IPsec filtertunnel broken on FreeBSD 10

Nicolas DEFFAYET nicolas-ml at deffayet.com
Fri Feb 7 13:40:42 UTC 2014


On Fri, 2014-02-07 at 12:44 +0000, Nicolas DEFFAYET wrote:

Hello Andrey,

Hmm, after a long time (more than 30 secs), I finally see the packet
exchange on FreeBSD 10-RELEASE:
13:32:46.135752 (authentic,confidential): SPI 0x06bb885e: IP
ipwan-remote > ipwan-local: GREv0, length 64: IP iptunnel-remote.20044 >
iptunnel-local.22: Flags [S], seq 209981237, win 65535, options [mss
1460,nop,wscale 6,sackOK,TS val 1966114362 ecr 0], length 0
13:32:46.135852 (authentic,confidential): SPI 0x0ebc5f9b: IP ipwan-local
> ipwanremote: GREv0, length 64: IP iptunnel-local.22 >
iptunnel-remote.20044: Flags [S.], seq 2240012658, ack 209981238, win
65535, options [mss 1460,nop,wscale 6,sackOK,TS val 3945107127 ecr
1966114362], length 0

I don't know why it takes so long (I use the -n flag in tcpdump to disable name
resolution). So people who don't see the packet exchange on enc0 may be
impatient like me.

But the problem is still here, as you can see below:

ipfw
00100 allow log logamount 100 ip from any to any via gre3
=> packets not seen by rule 100, as there is nothing in the log and nothing in
the counters

pf
@0 pass log quick on gre3 all flags S/SA keep state
=> packets not seen by rule 0, as there is nothing in the log and nothing in the counters

To generate these packets, I use ICMP echo/echo-reply (ping) and an SSH
client-server (TCP 22).

Of course, I have tested changing gre3 to em0 to make sure that ipfw
and pf logging work.


On FreeBSD 10.0-RELEASE:
- packets are visible on enc0 in both directions with the default net.enc
settings if you are patient
- ipfw doesn't see the incoming packet (no match)
- pf doesn't see the incoming packet (no match)

On FreeBSD 9.1-RELEASE everything works fine with the same configuration.


Gleb Smirnoff wrote
(http://lists.freebsd.org/pipermail/freebsd-stable/2014-January/076903.html):
"nothing has changed in pf in regards to its ipsec handling"


So the bug _seems_ to be related to ipsec, as both ipfw and pf don't see
the packet.


Thanks

-- 
Nicolas DEFFAYET
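Added example, not part of Nicolas's mail or of FreeBSD: a small Python parser for the `tcpdump -n -i enc0` records quoted above. The sample input is constructed from those two records (with the author's placeholder hostnames, plus one constructed ICMP record so the non-TCP path is exercised). It rejoins the lines tcpdump wraps, extracts the IPsec flags, SPI, outer and inner endpoints and TCP flags, and then checks the observation made above, that traffic appears on enc0 in both directions, by classifying each SPI as inbound or outbound relative to the local WAN address.

```python
import re

# Constructed sample (not captured output): the two enc0 records from the
# mail as tcpdump -n wraps them, plus one constructed ICMP echo record.
SAMPLE_ENC0 = """\
13:32:46.135752 (authentic,confidential): SPI 0x06bb885e: IP
ipwan-remote > ipwan-local: GREv0, length 64: IP iptunnel-remote.20044 >
iptunnel-local.22: Flags [S], seq 209981237, win 65535, options [mss
1460,nop,wscale 6,sackOK,TS val 1966114362 ecr 0], length 0
13:32:46.135852 (authentic,confidential): SPI 0x0ebc5f9b: IP ipwan-local
> ipwan-remote: GREv0, length 64: IP iptunnel-local.22 >
iptunnel-remote.20044: Flags [S.], seq 2240012658, ack 209981238, win
65535, options [mss 1460,nop,wscale 6,sackOK,TS val 3945107127 ecr
1966114362], length 0
13:32:50.000000 (authentic,confidential): SPI 0x06bb885e: IP
ipwan-remote > ipwan-local: GREv0, length 108: IP iptunnel-remote >
iptunnel-local: ICMP echo request, id 1234, seq 1, length 64
"""

# A record starts with a timestamp; anything else is a wrapped continuation.
TS_RE = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d+ ")

# enc0 record: IPsec flags, SPI, outer IP header, encapsulation, inner IP header.
REC_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) "
    r"\((?P<ipsec>[^)]*)\): SPI (?P<spi>0x[0-9a-fA-F]+): "
    r"IP (?P<outer_src>\S+) > (?P<outer_dst>\S+): "
    r"(?P<encap>\w+), length (?P<outer_len>\d+): "
    r"IP (?P<inner_src>\S+) > (?P<inner_dst>\S+): (?P<rest>.*)$"
)
FLAGS_RE = re.compile(r"^Flags \[([^\]]*)\]")


def unwrap_records(text):
    """Rejoin tcpdump output that was wrapped across several lines."""
    records = []
    for line in text.splitlines():
        if TS_RE.match(line):
            records.append(line.rstrip())
        elif records and line.strip():
            records[-1] += " " + line.strip()
    return records


def classify_inner(rest):
    """Return (protocol, tcp_flags) for the text after the inner IP header."""
    m = FLAGS_RE.match(rest)
    if m:
        return "tcp", m.group(1)
    if rest.startswith("UDP"):
        return "udp", None
    if rest.startswith("ICMP"):
        return "icmp", None
    return "other", None


def split_endpoint(endpoint, has_port):
    """tcpdump prints host.port for TCP/UDP only; split on the last dot then."""
    if has_port:
        host, _, port = endpoint.rpartition(".")
        if port.isdigit():
            return host, int(port)
    return endpoint, None


def parse_record(line):
    """Parse one unwrapped enc0 record into a dict, or None if it is not one."""
    m = REC_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rest = rec.pop("rest")
    rec["ipsec"] = tuple(rec["ipsec"].split(","))
    rec["outer_len"] = int(rec["outer_len"])
    rec["inner_proto"], rec["tcp_flags"] = classify_inner(rest)
    has_port = rec["inner_proto"] in ("tcp", "udp")
    rec["inner_src_host"], rec["inner_src_port"] = split_endpoint(rec["inner_src"], has_port)
    rec["inner_dst_host"], rec["inner_dst_port"] = split_endpoint(rec["inner_dst"], has_port)
    return rec


def parse_enc0(text):
    return [r for r in (parse_record(l) for l in unwrap_records(text)) if r]


def spi_directions(records, local_wan):
    """Map each SPI to 'out' or 'in' relative to the local WAN address."""
    return {r["spi"]: ("out" if r["outer_src"] == local_wan else "in") for r in records}


def both_directions_seen(records, local_wan):
    """True when enc0 shows decrypted inbound and encrypted outbound traffic."""
    return {"in", "out"} <= set(spi_directions(records, local_wan).values())


if __name__ == "__main__":
    recs = parse_enc0(SAMPLE_ENC0)
    for r in recs:
        print(r["ts"], r["spi"], r["inner_proto"], r["inner_src"], "->", r["inner_dst"], r["tcp_flags"])
    print("both directions on enc0:", both_directions_seen(recs, "ipwan-local"))
```

If `both_directions_seen` is true but the ipfw or pf counters on the inner interface stay at zero, the capture on enc0 has done its job and the gap lies between decapsulation and the firewall hooks, which is the point the mail is making.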
