Bug #7774

No TCP Reply State Established on GRE in IPsec Transport

Added by Chris Linstruth 4 months ago. Updated 12 days ago.

Status: New
Priority: Normal
Assignee:
Category: IPsec
Target version:
Start date: 08/16/2017
Due date:
% Done: 0%
Affected Version: 2.3.4_1
Affected Architecture:

Description

Reply state not established in pf for TCP connections through GRE tunnel when IPsec transport mode enabled between the GRE endpoints.

GRE-Issue.png (52.2 KB) Chris Linstruth, 08/16/2017 01:39 AM

History

#1 Updated by Chris Linstruth 4 months ago

Disable IPsec Transport on both sides, routing over the GRE tunnel.

On Host A1:

$ telnet -4 smtp.gmail.com 587
Trying 173.194.202.108...
Connected to gmail-smtp-msa.l.google.com.
Escape character is '^]'.
220 smtp.gmail.com ESMTP z9sm326570pfl.125 - gsmtp

pfSense A
re0 tcp 173.194.202.108:587 <- 172.25.232.227:38800 ESTABLISHED:ESTABLISHED
[1982525214 + 29312] wscale 8 [55123363 + 42497] wscale 7
age 00:00:50, expires in 119:59:10, 3:2 pkts, 164:164 bytes, rule 136
id: 0000000059e51bf7 creatorid: df46ccaa
gre0 tcp 172.25.232.227:38800 -> 173.194.202.108:587 ESTABLISHED:ESTABLISHED
[55123363 + 42497] wscale 7 [1982525214 + 29312] wscale 8
age 00:00:50, expires in 119:59:10, 3:2 pkts, 164:164 bytes, rule 104
id: 0000000059e51bf8 creatorid: df46ccaa

pfSense C
gre0 tcp 173.194.202.108:587 <- 172.25.232.227:38800 ESTABLISHED:ESTABLISHED
[1982525214 + 29312] wscale 8 [55123363 + 42497] wscale 7
age 00:01:25, expires in 23:58:35, 3:2 pkts, 164:164 bytes, rule 86
id: 000000005993d384 creatorid: 2bd5edb5
re1 tcp 172.25.228.232:2233 (172.25.232.227:38800) -> 173.194.202.108:587 ESTABLISHED:ESTABLISHED
[55123363 + 42497] wscale 7 [1982525214 + 29312] wscale 8
age 00:01:25, expires in 23:58:35, 3:2 pkts, 164:164 bytes, rule 77
id: 000000005993d385 creatorid: 2bd5edb5

Skipping ICMP and UDP. They work too.

Enable IPsec Transport on both sides.

pfSense A
con81894: ESTABLISHED 13 seconds ago, 172.25.228.5[172.25.228.5]...172.25.228.232[172.25.228.232]
con81894: IKEv2 SPIs: deb82e851e4ff884_i* 6eb81d836ca81f5b_r, pre-shared key reauthentication in 7 hours
con81894: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
con8{8405}: INSTALLED, TRANSPORT, reqid 657, ESP SPIs: c6721d5c_i c7b5a0c8_o
con8{8405}: AES_CBC_256/HMAC_SHA1_96, 113472 bytes_i (2012 pkts, 0s ago), 214688 bytes_o (2012 pkts, 0s ago), rekeying in 45 minutes
con8{8405}: 172.25.228.5/32|/0 === 172.25.228.232/32|/0

pfSense C
con14: ESTABLISHED 75 seconds ago, 172.25.228.232[172.25.228.232]...172.25.228.5[172.25.228.5]
con14: IKEv2 SPIs: deb82e851e4ff884_i 6eb81d836ca81f5b_r*, pre-shared key reauthentication in 7 hours
con14: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
con1{5}: INSTALLED, TRANSPORT, reqid 1, ESP SPIs: c7b5a0c8_i c6721d5c_o
con1{5}: AES_CBC_256/HMAC_SHA1_96, 533152 bytes_i (9942 pkts, 1s ago), 1045264 bytes_o (9942 pkts, 1s ago), rekeying in 42 minutes
con1{5}: 172.25.228.232/32|/0 === 172.25.228.5/32|/0

$ ping smtp.gmail.com
PING gmail-smtp-msa.l.google.com (74.125.135.108) 56(84) bytes of data.
64 bytes from pl-in-f108.1e100.net (74.125.135.108): icmp_seq=1 ttl=42 time=38.8 ms
64 bytes from pl-in-f108.1e100.net (74.125.135.108): icmp_seq=2 ttl=42 time=39.0 ms
64 bytes from pl-in-f108.1e100.net (74.125.135.108): icmp_seq=3 ttl=42 time=40.2 ms
64 bytes from pl-in-f108.1e100.net (74.125.135.108): icmp_seq=4 ttl=42 time=57.3 ms

pfSense A
re0 icmp 74.125.135.108:24287 <- 172.25.232.227:24287 0:0
age 00:02:25, expires in 00:00:10, 145:142 pkts, 12180:11928 bytes, rule 136
id: 0000000059e5226b creatorid: a822d69d
gre0 icmp 172.25.232.227:24287 -> 74.125.135.108:24287 0:0
age 00:02:25, expires in 00:00:10, 145:0 pkts, 12180:0 bytes, rule 104
id: 0000000059e5226c creatorid: a822d69d

pfSense C
re1 icmp 172.25.228.232:10941 (172.25.232.227:24287) -> 74.125.135.108:10941 0:0
age 00:02:57, expires in 00:00:10, 178:174 pkts, 14952:14616 bytes, rule 77
id: 000000005993d39d creatorid: 131255b0
gre0 icmp 74.125.135.108:24287 -> 172.25.232.227:24287 0:0
age 00:02:57, expires in 00:00:09, 174:0 pkts, 14616:0 bytes, rule 75
id: 000000005993d39e creatorid: 131255b0

$ dig +short @8.8.8.8 www.google.com
172.217.4.132

pfSense A
re0 udp 8.8.8.8:53 <- 172.25.232.227:43051 SINGLE:MULTIPLE
age 00:00:27, expires in 00:02:03, 1:1 pkts, 71:87 bytes, rule 136
id: 0000000059e526eb creatorid: a822d69d
gre0 udp 172.25.232.227:43051 -> 8.8.8.8:53 SINGLE:NO_TRAFFIC
age 00:00:27, expires in 00:04:33, 1:0 pkts, 71:0 bytes, rule 104
id: 0000000059e526ec creatorid: a822d69d

pfSense C
re1 udp 172.25.228.232:36073 (172.25.232.227:57354) -> 8.8.8.8:53 MULTIPLE:SINGLE
age 00:00:08, expires in 00:00:22, 1:1 pkts, 71:87 bytes, rule 77
id: 000000005993d3ba creatorid: 131255b0
gre0 udp 8.8.8.8:53 -> 172.25.232.227:57354 SINGLE:NO_TRAFFIC
age 00:00:08, expires in 00:00:52, 1:0 pkts, 87:0 bytes, rule 75
id: 000000005993d3bb creatorid: 131255b0

And, finally, the problem...

$ telnet -4 smtp.gmail.com 587
Trying 74.125.28.108...
[no connection]

pfSense A
re0 tcp 74.125.28.108:587 <- 172.25.232.227:58602 CLOSED:SYN_SENT
[0 + 29200] [1044382442 + 1]
age 00:00:31, expires in 00:14:44, 5:0 pkts, 300:0 bytes, rule 136
id: 0000000059e52a5b creatorid: a822d69d
gre0 tcp 172.25.232.227:58602 -> 74.125.28.108:587 SYN_SENT:CLOSED
[1044382442 + 1] [0 + 29200]
age 00:00:31, expires in 00:14:44, 5:0 pkts, 300:0 bytes, rule 104
id: 0000000059e52a5c creatorid: a822d69d

pfSense C
re1 tcp 172.25.228.232:60507 (172.25.232.227:58602) -> 74.125.28.108:587 ESTABLISHED:SYN_SENT
[1044382442 + 42496] wscale 7 [2989914714 + 1305081782] wscale 8
age 00:00:22, expires in 00:00:24, 5:6 pkts, 300:360 bytes, rule 77
id: 000000005993d3c3 creatorid: 131255b0

No state on GRE... Reply traffic gets dropped.
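
The state tables above can be triaged mechanically. The following is an added example, not part of the report and not pfSense or pf code: a small parser for `pfctl -ss -vv` style entries that flags TCP states whose handshake never completed. It relies on two pf conventions that the report's own output illustrates: the `N:M pkts` counter lists packets first in the direction that created the state, then replies; and the TCP state pair is printed as left-host:right-host, so `SYN_SENT:CLOSED` on gre0 (and the mirrored `CLOSED:SYN_SENT` on re0) means only the SYN was ever seen, while `ESTABLISHED:SYN_SENT` on pfSense C's re1 means the SYN-ACK went out but the final ACK never came back. The sample inputs are copied from the tables in this report. The check is deliberately limited to TCP: the ICMP and UDP runs above show gre0 states with zero reply packets (`145:0 pkts`, `1:0 pkts`) even though those protocols worked, so a zero reply counter on the tunnel interface is not by itself a problem for them.

```python
"""Flag TCP states in `pfctl -ss -vv` output whose handshake never completed.

Added example for triaging the symptom in this report; not pfSense or pf code.
It assumes the multi-line state layout shown above and pf's conventions that
"N:M pkts" counts packets first in the direction that created the state and
that the TCP state pair is printed as left-host:right-host.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

STATE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<proto>tcp|udp|icmp)\s+(?P<left>\S+)\s+"
    r"(?:\((?P<nat>[^)\s]+)\)\s+)?(?P<dir><-|->)\s+(?P<right>\S+)\s+"
    r"(?P<st_left>[^:\s]+):(?P<st_right>[^:\s]+)$")
AGE_RE = re.compile(r"^age (?P<age>\d+:\d+:\d+), expires in [\d:]+, "
                    r"(?P<p_fwd>\d+):(?P<p_rev>\d+) pkts, \d+:\d+ bytes, rule \d+$")
# What a pf TCP state pair (initiator side, responder side) says about the
# three-way handshake; both pairs occur in the report above.
HANDSHAKE_STAGE = {
    ("SYN_SENT", "CLOSED"): "SYN sent, no SYN-ACK seen",
    ("ESTABLISHED", "SYN_SENT"): "SYN-ACK seen, final ACK never arrived",
}

# Constructed samples, copied from the state tables in this report.
HEALTHY_A = """\
re0 tcp 173.194.202.108:587 <- 172.25.232.227:38800 ESTABLISHED:ESTABLISHED
[1982525214 + 29312] wscale 8 [55123363 + 42497] wscale 7
age 00:00:50, expires in 119:59:10, 3:2 pkts, 164:164 bytes, rule 136
id: 0000000059e51bf7 creatorid: df46ccaa
gre0 tcp 172.25.232.227:38800 -> 173.194.202.108:587 ESTABLISHED:ESTABLISHED
age 00:00:50, expires in 119:59:10, 3:2 pkts, 164:164 bytes, rule 104
"""
BROKEN_A = """\
re0 tcp 74.125.28.108:587 <- 172.25.232.227:58602 CLOSED:SYN_SENT
age 00:00:31, expires in 00:14:44, 5:0 pkts, 300:0 bytes, rule 136
gre0 tcp 172.25.232.227:58602 -> 74.125.28.108:587 SYN_SENT:CLOSED
age 00:00:31, expires in 00:14:44, 5:0 pkts, 300:0 bytes, rule 104
"""
BROKEN_C = """\
re1 tcp 172.25.228.232:60507 (172.25.232.227:58602) -> 74.125.28.108:587 ESTABLISHED:SYN_SENT
age 00:00:22, expires in 00:00:24, 5:6 pkts, 300:360 bytes, rule 77
"""


@dataclass
class PfState:
    iface: str
    proto: str
    initiator: str  # pre-NAT address:port of the side that opened the flow
    responder: str
    st_init: str    # pf state of the initiator side (a counter for udp/icmp)
    st_resp: str
    age: int        # seconds
    pkts_fwd: int   # packets in the direction that created the state
    pkts_rev: int   # reply packets matched to this state


def parse_states(text: str) -> List[PfState]:
    """Parse pfctl -ss -vv style entries; sequence, id and unknown lines are skipped."""
    states, head = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = STATE_RE.match(line)
        if m:
            head = m.groupdict()
            continue
        a = AGE_RE.match(line)
        if not (a and head):
            continue
        # pf prints inbound states as "responder <- initiator" and outbound ones
        # as "initiator (pre-NAT initiator) -> responder"; normalise both forms.
        if head["dir"] == "->":
            init, resp, st_i, st_r = head["nat"] or head["left"], head["right"], head["st_left"], head["st_right"]
        else:
            init, resp, st_i, st_r = head["right"], head["left"], head["st_right"], head["st_left"]
        h, mnt, sec = (int(x) for x in a["age"].split(":"))
        states.append(PfState(head["iface"], head["proto"], init, resp, st_i, st_r,
                              h * 3600 + mnt * 60 + sec, int(a["p_fwd"]), int(a["p_rev"])))
        head = None
    return states


def stalled_tcp(states: List[PfState], min_age: int = 10) -> List[Tuple[PfState, str]]:
    """Return (state, reason) for TCP states at least min_age seconds old whose
    handshake is incomplete; younger states are skipped so a SYN sent a moment
    ago is not reported."""
    found = []
    for s in states:
        if s.proto != "tcp" or s.age < min_age:
            continue
        reason = HANDSHAKE_STAGE.get((s.st_init, s.st_resp))
        if reason is None and s.pkts_rev == 0:
            reason = "no reply packets matched this state"
        if reason:
            found.append((s, reason))
    return found


if __name__ == "__main__":
    for name, sample in (("A, IPsec off", HEALTHY_A), ("A, IPsec on", BROKEN_A), ("C, IPsec on", BROKEN_C)):
        for s, why in stalled_tcp(parse_states(sample)):
            print("%s: %s %s -> %s: %s (%d sent, %d replies)" % (name, s.iface, s.initiator, s.responder, why, s.pkts_fwd, s.pkts_rev))
```

Run against a live box with `pfctl -ss -vv | python3 this_script.py` after swapping the embedded samples for `sys.stdin.read()`. On the IPsec-off sample nothing is reported; on the IPsec-on samples both of pfSense A's states come back as "SYN sent, no SYN-ACK seen" and pfSense C's re1 state as "SYN-ACK seen, final ACK never arrived", which is the reply-path loss the report describes. The `min_age` threshold keeps a SYN that was sent a moment ago from being reported as a failure.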

#2 Updated by Chris Linstruth 4 months ago

Looks very similar to #6637.

#3 Updated by Chris Linstruth 4 months ago

Updated both VMs to 2.4-BETA. Same behavior.

#4 Updated by Jim Thompson 4 months ago

  • Assignee set to Luiz Souza

#5 Updated by Renato Botelho 3 months ago

  • Target version changed from 2.4.0 to 2.4.1

#6 Updated by Jim Pingle 2 months ago

  • Target version changed from 2.4.1 to 2.4.2

Moving target to 2.4.2 as we need 2.4.1 sooner than anticipated.

#7 Updated by Jim Pingle about 2 months ago

  • Target version changed from 2.4.2 to 2.4.3

#8 Updated by Jorge Albarenque 12 days ago

Is this the same as #4479? Any hopes this can be fixed? I think the other bug report got lost track of.
