Bug #2993
closed
IPsec in transport mode, tunneled traffic does not flow through enc0
Added by Jim Pingle over 11 years ago.
Updated about 10 years ago.
Description
When using IPsec in transport mode, the arriving packets show as arriving encrypted on the physical interface, but the packets never show up on enc0. However, they are actually received and processed by the OS, as reply packets are issued and are seen leaving enc0.
This happens on 2.0.x and 2.1.
Because of the way the traffic arrives, the packets never hit pf, so they don't get a state in the inbound direction. Due to that, the usual asymmetric state issues occur: ICMP works once a reply makes a state, same for UDP and other stateless protocols, but TCP is broken unless you manually add a floating rule to pass out traffic with any TCP flags and use sloppy state.
Test VMs are currently setup and available with tunnels to test/debug.
Per Ermal, I tried setting net.inet.ipsec.filtertunnel=1 but it didn't affect the traffic, it still doesn't show incoming packets on enc0.
OK, so net.inet.ipsec.filtertunnel=1 does get the traffic to pf, but it does not get it into tcpdump.
To see the traffic in tcpdump, you also need to set net.enc.in.ipsec_bpf_mask=1
Either of those changes may negatively impact the processing of tunneled (not transport mode) traffic, but in cases where there are only transport mode entries being used, it will help.
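The manual workaround described in the report, written out as a pf.conf fragment. This is an added example, not a rule from the ticket or from pfSense itself; the interface name and the placement as a floating (interface-less) rule are assumptions. It pairs the two sysctls with the rule they are meant to make unnecessary, so the rule can be removed once the inner traffic is reaching pf and creating states normally.

```pf
# Added example (not from the ticket). Transport-mode IPsec workaround:
#
# 1) Make the decrypted inner packets visible to pf and to tcpdump on enc0.
#    These are sysctl settings, not pf rules; they are listed here only so the
#    whole workaround is in one place:
#      net.inet.ipsec.filtertunnel=1      (inner traffic reaches pf)
#      net.enc.in.ipsec_bpf_mask=1        (inner traffic reaches bpf/tcpdump)
#
# 2) Until the inbound inner packets create states, replies leaving enc0 have
#    no matching state. Accept them anyway with a floating rule that ignores
#    TCP flag sequencing and uses sloppy state tracking.
#    Caveat: this weakens stateful inspection for every outbound TCP flow that
#    matches it, so restrict the addresses to the transport-mode peers
#    (placeholder networks below) and drop the rule once filtertunnel=1 gives
#    proper inbound states.

transport_peers = "{ 192.0.2.10, 198.51.100.20 }"   # assumed peer addresses

pass out quick proto tcp from any to $transport_peers \
    flags any keep state (sloppy)
```

With `filtertunnel=1` in effect, remember that the inner traffic is evaluated against the rules of the interface the ESP packets arrived on, so any pass rules for the decrypted flows belong there rather than on the IPsec tab.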
Just to note what I have discovered:
When using transport mode, setting the net.inet.ipsec.filtertunnel=1 sysctl does make it possible to filter the inner IPsec traffic and create states based upon it. However, the ruleset being matched is the ruleset on the interface on which the encrypted traffic arrived, NOT on the IPsec tab! This makes sense if you think about it, but might be a bit unexpected.
- Assignee set to Ermal Luçi
I will take a look at seeing if I can make this less tricky.
- Target version changed from 2.1 to 2.2
- Affected Version changed from 2.1 to All
not a regression, pushing to 2.2
- Status changed from New to Feedback
Patch committed.
Needs to be confirmed fixed with newer snapshots.
- Status changed from Feedback to Resolved
Seems to work properly now, thanks!