Bug #7774: No TCP Reply State Established on GRE in IPsec Transport - pfSense - pfSense bugtracker

Custom queries

2.4.5-p1 - Resolved/Closed
2.5.0 - Resolved/Closed
2.5.1 - Resolved/Closed
2.5.2 - Resolved/Closed
2.6.0 - Resolved/Closed
2.7.0 - Resolved/Closed
2.7.1 - All Open Issues
2.7.1 - Resolved/Closed
2.7.2 - Resolved/Closed
2.8.0 - All Open Bugs
2.8.0 - All Open Features
2.8.0 - All Open Issues
2.8.0 - All Open Regressions
2.8.0 - Feedback
2.8.0 - Needs Attention
2.8.0 - New/Confirmed
2.8.0 - Pull Requests
2.8.0 - Regressions affecting 2.7.0
2.8.0 - Resolved/Closed
21.02.2/2.5.1 - Resolved/Closed
21.05 Plus - All Closed Issues
21.05.1 Plus Target - All Closed Issues
21.05.1 Target - All Closed Issues
22.01 Plus - All Closed Issues
22.01 Target - All Closed Issues
22.05 Plus - All Closed Issues
22.05 Target - All Closed Issues
23.01 Plus - All Closed Issues
23.01 Target - All Closed Issues
23.05 Plus - All Closed Issues
23.05 Target - All Closed Issues
23.05.1 Plus - All Closed Issues
23.05.1 Target - All Closed Issues
23.09 Plus - All Closed Issues
23.09 Target - All Closed Issues
23.09.1 Plus - All Closed Issues
23.09.1 Target - All Closed Issues
24.03 Plus - All Closed Issues
24.03 Target - All Closed Issues
24.07 Plus - All Closed Issues
24.07 Plus - All Open Issues
24.07 Plus - Feedback Issues
24.07 Plus - Needs Attention/Work
24.07 Plus - New/Confirmed/In Progress Issues
24.07 Plus - Pull Request Review
24.07 Plus - Waiting on Merge
24.07 Target - All Closed Issues
24.07 Target - All Open Issues
All Open Issues assigned to Me
All Open Pull Requests
Any Target - All Open Regressions
Any Target - Feedback Issues
CE-Next - All Closed Issues (Move to specific target)
CE-Next - All Open Issues
CE-Next - Feedback (Likely needs target changed)
New Issues by Category - Future Target
New Issues by Category - No Target
New Issues by Category - No Target+Future
No Target - All Open Issues (Base Only)
No Target - New Issues (Base Only)
No Target - New Issues (Base and Packages)
Release Notes - Plus Target Version (DO NOT EDIT)
Release Notes - Target Version (DO NOT EDIT)

Actions

Copy link

Bug #7774

closed

No TCP Reply State Established on GRE in IPsec Transport

Added by Chris Linstruth over 6 years ago. Updated almost 6 years ago.

Status:

Duplicate

Priority:

Normal

Assignee:

Luiz Souza

Category:

IPsec

Target version:

2.4.4

Start date:

08/16/2017

Due date:

% Done:

Estimated time:

Plus Target Version:

Release Notes:

Affected Version:

2.3.4_1

Affected Architecture:

Description

Reply state not established in pf for TCP connections through GRE tunnel when IPsec transport mode enabled between the GRE endpoints.

Files

GRE-Issue.png (52.2 KB) GRE-Issue.png

Chris Linstruth, 08/16/2017 01:39 AM

History
Notes
Property changes

Actions

Copy link

Updated by Chris Linstruth over 6 years ago

File GRE-Issue.png GRE-Issue.png added

Disable IPsec Transport on both sides routing over GRE tunnel.

On Host A1:

$ telnet -4 smtp.gmail.com 587
Trying 173.194.202.108...
Connected to gmail-smtp-msa.l.google.com.
Escape character is '^]'.
220 smtp.gmail.com ESMTP z9sm326570pfl.125 - gsmtp

pfSense A
re0 tcp 173.194.202.108:587 <- 172.25.232.227:38800 ESTABLISHED:ESTABLISHED
[1982525214 + 29312] wscale 8 [55123363 + 42497] wscale 7
age 00:00:50, expires in 119:59:10, 3:2 pkts, 164:164 bytes, rule 136
id: 0000000059e51bf7 creatorid: df46ccaa
gre0 tcp 172.25.232.227:38800 -> 173.194.202.108:587 ESTABLISHED:ESTABLISHED
[55123363 + 42497] wscale 7 [1982525214 + 29312] wscale 8
age 00:00:50, expires in 119:59:10, 3:2 pkts, 164:164 bytes, rule 104
id: 0000000059e51bf8 creatorid: df46ccaa

pfSense C
gre0 tcp 173.194.202.108:587 <- 172.25.232.227:38800 ESTABLISHED:ESTABLISHED
[1982525214 + 29312] wscale 8 [55123363 + 42497] wscale 7
age 00:01:25, expires in 23:58:35, 3:2 pkts, 164:164 bytes, rule 86
id: 000000005993d384 creatorid: 2bd5edb5
re1 tcp 172.25.228.232:2233 (172.25.232.227:38800) -> 173.194.202.108:587 ESTABLISHED:ESTABLISHED
[55123363 + 42497] wscale 7 [1982525214 + 29312] wscale 8
age 00:01:25, expires in 23:58:35, 3:2 pkts, 164:164 bytes, rule 77
id: 000000005993d385 creatorid: 2bd5edb5

Skipping ICMP and UDP. They work too.

Enable IPsec Transport on both sides.

pfSense A
con8¹⁸⁹⁴: ESTABLISHED 13 seconds ago, 172.25.228.5[172.25.228.5]...172.25.228.232[172.25.228.232]
con8¹⁸⁹⁴: IKEv2 SPIs: deb82e851e4ff884_i* 6eb81d836ca81f5b_r, pre-shared key reauthentication in 7 hours
con8¹⁸⁹⁴: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
con8{8405}: INSTALLED, TRANSPORT, reqid 657, ESP SPIs: c6721d5c_i c7b5a0c8_o
con8{8405}: AES_CBC_256/HMAC_SHA1_96, 113472 bytes_i (2012 pkts, 0s ago), 214688 bytes_o (2012 pkts, 0s ago), rekeying in 45 minutes
con8{8405}: 172.25.228.5/32|/0 === 172.25.228.232/32|/0

pfSense C
con1⁴: ESTABLISHED 75 seconds ago, 172.25.228.232[172.25.228.232]...172.25.228.5[172.25.228.5]
con1⁴: IKEv2 SPIs: deb82e851e4ff884_i 6eb81d836ca81f5b_r*, pre-shared key reauthentication in 7 hours
con1⁴: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
con1{5}: INSTALLED, TRANSPORT, reqid 1, ESP SPIs: c7b5a0c8_i c6721d5c_o
con1{5}: AES_CBC_256/HMAC_SHA1_96, 533152 bytes_i (9942 pkts, 1s ago), 1045264 bytes_o (9942 pkts, 1s ago), rekeying in 42 minutes
con1{5}: 172.25.228.232/32|/0 === 172.25.228.5/32|/0

$ ping smtp.gmail.com
PING gmail-smtp-msa.l.google.com (74.125.135.108) 56(84) bytes of data.
64 bytes from pl-in-f108.1e100.net (74.125.135.108): icmp_seq=1 ttl=42 time=38.8 ms
64 bytes from pl-in-f108.1e100.net (74.125.135.108): icmp_seq=2 ttl=42 time=39.0 ms
64 bytes from pl-in-f108.1e100.net (74.125.135.108): icmp_seq=3 ttl=42 time=40.2 ms
64 bytes from pl-in-f108.1e100.net (74.125.135.108): icmp_seq=4 ttl=42 time=57.3 ms

pfSense A
re0 icmp 74.125.135.108:24287 <- 172.25.232.227:24287 0:0
age 00:02:25, expires in 00:00:10, 145:142 pkts, 12180:11928 bytes, rule 136
id: 0000000059e5226b creatorid: a822d69d
gre0 icmp 172.25.232.227:24287 -> 74.125.135.108:24287 0:0
age 00:02:25, expires in 00:00:10, 145:0 pkts, 12180:0 bytes, rule 104
id: 0000000059e5226c creatorid: a822d69d

pfSense C
re1 icmp 172.25.228.232:10941 (172.25.232.227:24287) -> 74.125.135.108:10941 0:0
age 00:02:57, expires in 00:00:10, 178:174 pkts, 14952:14616 bytes, rule 77
id: 000000005993d39d creatorid: 131255b0
gre0 icmp 74.125.135.108:24287 -> 172.25.232.227:24287 0:0
age 00:02:57, expires in 00:00:09, 174:0 pkts, 14616:0 bytes, rule 75
id: 000000005993d39e creatorid: 131255b0

$ dig +short @8.8.8.8 www.google.com
172.217.4.132

pfSense A
re0 udp 8.8.8.8:53 <- 172.25.232.227:43051 SINGLE:MULTIPLE
age 00:00:27, expires in 00:02:03, 1:1 pkts, 71:87 bytes, rule 136
id: 0000000059e526eb creatorid: a822d69d
gre0 udp 172.25.232.227:43051 -> 8.8.8.8:53 SINGLE:NO_TRAFFIC
age 00:00:27, expires in 00:04:33, 1:0 pkts, 71:0 bytes, rule 104
id: 0000000059e526ec creatorid: a822d69d

pfSense C
re1 udp 172.25.228.232:36073 (172.25.232.227:57354) -> 8.8.8.8:53 MULTIPLE:SINGLE
age 00:00:08, expires in 00:00:22, 1:1 pkts, 71:87 bytes, rule 77
id: 000000005993d3ba creatorid: 131255b0
gre0 udp 8.8.8.8:53 -> 172.25.232.227:57354 SINGLE:NO_TRAFFIC
age 00:00:08, expires in 00:00:52, 1:0 pkts, 87:0 bytes, rule 75
id: 000000005993d3bb creatorid: 131255b0

And, finally, the problem...

$ telnet -4 smtp.gmail.com 587
Trying 74.125.28.108...
[no connection]

pfSense A
re0 tcp 74.125.28.108:587 <- 172.25.232.227:58602 CLOSED:SYN_SENT
[0 + 29200] [1044382442 + 1]
age 00:00:31, expires in 00:14:44, 5:0 pkts, 300:0 bytes, rule 136
id: 0000000059e52a5b creatorid: a822d69d
gre0 tcp 172.25.232.227:58602 -> 74.125.28.108:587 SYN_SENT:CLOSED
[1044382442 + 1] [0 + 29200]
age 00:00:31, expires in 00:14:44, 5:0 pkts, 300:0 bytes, rule 104
id: 0000000059e52a5c creatorid: a822d69d

pfSense C
re1 tcp 172.25.228.232:60507 (172.25.232.227:58602) -> 74.125.28.108:587 ESTABLISHED:SYN_SENT
[1044382442 + 42496] wscale 7 [2989914714 + 1305081782] wscale 8
age 00:00:22, expires in 00:00:24, 5:6 pkts, 300:360 bytes, rule 77
id: 000000005993d3c3 creatorid: 131255b0

No state on GRE... Reply traffic gets dropped

Actions

Copy link