From alex323@gmail.com Tue Jun 15 23:10:05 2010
Return-Path: 
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 9232E1065670
	for ; Tue, 15 Jun 2010 23:10:05 +0000 (UTC)
	(envelope-from alex323@gmail.com)
Received: from mail-vw0-f54.google.com (mail-vw0-f54.google.com [209.85.212.54])
	by mx1.freebsd.org (Postfix) with ESMTP id 484A18FC14
	for ; Tue, 15 Jun 2010 23:10:04 +0000 (UTC)
Received: by vws20 with SMTP id 20so7564543vws.13
	for ; Tue, 15 Jun 2010 16:10:04 -0700 (PDT)
Received: by 10.220.126.129 with SMTP id c1mr4367890vcs.167.1276643404280;
	Tue, 15 Jun 2010 16:10:04 -0700 (PDT)
Received: from localhost (ool-44c14b8e.dyn.optonline.net [68.193.75.142])
	by mx.google.com with ESMTPS id b32sm3053781vcm.1.2010.06.15.16.10.02
	(version=TLSv1/SSLv3 cipher=RC4-MD5);
	Tue, 15 Jun 2010 16:10:03 -0700 (PDT)
Message-Id: <20100615191001.7c2b8ebf@gmail.com>
Date: Tue, 15 Jun 2010 19:10:01 -0400
From: Alex 
To: FreeBSD-gnats-submit@freebsd.org
Subject: IPv6-in-IPv4 does not work inside an ESP-only IPsec tunnel

>Number:         147894
>Category:       kern
>Synopsis:       [ipsec] IPv6-in-IPv4 does not work inside an ESP-only IPsec tunnel
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-net
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Jun 15 23:20:00 UTC 2010
>Closed-Date:
>Last-Modified:  Sun Jul 18 15:42:45 UTC 2010
>Originator:     Alex
>Release:        FreeBSD 8.1-PRERELEASE amd64
>Organization:
>Environment:
System: FreeBSD orion 8.1-PRERELEASE FreeBSD 8.1-PRERELEASE #4: Sun Jun 13 20:18:56 EDT 2010 alex@orion:/usr/obj/usr/src/sys/ORION amd64

>Description:
I have my gif interface set up as follows:

gif0: flags=8051 metric 0 mtu 1280
	tunnel inet a.a.a.a --> b.b.b.b
	inet6 ::c prefixlen 64

...and the opposite on the other end. The IPsec mode is tunnel, and one computer is behind NAT (the packets are all forwarded properly).
Moreover, AH is not enabled... just ESP.

The configuration I have just described works correctly when the internal addresses are IPv4. However, when they are IPv6, the actual packets I try to send do not get sent. More specifically, no outgoing ESP packets appear in Wireshark at all.

Again, to reiterate: this exact same setup works when the internal tunnel addresses are IPv4.

I do not feel that the problem is racoon2, because the keys are successfully negotiated, as shown below:

local-ipv4-address remote-ipv4-address
	esp mode=tunnel spi=256424725(0x0f48bb15) reqid=0(0x00000000)
	E: rijndael-cbc  43932af0 a2ebdf0e 9ed8eb89 3b4f9725 3f1874d3 87a7afad cbcc7e3f dc028a40
	A: hmac-sha2-512  38645b32 3deafb39 45b01b66 58015299 a730a96a f5fac1c2 ae87348d 2fe3c181 b22a4b80 a6ccdbc0 b3ae5125 cb5e4849 19e51766 21d0c773 343c6a64 52058686
	seq=0x00000000 replay=64 flags=0x00000000 state=mature
	created: Jun 15 19:00:32 2010	current: Jun 15 19:02:08 2010
	diff: 96(s)	hard: 14400(s)	soft: 12814(s)
	last:	hard: 0(s)	soft: 0(s)
	current: 0(bytes)	hard: 0(bytes)	soft: 0(bytes)
	allocated: 0	hard: 0	soft: 0
	sadb_seq=1 pid=34759 refcnt=2
remote-ipv4-address local-ipv4-address
	esp mode=tunnel spi=23667040(0x01692160) reqid=0(0x00000000)
	E: rijndael-cbc  902fb88f fd628086 a914db5e 594cad58 3bad517a 9153b5ee 1e57c579 f8bff311
	A: hmac-sha2-512  587cb5ff 6caf0da4 bbb2ecad 056fb008 c362fc69 70be67b2 29a484a9 4df8e5c9 7cb52ac6 c37fc674 8d896722 b1e7ee6b d6c0ef7b 2a815807 7bb394ae 1ba4b294
	seq=0x00000000 replay=64 flags=0x00000000 state=mature
	created: Jun 15 19:00:32 2010	current: Jun 15 19:02:08 2010
	diff: 96(s)	hard: 14400(s)	soft: 11544(s)
	last:	hard: 0(s)	soft: 0(s)
	current: 0(bytes)	hard: 0(bytes)	soft: 0(bytes)
	allocated: 0	hard: 0	soft: 0
	sadb_seq=0 pid=34759 refcnt=1

IPSEC_NAT_T is enabled in both kernels.
>How-To-Repeat:
>Fix:
>Release-Note:
>Audit-Trail:
From: Alex 
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/147894: IPv6-in-IPv4 does not work inside an ESP-only IPsec tunnel
Date: Fri, 18 Jun 2010 20:34:33 -0400

 The following error is printed when net.inet6.ipsec6.debug is set to 1:

 Jun 18 20:19:23 orion kernel: ipsec6_output_tunnel: family mismatched between inner and outer, spi=156253021
 Jun 18 20:19:23 orion kernel: [ip6_output:549] (ipsec): error code 47

 The relevant lines of code are:

 --- ipsec_output.c begins here ---
 		if (isr->sav->sah->saidx.src.sa.sa_family != AF_INET6) {
 			ipseclog((LOG_ERR, "%s: family mismatched between "
 			    "inner and outer, spi=%u\n", __func__,
 			    ntohl(isr->sav->spi)));
 			V_ipsec6stat.ips_out_inval++;
 			error = EAFNOSUPPORT;
 			goto bad;
 		}
 --- ipsec_output.c ends here ---

 I will be looking further into this.

Responsible-Changed-From-To: freebsd-bugs->freebsd-net
Responsible-Changed-By: linimon
Responsible-Changed-When: Sun Jul 18 15:42:23 UTC 2010
Responsible-Changed-Why: 
Over to maintainer(s).

http://www.freebsd.org/cgi/query-pr.cgi?pr=147894
>Unformatted:
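Added illustration (editor's example, not FreeBSD code and not part of the PR): the decision the quoted ipsec6_output_tunnel() check makes for an IPv6 inner packet, modelled in user-space C, next to the RFC 4301 tunnel-mode rule under which the outer header family is taken from the SA endpoints and need not match the inner header. The struct toy_sa, the enum ipsec_mode values and the check_as_quoted()/check_rfc4301()/pr_scenario_*() names are hypothetical stand-ins for the kernel fields the quoted snippet reads; the only facts taken from the PR are the mode (tunnel), the outer family (IPv4 endpoints a.a.a.a --> b.b.b.b), the inner family (IPv6 on gif0) and the resulting errno (EAFNOSUPPORT, 47 on FreeBSD).

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Hypothetical model of the SA fields the quoted check reads; not the
 * kernel's struct secasvar. */
enum ipsec_mode { MODE_TRANSPORT = 1, MODE_TUNNEL = 2 };

struct toy_sa {
    int outer_family;      /* stands in for sav->sah->saidx.src.sa.sa_family */
    enum ipsec_mode mode;  /* stands in for the SA's tunnel/transport mode */
};

/* The logic of the quoted check: in tunnel mode an IPv6 inner packet is
 * accepted only when the SA's outer endpoints are also IPv6. Returns 0 or an
 * errno; EAFNOSUPPORT is 47 on FreeBSD, the "error code 47" in the
 * ip6_output log line of the follow-up. */
int check_as_quoted(int inner_family, const struct toy_sa *sa)
{
    if (sa->mode != MODE_TUNNEL)
        return 0;                     /* transport mode: no outer header to compare */
    if (inner_family == AF_INET6 && sa->outer_family != AF_INET6)
        return EAFNOSUPPORT;          /* "family mismatched between inner and outer" */
    return 0;
}

/* RFC 4301 tunnel mode (header construction, section 5.1.2): the outer
 * header is built from the SA's endpoints independently of the inner header,
 * so IPv6-in-IPv4 and IPv4-in-IPv6 are both legitimate. The only family
 * requirement is that the outer one is something we can encapsulate in. */
int check_rfc4301(int inner_family, const struct toy_sa *sa)
{
    (void)inner_family;               /* inner family is irrelevant to the outer SA */
    if (sa->mode != MODE_TUNNEL)
        return 0;
    if (sa->outer_family != AF_INET && sa->outer_family != AF_INET6)
        return EAFNOSUPPORT;
    return 0;
}

/* The PR's setup: gif0 carries IPv6 (inner AF_INET6) over IPv4 tunnel
 * endpoints (outer AF_INET) with the SA in tunnel mode. */
static const struct toy_sa pr_sa = { AF_INET, MODE_TUNNEL };

int pr_scenario_as_quoted(void) { return check_as_quoted(AF_INET6, &pr_sa); }
int pr_scenario_rfc4301(void)   { return check_rfc4301(AF_INET6, &pr_sa); }

int main(void)
{
    int e = pr_scenario_as_quoted();
    printf("quoted check, IPv6 inner over IPv4 SA:  %s (errno %d)\n",
           e ? strerror(e) : "accepted", e);
    e = pr_scenario_rfc4301();
    printf("RFC 4301 rule, IPv6 inner over IPv4 SA: %s (errno %d)\n",
           e ? strerror(e) : "accepted", e);
    /* The IPv4-inner case the submitter reports as working: */
    e = check_as_quoted(AF_INET, &pr_sa);
    printf("quoted check, IPv4 inner over IPv4 SA:  %s (errno %d)\n",
           e ? strerror(e) : "accepted", e);
    return 0;
}
```

The model reproduces the submitter's observation exactly: with the same IPv4 SA, an IPv4 inner packet passes and an IPv6 inner packet is refused before any ESP packet is built, which is why nothing shows up on the wire even though the SAs are mature. The numeric errno printed depends on the host libc (47 on FreeBSD), so anyone checking this on another OS should compare against EAFNOSUPPORT rather than the literal value.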