Bug #2993

closed

IPsec in transport mode, tunneled traffic does not flow through enc0

Added by Jim Pingle over 8 years ago. Updated about 7 years ago.

Status: Resolved
Priority: Normal
Assignee: Ermal Luçi
Category: IPsec
Target version:
Start date: 05/15/2013
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Release Notes:
Affected Version: All
Affected Architecture:

Description

When using IPsec in transport mode, the arriving packets show as arriving encrypted on the physical interface, but the packets never show up on enc0. However, they are actually received and processed by the OS, as reply packets are issued and are seen leaving enc0.

This happens on 2.0.x and 2.1.

Because of the way the traffic arrives, the packets never hit pf, so they don't get a state in the inbound direction. Due to that, the usual asymmetric state issues occur: ICMP works once a reply makes a state, same for UDP and other stateless protocols, but TCP is broken unless you manually add a floating rule to pass out traffic with any TCP flags and use sloppy state.

Test VMs are currently set up and available with tunnels to test/debug.

Actions #1

Updated by Jim Pingle over 8 years ago

Per Ermal, I tried setting net.inet.ipsec.filtertunnel=1 but it didn't affect the traffic; it still doesn't show incoming packets on enc0.

Actions #2

Updated by Jim Pingle over 8 years ago

OK, so net.inet.ipsec.filtertunnel=1 does get the traffic to pf, but it does not get it into tcpdump.

To see the traffic in tcpdump, you also need to set net.enc.in.ipsec_bpf_mask=1

Either of those changes may negatively impact the processing of tunneled (not transport mode) traffic, but in cases where there are only transport mode entries being used, it will help.

Actions #3

Updated by Per von Zweigbergk over 8 years ago

Just to note what I have discovered:

When using transport mode, setting the net.inet.ipsec.filtertunnel=1 sysctl does make it possible to filter the inner IPsec traffic and create states based upon it. However, the ruleset being matched is the ruleset on the interface on which the encrypted traffic arrived, NOT on the IPsec tab! This makes sense if you think about it, but might be a bit unexpected.

Actions #4

Updated by Ermal Luçi over 8 years ago

  • Assignee set to Ermal Luçi

I will take a look at seeing if I can make this less tricky.

Actions #5

Updated by Chris Buechler about 8 years ago

  • Target version changed from 2.1 to 2.2
  • Affected Version changed from 2.1 to All

not a regression, pushing to 2.2

Actions #6

Updated by Ermal Luçi about 7 years ago

  • Status changed from New to Feedback

Patch committed.

Needs to be confirmed fixed with newer snapshots.

Actions #7

Updated by Jim Pingle about 7 years ago

  • Status changed from Feedback to Resolved

Seems to work properly now, thanks!
