kern/101400: some packets do not pass through IPSEC tunnel

Alexander Shkurko read at
Sat Aug 5 09:10:14 UTC 2006

>Number:         101400
>Category:       kern
>Synopsis:       some packets do not pass through IPSEC tunnel
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Aug 05 09:10:12 GMT 2006
>Originator:     Alexander Shkurko
>Release:        FreeBSD 6.1
FreeBSD 6.1-RELEASE FreeBSD 6.1-RELEASE #0: Wed May 31 15:49:03 UTC 2006     xxxxxxxxx at  i386
The problem appeared when FreeBSD 5.2.1 was changed to FreeBSD 6.1 (not an upgrade, a change).
IPSEC is used in tunnel mode.
When an ESP packet is fragmented and the second part of the packet is 24 bytes, the packet is dropped at the remote side of the tunnel. If the size of the second part of the fragmented ESP packet is larger or smaller, the packet passes. I tested this on different servers in different countries with different pairs of servers. I found that the following are affected by the problem:
FreeBSD 6.1 with FreeBSD 6.1
FreeBSD 6.1 with FreeBSD 5.2.1

FreeBSD 5.2.1 with FreeBSD 5.2.1: not affected

(In all examples the configuration of the IPSEC tunnel is identical, I mean racoon.conf and the IPSEC policy in the kernel.)
If you need some configuration files, I'm ready to send them.

And finally I show a dump.
When I do
ping -s 1424 -S 192.168.xx2.250 192.168.xx1.250
I get
11:53:49.656190 IP (tos 0x0, ttl  57, id 3208, offset 0, flags [+], proto: ESP (50), length: 1500) > ESP(spi=0x08933a69,seq=0x57c8), length 1480
11:53:49.658065 IP (tos 0x0, ttl  57, id 3208, offset 1480, flags [none], proto: ESP (50), length: 24) > esp

The remote side receives the ESP packets but fails to extract the encrypted ICMP packet from them; without any warning it simply drops them.
Run at one side of the tunnel:
ping -s 1424 internal_ip_in_other_side_of_tunnel

In my case the size of the ICMP packet must be from 1419 to 1426; if it is smaller or larger, the packet passes.


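The numbers in the dump can be reproduced from plain ESP and IPv4 fragmentation arithmetic. The second fragment has an IP total length of 24, i.e. only 4 bytes of ESP payload after the 20-byte header. The following Python script is an added worked example, not part of the PR or of any FreeBSD code; since the report does not include racoon.conf, it assumes 3DES-CBC (8-byte IV and 8-byte cipher block), a 96-bit HMAC (12-byte ICV), 20-byte IPv4 headers without options and a 1500-byte path MTU. Under those assumptions it computes the outer ESP datagram length for a given ping -s value, splits it into fragments the way an IPv4 sender does, and scans a range of sizes to find which ones produce the 24-byte tail fragment; the 1419 to 1426 range reported above falls out of that scan.

```python
# Added example (not from the bug report or FreeBSD): fragmentation arithmetic
# for an ESP tunnel-mode datagram carrying an ICMP echo request.
# Assumptions (racoon.conf is not shown in the report): 3DES-CBC, so an 8-byte
# IV and 8-byte cipher block; HMAC-SHA1-96 or HMAC-MD5-96, so a 12-byte ICV;
# plain 20-byte IPv4 headers; a 1500-byte MTU on the outer path.

IPV4_HDR = 20
ICMP_HDR = 8
ESP_HDR = 8      # SPI (4) + sequence number (4)
ESP_IV = 8       # 3DES-CBC IV (assumption)
ESP_BLOCK = 8    # 3DES cipher block size (assumption)
ESP_ICV = 12     # HMAC-*-96 authenticator (assumption)
MTU = 1500


def esp_tunnel_length(ping_data: int) -> int:
    """Total length of the outer IPv4 datagram that carries, in ESP tunnel
    mode, an ICMP echo request with ping_data payload bytes (the ping -s value)."""
    inner = IPV4_HDR + ICMP_HDR + ping_data
    # ESP trailer: pad so that payload + padding + pad-length byte + next-header
    # byte is a multiple of the cipher block size (RFC 4303, section 2.4).
    unpadded = inner + 2
    padded = (unpadded + ESP_BLOCK - 1) // ESP_BLOCK * ESP_BLOCK
    esp = ESP_HDR + ESP_IV + padded + ESP_ICV
    return IPV4_HDR + esp


def fragment_lengths(total_length: int, mtu: int = MTU) -> list[int]:
    """IPv4 total lengths (header included) of the fragments a sender emits for
    a datagram of total_length bytes over a link with the given MTU. Every
    fragment but the last carries a payload that is a multiple of 8 bytes."""
    payload = total_length - IPV4_HDR
    max_payload = (mtu - IPV4_HDR) // 8 * 8
    if payload <= max_payload:
        return [total_length]
    frags = []
    while payload > max_payload:
        frags.append(IPV4_HDR + max_payload)
        payload -= max_payload
    frags.append(IPV4_HDR + payload)
    return frags


def ping_sizes_with_tail_fragment(tail_total: int, lo: int = 1400, hi: int = 1500) -> list[int]:
    """ping -s values in [lo, hi] whose ESP datagram is fragmented and whose
    last fragment has exactly tail_total bytes, IP header included."""
    hits = []
    for size in range(lo, hi + 1):
        frags = fragment_lengths(esp_tunnel_length(size))
        if len(frags) > 1 and frags[-1] == tail_total:
            hits.append(size)
    return hits


if __name__ == "__main__":
    for size in (1418, 1419, 1424, 1426, 1427):
        total = esp_tunnel_length(size)
        print(f"ping -s {size}: outer length {total}, fragments {fragment_lengths(total)}")
    print("sizes giving a 24-byte tail fragment:", ping_sizes_with_tail_fragment(24))
```

For ping -s 1424 the inner packet is 1452 bytes; with the 2-byte pad-length/next-header tail it rounds up to 1456, and 8 + 8 + 1456 + 12 gives a 1484-byte ESP payload, which matches the "length 1480" first fragment plus a 4-byte tail, and so an IP total length of 24 for the second fragment. Any ping -s from 1419 to 1426 pads to the same 1456 bytes, which is why the reporter sees the drop only in that window: one byte more gives a 32-byte second fragment, one byte less needs no fragmentation at all. With AES (16-byte IV and block) the boundaries shift, so the script takes the cipher parameters as constants that can be changed to match the real racoon.conf.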