Hello,
I have a FreeBSD 11.1 box with 2 public IPs that has two tunnels to
another FreeBSD box with 1 public IP. One of these tunnels is working,
the other isn't. Long story short: I have some experience in IPsec
tunnel setup, and I supposed that I had configured everything properly.
To illustrate this I've loaded if_enc(4) on the 11.1 box, and it does
show the traffic for the second gif:
Here I ping the target (troublesome) host (2 public IPs) from the remote
(1 public IP), and tcpdump is launched on the receiver:
===Cut===
# tcpdump -npi enc0 host 83.222.68.177
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enc0, link-type ENC (OpenBSD encapsulated IP), capture size 262144 bytes
12:00:58.218256 (authentic): SPI 0x0c00b77c: IP 188.17.155.29 > 83.222.68.177: ESP(spi=0x0ffc906c,seq=0x14c), length 132
12:00:58.218271 (authentic,confidential): SPI 0x0ffc906c: IP 188.17.155.29 > 83.222.68.177: IP 172.16.0.68 > 172.16.0.67: ICMP echo request, id 24591, seq 121, length 64 (ipip-proto-4)
12:00:59.232761 (authentic): SPI 0x0c00b77c: IP 188.17.155.29 > 83.222.68.177: ESP(spi=0x0ffc906c,seq=0x14d), length 132
12:00:59.232773 (authentic,confidential): SPI 0x0ffc906c: IP 188.17.155.29 > 83.222.68.177: IP 172.16.0.68 > 172.16.0.67: ICMP echo request, id 24591, seq 122, length 64 (ipip-proto-4)
^C
12 packets captured
574 packets received by filter
0 packets dropped by kernel
===Cut===
From this output I conclude that IPsec is working, since the kernel is
able to decipher the packets. But for some mysterious reason this
traffic isn't showing up on the gif(4) (of course I have allowed all the
traffic on the enc(4) itself); tcpdump shows nothing. When pinging in the
opposite direction, tcpdump shows outgoing packets, enc(4) shows both
(the remote replies successfully), but once again there are no incoming
packets on the gif(4). There would be a simple answer if I had just
misconfigured addressing on the gif(4), but I see no errors:
===Cut===
# ifconfig gif3
gif3: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1400
        description: idk2 <---> alamics
        options=80000<LINKSTATE>
        tunnel inet 83.222.68.177 --> 188.17.155.29
        inet 172.16.0.67 --> 172.16.0.68 netmask 0xffffffff
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
        groups: gif
===Cut===
Since I don't have identical tunnel IP pairs I don't need
net.link.gif.parallel_tunnels (right?), so my final guess is that
either there's something about having two tunnels to the same
destination, or some bug in 11.1.
Any ideas?
Eugene.
_______________________________________________
freebsd-stable@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to "freebsd-stable-unsubscr...@freebsd.org"
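The check the post makes by eye (outer addresses of the decrypted packets against the gif tunnel endpoints, inner addresses against the point-to-point pair), as an added Python example; this is not code from the original post or from FreeBSD. It parses the tcpdump enc(4) output and the ifconfig gif(4) output quoted in the post, embedded here as constructed sample input re-joined onto single lines, and reports for each decapsulated ipip-proto-4 packet whether its outer addresses are the gif's tunnel endpoints (reversed for an inbound packet) and its inner addresses are the gif's own point-to-point pair. The function names parse_gif, parse_enc, direction_for and diagnose are this example's own.

```python
import re

# Constructed sample input: the enc0 capture and the gif3 configuration quoted
# in the post, re-joined so that tcpdump prints one packet per line.
ENC0_CAPTURE = """\
12:00:58.218256 (authentic): SPI 0x0c00b77c: IP 188.17.155.29 > 83.222.68.177: ESP(spi=0x0ffc906c,seq=0x14c), length 132
12:00:58.218271 (authentic,confidential): SPI 0x0ffc906c: IP 188.17.155.29 > 83.222.68.177: IP 172.16.0.68 > 172.16.0.67: ICMP echo request, id 24591, seq 121, length 64 (ipip-proto-4)
12:00:59.232761 (authentic): SPI 0x0c00b77c: IP 188.17.155.29 > 83.222.68.177: ESP(spi=0x0ffc906c,seq=0x14d), length 132
12:00:59.232773 (authentic,confidential): SPI 0x0ffc906c: IP 188.17.155.29 > 83.222.68.177: IP 172.16.0.68 > 172.16.0.67: ICMP echo request, id 24591, seq 122, length 64 (ipip-proto-4)
"""

GIF_CONFIG = """\
gif3: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1400
        tunnel inet 83.222.68.177 --> 188.17.155.29
        inet 172.16.0.67 --> 172.16.0.68 netmask 0xffffffff
"""

# One enc(4) record: timestamp, processing flags, SA SPI, outer IP pair, payload.
ENC_LINE = re.compile(
    r"^(?P<ts>\S+) \((?P<flags>[^)]*)\): SPI 0x(?P<spi>[0-9a-fA-F]+): "
    r"IP (?P<osrc>[\d.]+) > (?P<odst>[\d.]+): (?P<payload>.*)$"
)
# Payload of a fully decrypted record carrying an IP-in-IP (protocol 4) packet.
INNER_IPIP = re.compile(r"^IP (?P<isrc>[\d.]+) > (?P<idst>[\d.]+):.*\(ipip-proto-4\)$")
TUNNEL = re.compile(r"tunnel inet (?P<src>[\d.]+) --> (?P<dst>[\d.]+)")
P2P = re.compile(r"^\s*inet (?P<local>[\d.]+) --> (?P<remote>[\d.]+) netmask", re.MULTILINE)


def parse_gif(config):
    """Extract outer tunnel endpoints and inner point-to-point pair from ifconfig output."""
    t = TUNNEL.search(config)
    p = P2P.search(config)
    if not t or not p:
        raise ValueError("not a configured point-to-point gif interface")
    return {"tunnel_src": t["src"], "tunnel_dst": t["dst"],
            "local": p["local"], "remote": p["remote"]}


def parse_enc(capture):
    """Yield one record per enc0 line; 'inner' is set only when tcpdump decoded an IPIP payload."""
    for line in capture.splitlines():
        m = ENC_LINE.match(line)
        if not m:
            continue
        rec = {"spi": m["spi"], "flags": set(m["flags"].split(",")),
               "osrc": m["osrc"], "odst": m["odst"], "inner": None}
        inner = INNER_IPIP.match(m["payload"])
        if inner:
            rec["inner"] = (inner["isrc"], inner["idst"])
        yield rec


def direction_for(rec, gif):
    """Which way this packet would traverse the gif, judged by outer addresses alone."""
    if (rec["osrc"], rec["odst"]) == (gif["tunnel_dst"], gif["tunnel_src"]):
        return "inbound"
    if (rec["osrc"], rec["odst"]) == (gif["tunnel_src"], gif["tunnel_dst"]):
        return "outbound"
    return None


def diagnose(capture, config):
    """Count decapsulated IPIP packets that match the gif addressing; list the ones that don't."""
    gif = parse_gif(config)
    summary = {"still_encrypted": 0, "decapsulated": 0,
               "inbound_ok": 0, "outbound_ok": 0, "mismatched": []}
    for rec in parse_enc(capture):
        if rec["inner"] is None:
            # Payload is still ESP: only the authentication layer has been processed.
            summary["still_encrypted"] += 1
            continue
        summary["decapsulated"] += 1
        d = direction_for(rec, gif)
        isrc, idst = rec["inner"]
        inner_ok = ((d == "inbound" and (isrc, idst) == (gif["remote"], gif["local"]))
                    or (d == "outbound" and (isrc, idst) == (gif["local"], gif["remote"])))
        if d and inner_ok:
            summary[d + "_ok"] += 1
        else:
            summary["mismatched"].append(
                {"outer": (rec["osrc"], rec["odst"]), "inner": rec["inner"], "direction": d})
    return summary


if __name__ == "__main__":
    print(diagnose(ENC0_CAPTURE, GIF_CONFIG))
```

On the post's own data every decapsulated packet comes out as inbound with matching inner pair, which is the same "no addressing error" conclusion the post reaches; a swapped or mistyped endpoint shows up in the mismatched list with direction None. On a live box the two strings can be replaced with the output of tcpdump -npli enc0 and ifconfig gifN.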