [nop,nop,TS val
2490769764 ecr 951036073], length 19
22:18:57.983750 (authentic,confidential): SPI 0x09560d48: (tos 0x0, ttl
64, id 25694, offset 0, flags [DF], proto TCP (6), length 52, bad cksum
0 (->82a9)!)
    192.168.0.2.22 > 192.168.0.1.14756: Flags [F.], cksum 0xddb2
(correct), seq 54, ack 7, win 1040, options [nop,nop,TS val 2490769764
ecr 951036073], length 0
22:18:57.983756 (authentic,confidential): SPI 0x09560d48: (tos 0x0, ttl
64, id 25695, offset 0, flags [none], proto IPIP (4), length 72, bad
cksum 0 (->c296)!)
    192.168.0.2 > 192.168.0.1: (tos 0x0, ttl 64, id 25694, offset 0,
flags [DF], proto TCP (6), length 52)
    192.168.0.2.22 > 192.168.0.1.14756: Flags [F.], cksum 0xddb2
(correct), seq 54, ack 7, win 1040, options [nop,nop,TS val 2490769764
ecr 951036073], length 0
22:18:57.984023 (authentic,confidential): SPI 0x0377065e: (tos 0x10, ttl
64, id 49132, offset 0, flags [none], proto IPIP (4), length 72)
    192.168.0.1 > 192.168.0.2: (tos 0x10, ttl 64, id 49131, offset 0,
flags [DF], proto TCP (6), length 52)
    192.168.0.1.14756 > 192.168.0.2.22: Flags [.], cksum 0xddb2
(correct), ack 55, win 1040, options [nop,nop,TS val 951036073 ecr
2490769764], length 0
22:18:57.984282 (authentic,confidential): SPI 0x0377065e: (tos 0x10, ttl
64, id 49135, offset 0, flags [none], proto IPIP (4), length 72)
    192.168.0.1 > 192.168.0.2: (tos 0x10, ttl 64, id 49134, offset 0,
flags [DF], proto TCP (6), length 52)
    192.168.0.1.14756 > 192.168.0.2.22: Flags [F.], cksum 0xddb0
(correct), seq 7, ack 55, win 1040, options [nop,nop,TS val 951036074
ecr 2490769764], length 0
22:18:57.984375 (authentic,confidential): SPI 0x09560d48: (tos 0x0, ttl
64, id 25696, offset 0, flags [DF], proto TCP (6), length 52, bad cksum
0 (->82a7)!)
    192.168.0.2.22 > 192.168.0.1.14756: Flags [.], cksum 0xddaf
(correct), ack 8, win 1040, options [nop,nop,TS val 2490769765 ecr
951036074], length 0
22:18:57.984384 (authentic,confidential): SPI 0x09560d48: (tos 0x0, ttl
64, id 25697, offset 0, flags [none], proto IPIP (4), length 72, bad
cksum 0 (->c294)!)
    192.168.0.2 > 192.168.0.1: (tos 0x0, ttl 64, id 25696, offset 0,
flags [DF], proto TCP (6), length 52)
    192.168.0.2.22 > 192.168.0.1.14756: Flags [.], cksum 0xddaf
(correct), ack 8, win 1040, options [nop,nop,TS val 2490769765 ecr
951036074], length 0


b) host2 ssh host1

host1
22:24:46.905154 (authentic,confidential): SPI 0x0d865338: (tos 0x10, ttl
64, id 26901, offset 0, flags [none], proto IPIP (4), length 80)
    192.168.0.2 > 192.168.0.1: (tos 0x10, ttl 64, id 26900, offset 0,
flags [DF], proto TCP (6), length 60)
    192.168.0.2.16622 > 192.168.0.1.22: Flags [S], cksum 0xa6a1
(correct), seq 3695971359, win 65535, options [mss 1460,nop,wscale
6,sackOK,TS val 429066912 ecr 0], length 0
22:24:46.905247 (authentic,confidential): SPI 0x098f7487: (tos 0x0, ttl
64, id 57083, offset 0, flags [DF], proto TCP (6), length 60, bad cksum
0 (->804)!)
    192.168.0.1.22 > 192.168.0.2.16622: Flags [S.], cksum 0x1975
(correct), seq 548844, ack 3695971360, win 65535, options [mss
1460,nop,wscale 6,sackOK,TS val 999551379 ecr 429066912], length 0
22:24:46.905255 (authentic,confidential): SPI 0x098f7487: (tos 0x0, ttl
64, id 57084, offset 0, flags [none], proto IPIP (4), length 80, bad
cksum 0 (->47f1)!)
    192.168.0.1 > 192.168.0.2: (tos 0x0, ttl 64, id 57083, offset 0,
flags [DF], proto TCP (6), length 60)
    192.168.0.1.22 > 192.168.0.2.16622: Flags [S.], cksum 0x1975
(correct), seq 548844, ack 3695971360, win 65535, options [mss
1460,nop,wscale 6,sackOK,TS val 999551379 ecr 429066912], length 0
22:24:46.905568 (authentic,confidential): SPI 0x0d865338: (tos 0x10, ttl
64, id 26903, offset 0, flags [none], proto IPIP (4), length 72)
    192.168.0.2 > 192.168.0.1: (tos 0x10, ttl 64, id 26902, offset 0,
flags [DF], proto TCP (6), length 52)
    192.168.0.2.16622 > 192.168.0.1.22: Flags [.], cksum 0x4430
(correct), ack 1, win 1040, options [nop,nop,TS val 429066912 ecr
999551379], length 0
22:24:46.930514 (authentic,confidential): SPI 0x098f7487: (tos 0x0, ttl
64, id 57085, offset 0, flags [DF], proto TCP (6), length 101, bad cksum
0 (->7d9)!)
    192.168.0.1.22 > 192.168.0.2.16622: Flags [P.], cksum 0xce26
(correct), seq 1:50, ack 1, win 1040, options [nop,nop,TS val 999551404
ecr 429066912], length 49
22:24:46.930523 (authentic,confidential): SPI 0x098f7487: (tos 0x0, ttl
64, id 57086, offset 0, flags [none], proto IPIP (4), length 121, bad
cksum 0 (->47c6)!)
    192.168.0.1 > 192.168.0.2: (tos 0x0, ttl 64, id 57085, offset 0,
flags [DF], proto TCP (6), length 101)
    192.168.0.1.22 > 192.168.0.2.16622: Flags [P.], cksum 0xce26
(correct), seq 1:50, ack 1, win 1040, options [nop,nop,TS val 999551404
ecr 429066912], length 49
22:24:47.030842 (authentic,confidential): SPI 0x0d865338: (tos 0x10, ttl
64, id 26907, offset 0, flags [none], proto IPIP (4), length 72)
    192.168.0.2 > 192.168.0.1: (tos 0x10, ttl 64, id 26906, offset 0,
flags [DF], proto TCP (6), length 52)
    192.168.0.2.16622 > 192.168.0.1.22: Flags [.], cksum 0x4368
(correct), ack 50, win 1040, options [nop,nop,TS val 429067038 ecr
999551404], length 0
22:24:48.537355 (authentic,confidential): SPI 0x0d865338: (tos 0x10, ttl
64, id 26937, offset 0, flags [none], proto IPIP (4), length 78)
    192.168.0.2 > 192.168.0.1: (tos 0x10, ttl 64, id 26936, offset 0,
flags [DF], proto TCP (6), length 58)
    192.168.0.2.16622 > 192.168.0.1.22: Flags [P.], cksum 0x5584
(correct), seq 1:7, ack 50, win 1040, options [nop,nop,TS val 429068544
ecr 999551404], length 6
22:24:48.537551 (authentic,confidential): SPI 0x098f7487: (tos 0x0, ttl
64, id 57171, offset 0, flags [DF], proto TCP (6), length 71, bad cksum
0 (->7a1)!)
    192.168.0.1.22 > 192.168.0.2.16622: Flags [P.], cksum 0xba93
(correct), seq 50:69, ack 7, win 1040, options [nop,nop,TS val 999553011
ecr 429068544], length 19
22:24:48.537559 (authentic,confidential): SPI 0x098f7487: (tos 0x0, ttl
64, id 57172, offset 0, flags [none], proto IPIP (4), length 91, bad
cksum 0 (->478e)!)
    192.168.0.1 > 192.168.0.2: (tos 0x0, ttl 64, id 57171, offset 0,
flags [DF], proto TCP (6), length 71)
    192.168.0.1.22 > 192.168.0.2.16622: Flags [P.], cksum 0xba93
(correct), seq 50:69, ack 7, win 1040, options [nop,nop,TS val 999553011
ecr 429068544], length 19
22:24:48.537618 (authentic,confidential): SPI 0x098f7487: (tos 0x0, ttl
64, id 57173, offset 0, flags [DF], proto TCP (6), length 52, bad cksum
0 (->7b2)!)
    192.168.0.1.22 > 192.168.0.2.16622: Flags [F.], cksum 0x3725
(correct), seq 69, ack 7, win 1040, options [nop,nop,TS val 999553011
ecr 429068544], length 0
22:24:48.537623 (authentic,confidential): SPI 0x098f7487: (tos 0x0, ttl
64, id 57174, offset 0, flags [none], proto IPIP (4), length 72, bad
cksum 0 (->479f)!)
    192.168.0.1 > 192.168.0.2: (tos 0x0, ttl 64, id 57173, offset 0,
flags [DF], proto TCP (6), length 52)
    192.168.0.1.22 > 192.168.0.2.16622: Flags [F.], cksum 0x3725
(correct), seq 69, ack 7, win 1040, options [nop,nop,TS val 999553011
ecr 429068544], length 0
22:24:48.537930 (authentic,confidential): SPI 0x0d865338: (tos 0x10, ttl
64, id 26939, offset 0, flags [none], proto IPIP (4), length 72)
    192.168.0.2 > 192.168.0.1: (tos 0x10, ttl 64, id 26938, offset 0,
flags [DF], proto TCP (6), length 52)
    192.168.0.2.16622 > 192.168.0.1.22: Flags [.], cksum 0x3724
(correct), ack 70, win 1040, options [nop,nop,TS val 429068545 ecr
999553011], length 0
22:24:48.538116 (authentic,confidential): SPI 0x0d865338: (tos 0x10, ttl
64, id 26942, offset 0, flags [none], proto IPIP (4), length 72)
    192.168.0.2 > 192.168.0.1: (tos 0x10, ttl 64, id 26941, offset 0,
flags [DF], proto TCP (6), length 52)
    192.168.0.2.16622 > 192.168.0.1.22: Flags [F.], cksum 0x3723
(correct), seq 7, ack 70, win 1040, options [nop,nop,TS val 429068545
ecr 999553011], length 0
22:24:48.538187 (authentic,confidential): SPI 0x098f7487: (tos 0x0, ttl
64, id 57175, offset 0, flags [DF], proto TCP (6), length 52, bad cksum
0 (->7b0)!)
    192.168.0.1.22 > 192.168.0.2.16622: Flags [.], cksum 0x3722
(correct), ack 8, win 1040, options [nop,nop,TS val 999553012 ecr
429068545], length 0
22:24:48.538206 (authentic,confidential): SPI 0x098f7487: (tos 0x0, ttl
64, id 57176, offset 0, flags [none], proto IPIP (4), length 72, bad
cksum 0 (->479d)!)
    192.168.0.1 > 192.168.0.2: (tos 0x0, ttl 64, id 57175, offset 0,
flags [DF], proto TCP (6), length 52)
    192.168.0.1.22 > 192.168.0.2.16622: Flags [.], cksum 0x3722
(correct), ack 8, win 1040, options [nop,nop,TS val 999553012 ecr
429068545], length 0

host2
22:24:52.028268 (authentic,confidential): SPI 0x0d865338: (tos 0x10, ttl
64, id 26900, offset 0, flags [DF], proto TCP (6), length 60, bad cksum
0 (->7ddb)!)
    192.168.0.2.16622 > 192.168.0.1.22: Flags [S], cksum 0xa6a1
(correct), seq 3695971359, win 65535, options [mss 1460,nop,wscale
6,sackOK,TS val 429066912 ecr 0], length 0
22:24:52.028281 (authentic,confidential): SPI 0x0d865338: (tos 0x10, ttl
64, id 26901, offset 0, flags [none], proto IPIP (4), length 80, bad
cksum 0 (->bdc8)!)
    192.168.0.2 > 192.168.0.1: (tos 0x10, ttl 64, id 26900, offset 0,
flags [DF], proto TCP (6), length 60)
    192.168.0.2.16622 > 192.168.0.1.22: Flags [S], cksum 0xa6a1
(correct), seq 3695971359, win 65535, options [mss 1460,nop,wscale
6,sackOK,TS val 429066912 ecr 0], length 0
22:24:52.028603 (authentic,confidential): SPI 0x098f7487: (tos 0x0, ttl
64, id 57084, offset 0, flags [none], proto IPIP (4), length 80)
    192.168.0.1 > 192.168.0.2: (tos 0x0, ttl 64, id 57083, offset 0,
flags [DF], proto TCP (6), length 60)
    192.168.0.1.22 > 192.168.0.2.16622: Flags [S.], cksum 0x1975
(correct), seq 548844, ack 3695971360, win 65535, options [mss
1460,nop,wscale 6,sackOK,TS val 999551379 ecr 429066912], length 0
22:24:52.028719 (authentic,confidential): SPI 0x0d865338: (tos 0x10, ttl
64, id 26902, offset 0, flags [DF], proto TCP (6), length 52, bad cksum
0 (->7de1)!)
    192.168.0.2.16622 > 192.168.0.1.22: Flags [.], cksum 0x4430
(correct), ack 1, win 1040, options [nop,nop,TS val 429066912 ecr
999551379], length 0
22:24:52.028728 (authentic,confidential): SPI 0x0d865338: (tos 0x10, ttl
64, id 26903, offset 0, flags [none], proto IPIP (4), length 72, bad
cksum 0 (->bdce)!)
    192.168.0.2 > 192.168.0.1: (tos 0x10, ttl 64, id 26902, offset 0,
flags [DF], proto TCP (6), length 52)
    192.168.0.2.16622 > 192.168.0.1.22: Flags [.], cksum 0x4430
(correct), ack 1, win 1040, options [nop,nop,TS val 429066912 ecr
999551379], length 0
22:24:52.053884 (authentic,confidential): SPI 0x098f7487: (tos 0x0, ttl
64, id 57086, offset 0, flags [none], proto IPIP (4), length 121)
    192.168.0.1 > 192.168.0.2: (tos 0x0, ttl 64, id 57085, offset 0,
flags [DF], proto TCP (6), length 101)
    192.168.0.1.22 > 192.168.0.2.16622: Flags [P.], cksum 0xce26
(correct), seq 1:50, ack 1, win 1040, options [nop,nop,TS val 999551404
ecr 429066912], length 49
22:24:52.153958 (authentic,confidential): SPI 0x0d865338: (tos 0x10, ttl
64, id 26906, offset 0, flags [DF], proto TCP (6), length 52, bad cksum
0 (->7ddd)!)
    192.168.0.2.16622 > 192.168.0.1.22: Flags [.], cksum 0x4368
(correct), ack 50, win 1040, options [nop,nop,TS val 429067038 ecr
999551404], length 0
22:24:52.153968 (authentic,confidential): SPI 0x0d865338: (tos 0x10, ttl
64, id 26907, offset 0, flags [none], proto IPIP (4), length 72, bad
cksum 0 (->bdca)!)
    192.168.0.2 > 192.168.0.1: (tos 0x10, ttl 64, id 26906, offset 0,
flags [DF], proto TCP (6), length 52)
    192.168.0.2.16622 > 192.168.0.1.22: Flags [.], cksum 0x4368
(correct), ack 50, win 1040, options [nop,nop,TS val 429067038 ecr
999551404], length 0
22:24:53.660457 (authentic,confidential): SPI 0x0d865338: (tos 0x10, ttl
64, id 26936, offset 0, flags [DF], proto TCP (6), length 58, bad cksum
0 (->7db9)!)
    192.168.0.2.16622 > 192.168.0.1.22: Flags [P.], cksum 0x5584
(correct), seq 1:7, ack 50, win 1040, options [nop,nop,TS val 429068544
ecr 999551404], length 6
22:24:53.660466 (authentic,confidential): SPI 0x0d865338: (tos 0x10, ttl
64, id 26937, offset 0, flags [none], proto IPIP (4), length 78, bad
cksum 0 (->bda6)!)
    192.168.0.2 > 192.168.0.1: (tos 0x10, ttl 64, id 26936, offset 0,
flags [DF], proto TCP (6), length 58)
    192.168.0.2.16622 > 192.168.0.1.22: Flags [P.], cksum 0x5584
(correct), seq 1:7, ack 50, win 1040, options [nop,nop,TS val 429068544
ecr 999551404], length 6
22:24:53.660903 (authentic,confidential): SPI 0x098f7487: (tos 0x0, ttl
64, id 57172, offset 0, flags [none], proto IPIP (4), length 91)
    192.168.0.1 > 192.168.0.2: (tos 0x0, ttl 64, id 57171, offset 0,
flags [DF], proto TCP (6), length 71)
    192.168.0.1.22 > 192.168.0.2.16622: Flags [P.], cksum 0xba93
(correct), seq 50:69, ack 7, win 1040, options [nop,nop,TS val 999553011
ecr 429068544], length 19
22:24:53.660947 (authentic,confidential): SPI 0x098f7487: (tos 0x0, ttl
64, id 57174, offset 0, flags [none], proto IPIP (4), length 72)
    192.168.0.1 > 192.168.0.2: (tos 0x0, ttl 64, id 57173, offset 0,
flags [DF], proto TCP (6), length 52)
    192.168.0.1.22 > 192.168.0.2.16622: Flags [F.], cksum 0x3725
(correct), seq 69, ack 7, win 1040, options [nop,nop,TS val 999553011
ecr 429068544], length 0
22:24:53.661048 (authentic,confidential): SPI 0x0d865338: (tos 0x10, ttl
64, id 26938, offset 0, flags [DF], proto TCP (6), length 52, bad cksum
0 (->7dbd)!)
    192.168.0.2.16622 > 192.168.0.1.22: Flags [.], cksum 0x3724
(correct), ack 70, win 1040, options [nop,nop,TS val 429068545 ecr
999553011], length 0
22:24:53.661055 (authentic,confidential): SPI 0x0d865338: (tos 0x10, ttl
64, id 26939, offset 0, flags [none], proto IPIP (4), length 72, bad
cksum 0 (->bdaa)!)
    192.168.0.2 > 192.168.0.1: (tos 0x10, ttl 64, id 26938, offset 0,
flags [DF], proto TCP (6), length 52)
    192.168.0.2.16622 > 192.168.0.1.22: Flags [.], cksum 0x3724
(correct), ack 70, win 1040, options [nop,nop,TS val 429068545 ecr
999553011], length 0
22:24:53.661244 (authentic,confidential): SPI 0x0d865338: (tos 0x10, ttl
64, id 26941, offset 0, flags [DF], proto TCP (6), length 52, bad cksum
0 (->7dba)!)
    192.168.0.2.16622 > 192.168.0.1.22: Flags [F.], cksum 0x3723
(correct), seq 7, ack 70, win 1040, options [nop,nop,TS val 429068545
ecr 999553011], length 0
22:24:53.661253 (authentic,confidential): SPI 0x0d865338: (tos 0x10, ttl
64, id 26942, offset 0, flags [none], proto IPIP (4), length 72, bad
cksum 0 (->bda7)!)
    192.168.0.2 > 192.168.0.1: (tos 0x10, ttl 64, id 26941, offset 0,
flags [DF], proto TCP (6), length 52)
    192.168.0.2.16622 > 192.168.0.1.22: Flags [F.], cksum 0x3723
(correct), seq 7, ack 70, win 1040, options [nop,nop,TS val 429068545
ecr 999553011], length 0
22:24:53.661541 (authentic,confidential): SPI 0x098f7487: (tos 0x0, ttl
64, id 57176, offset 0, flags [none], proto IPIP (4), length 72)
    192.168.0.1 > 192.168.0.2: (tos 0x0, ttl 64, id 57175, offset 0,
flags [DF], proto TCP (6), length 52)
    192.168.0.1.22 > 192.168.0.2.16622: Flags [.], cksum 0x3722
(correct), ack 8, win 1040, options [nop,nop,TS val 999553012 ecr
429068545], length 0



As a reminder:
- decapsulated IPsec traffic is seen on enc0 (tcpdump -s0 -nvei enc0)
- the sysctls are the default ones and are the same on host1 and host2
   net.enc.in.ipsec_bpf_mask: 1
   net.enc.in.ipsec_filter_mask: 1
   net.enc.out.ipsec_bpf_mask: 3
   net.enc.out.ipsec_filter_mask: 1

Does anyone know why there is a difference between FreeBSD 9.x and 10.x?

There is no major change in sys/netipsec, so something should be broken
in sys/net or sys/netinet, but I don't know what or how to find it.

How do I debug this? Is it possible to see if the packet is pushed to pfil
and to pf/ipfw?

Is it true or not that if a decapsulated IPsec packet is seen on enc0,
this doesn't confirm that the packet has been received by pf/ipfw?

Many thanks for your help.


-- 
Nicolas DEFFAYET
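One way to answer the last question from the captures alone, as an added example that is not part of the original post: a small Python check that parses the pf log and `tcpdump -s0 -nvei enc0` formats quoted above and reports, per host, which inbound decapsulated packets pf logged as inner (non ipip-proto-4) packets. The names Pkt, parse_pflog, parse_enc0 and check_host are mine; the host1 pf log and the host2 enc0 record are taken from Test 1 and Test 4a above, while the host1 enc0 record is constructed to match the Test 1 session (its SPI is made up).

```python
import re
from collections import namedtuple

Pkt = namedtuple("Pkt", "src sport dst dport flags")

# Inner TCP packet as pf log and enc0 capture print it ('>' may be followed
# by a newline because the post's lines are wrapped).
TCP_RE = re.compile(r"(\d+\.\d+\.\d+\.\d+)\.(\d+)\s+>\s+"
                    r"(\d+\.\d+\.\d+\.\d+)\.(\d+):\s+Flags \[([^\]]*)\]")
# pf log record: action, direction and interface.
PF_RE = re.compile(r"\(match\): (pass|block) (in|out) on (\w+):")
# Each enc0 record starts with a timestamp and the IPsec property flags.
ENC_START = re.compile(r"^\d\d:\d\d:\d\d\.\d+ \(authentic,confidential\)", re.M)

def parse_pflog(text):
    """(action, direction, iface, Pkt, is_outer) per pf log record; is_outer
    means pf tagged it '(ipip-proto-4)', i.e. the still-encapsulated packet."""
    out = []
    # split on the syslog timestamp, since records span several wrapped lines
    for rec in re.split(r"\n(?=\w{3} +\d+ \d\d:\d\d:\d\d )", text.strip()):
        m, t = PF_RE.search(rec), TCP_RE.search(rec)
        if m and t:
            pkt = Pkt(t[1], int(t[2]), t[3], int(t[4]), t[5])
            out.append((m[1], m[2], m[3], pkt, "(ipip-proto-4)" in rec))
    return out

def parse_enc0(text):
    """Decapsulated TCP packet of each enc0 record: printed directly or nested
    under an IPIP line, it is always the last TCP line of the record."""
    pkts = []
    starts = [m.start() for m in ENC_START.finditer(text)] + [len(text)]
    for a, b in zip(starts, starts[1:]):
        hits = TCP_RE.findall(text[a:b])
        if hits:
            s, sp, d, dp, fl = hits[-1]
            pkts.append(Pkt(s, int(sp), d, int(dp), fl))
    return pkts

def check_host(host_ip, enc0_text, pflog_text):
    """For every inbound decapsulated packet enc0 saw on host_ip, report whether
    pf logged the inner packet (filtertunnel working) or never saw it."""
    inner_in_pf = {p for _, dirn, _, p, outer in parse_pflog(pflog_text)
                   if dirn == "in" and not outer}
    inbound = []
    for p in parse_enc0(enc0_text):
        if p.dst == host_ip and p not in inbound:  # enc0 shows some packets twice
            inbound.append(p)
    return {"seen_by_pf": [p for p in inbound if p in inner_in_pf],
            "missing_from_pf": [p for p in inbound if p not in inner_in_pf]}

# host1 (FreeBSD 9.1) pf log from the post's Test 1: the outer ipip-proto-4
# packet passes, then the decapsulated SYN/ACK is seen again and blocked.
HOST1_PFLOG = """\
Feb 14 21:42:33 host1 pf: 2014-02-14 21:42:32.698532 rule
2..16777216/0(match): pass in on re0: 192.168.0.2 > 192.168.0.1:
192.168.0.2.22 > 192.168.0.1.52431: Flags [S.], seq 3755304488, ack
3847832139, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val
4230148293 ecr 948855914], length 0 (ipip-proto-4)
Feb 14 21:42:33 host1 pf: 2014-02-14 21:42:32.698648 rule
1..16777216/0(match): block in on re0: 192.168.0.2.22 >
192.168.0.1.52431: Flags [S.], seq 3755304488, ack 3847832139, win
65535, options [mss 1460,nop,wscale 6,sackOK,TS val 4230148293 ecr
948855914], length 0
"""
# Constructed enc0 record for host1 matching that SYN/ACK (SPI is made up).
HOST1_ENC0 = """\
21:42:32.698500 (authentic,confidential): SPI 0x01234567: (tos 0x0, ttl
64, id 25667, offset 0, flags [none], proto IPIP (4), length 80)
    192.168.0.2 > 192.168.0.1: (tos 0x0, ttl 64, id 25666, offset 0,
flags [DF], proto TCP (6), length 60)
    192.168.0.2.22 > 192.168.0.1.52431: Flags [S.], cksum 0xc1f3
(correct), seq 3755304488, ack 3847832139, win 65535, options [mss
1460,nop,wscale 6,sackOK,TS val 4230148293 ecr 948855914], length 0
"""
# host2 (FreeBSD 10.0): enc0 record from the post's Test 4a; its pf log is empty.
HOST2_ENC0 = """\
22:18:56.095556 (authentic,confidential): SPI 0x0377065e: (tos 0x10, ttl
64, id 48947, offset 0, flags [none], proto IPIP (4), length 80)
    192.168.0.1 > 192.168.0.2: (tos 0x10, ttl 64, id 48946, offset 0,
flags [DF], proto TCP (6), length 60)
    192.168.0.1.14756 > 192.168.0.2.22: Flags [S], cksum 0xd778
(correct), seq 2948225374, win 65535, options [mss 1460,nop,wscale
6,sackOK,TS val 951034185 ecr 0], length 0
"""

if __name__ == "__main__":
    print("host1", check_host("192.168.0.1", HOST1_ENC0, HOST1_PFLOG))
    print("host2", check_host("192.168.0.2", HOST2_ENC0, ""))
```

A packet listed under missing_from_pf was decapsulated (enc0 saw it) but never reached pf as an inner packet, which is exactly the symptom reported for host2.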


