kern/143593: [ipsec] When using IPSec, tcpdump doesn't show outgoing packets on gif interface
Bjoern A. Zeeb
bz at FreeBSD.org
Sat Feb 6 22:10:04 UTC 2010
The following reply was made to PR kern/143593; it has been noted by GNATS.
From: "Bjoern A. Zeeb" <bz at FreeBSD.org>
To: Eugene Grosbein <eugen at grosbein.pp.ru>
Cc: freebsd-net at FreeBSD.org, bug-followup at FreeBSD.org, junk at fromru.com
Subject: Re: kern/143593: [ipsec] When using IPSec, tcpdump doesn't show outgoing packets on gif interface
Date: Sat, 6 Feb 2010 22:02:01 +0000 (UTC)
On Sat, 6 Feb 2010, Eugene Grosbein wrote:
Hi Eugene,
> The following reply was made to PR kern/143593; it has been noted by GNATS.
>
> From: Eugene Grosbein <eugen at grosbein.pp.ru>
> To: Vadim Fedorenko <junk at fromru.com>
> Cc: bug-followup at freebsd.org
> Subject: Re: kern/143593: [ipsec] When using IPSec, tcpdump doesn't show outgoing
> packets on gif interface
> Date: Sat, 06 Feb 2010 13:21:37 +0700
>
> Hi!
>
> This is not a bug but some misunderstanding of how IPSEC tunnel mode works.
> You need not use gif tunnel and IPSEC tunnel at once.
But still you could for various reasons.
> You should use IPSEC transport mode with gif or IPSEC tunnel mode
> without gif.
>
> In fact, for IPSEC tunnel mode your kernel encrypts and encapsulates
> outgoing packets
> before it chooses outgoing interface. And IPSEC-encapsulated packet already
> has B.B.B.B as destination IP so it is not routed to your gif-tunnel.
> Instead, it is routed to your real network interface, therefore tcpdump
> -i gif0 does not show it.
>
> Just change your IPSEC configuration to transport mode
> keeping your gif configuration unchanged.
> Then outgoing packets will be routed to gif0 by means of routing table
> (and not by IPSEC tunnel mode config) and tcpdump will show them.
> Gif tunnel will encapsulate them and only then they will be encrypted
> with IPSEC and sent.
>
> I suggest this PR be closed. Please ask this type of question in the
> lists first.
While what you say is best practice and will mitigate the problem, there is
a known problem here nonetheless.
I think kern/121642 was one of the original submissions and this
should be marked as a duplicate and possibly migrated there. There
are more slightly similar problems reported (kern/110959, ...)
I think similar strange results might be seen if stacking gif and gre
w/o IPsec (or maybe it was gif in gif).
--
Bjoern A. Zeeb
It will not break if you know what you are doing.
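The two configurations Eugene contrasts above, written out as a setkey(8) policy file (FreeBSD loads such a file with `setkey -f`, typically from /etc/ipsec.conf). This is an added illustration, not part of the PR or of either poster's message. The outer endpoint B.B.B.B comes from the thread; A.A.A.A (the local outer address), the inner networks 10.0.1.0/24 and 10.0.2.0/24, the gif0 addresses and the ifconfig/route lines in the comments are constructed placeholders. Security associations are not shown; they would come from IKE (for example racoon) or manual `add` statements.

```conf
# --- Variant 1: tunnel-mode policy matching the inner traffic (the PR's setup).
# The SPD lookup happens on the inner packet before the route lookup, so the
# kernel wraps it in ESP addressed to B.B.B.B and the result is routed out the
# physical interface; gif0 never sees it and `tcpdump -i gif0` stays empty.
# (All addresses below are constructed placeholders.)
spdadd 10.0.1.0/24 10.0.2.0/24 any -P out ipsec esp/tunnel/A.A.A.A-B.B.B.B/require;
spdadd 10.0.2.0/24 10.0.1.0/24 any -P in  ipsec esp/tunnel/B.B.B.B-A.A.A.A/require;

# --- Variant 2: gif carries the inner traffic, transport-mode ESP protects gif.
# gif0 is configured first (shell commands, shown here as comments):
#   ifconfig gif0 create
#   ifconfig gif0 tunnel A.A.A.A B.B.B.B
#   ifconfig gif0 inet 10.0.1.1 10.0.2.1 netmask 255.255.255.255
#   route add -net 10.0.2.0/24 10.0.2.1
# Inner packets are now routed to gif0 by the routing table (visible in
# cleartext with `tcpdump -ni gif0`), gif encapsulates them as IP-in-IP
# (protocol 4, "ipencap" in /etc/protocols; use "ipv6" for an IPv6 payload),
# and only that encapsulated packet, A.A.A.A -> B.B.B.B, matches the policy
# and is encrypted. The ESP packets can be checked with `tcpdump -ni em0 esp`.
spdadd A.A.A.A B.B.B.B ipencap -P out ipsec esp/transport//require;
spdadd B.B.B.B A.A.A.A ipencap -P in  ipsec esp/transport//require;
```

Only one of the two variants should be loaded at a time; with `require`, traffic that matches a policy but has no usable SA is dropped rather than sent in the clear, which is the behaviour to keep for a site-to-site link. The transport-mode policy is deliberately narrow (outer endpoints and protocol 4 only), so unrelated traffic between A.A.A.A and B.B.B.B is not silently affected.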