>Number:         161058
>Category:       kern
>Synopsis:       enc0 not capturing outgoing IPSEC encrypted transport IPv6 traffic from host
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Sep 27 04:00:16 UTC 2011
>Closed-Date:
>Last-Modified:
>Originator:     Matthew Grant
>Release:        8.2-p2
>Organization:
Net24 Ltd
>Environment:
FreeBSD dns-slave0.devel.net.nz 8.2-RELEASE-p2 FreeBSD 8.2-RELEASE-p2 #3: Mon Sep 26 09:23:45 NZDT 2011     [email protected]:/usr/obj/usr/src/sys/IPSEC  amd64

>Description:
Outgoing IPv6 host traffic that is to be encrypted is not being captured by the 
enc0 device.  IPFW only sees it as esp.  tcpdump cannot see it either.  This is 
after trying all combinations of the sysctl flags.

/etc/sysctl.conf:

# Set up IPSEC filtering
net.enc.out.ipsec_bpf_mask=0x00000003
net.enc.out.ipsec_filter_mask=0x00000003
net.enc.in.ipsec_bpf_mask=0x00000001
net.enc.in.ipsec_filter_mask=0x00000001
net.inet.ipsec.ecn=1
net.inet.ipsec.filtertunnel=0
net.inet.ip.fw.one_pass=0

This has been tried with IPv6 directly on em0, and over an IPv6 sit6 gif tunnel.

It would be good to get this fixed, as we would like to deploy FreeBSD servers 
with IPSEC IPv6 encrypted networking.  This is critical for securing the 
contents of the SPD, as it can supply statefulness when combined with IPSEC 
matching ipfw or pf properties.

>How-To-Repeat:
ifconfig enc0 up. Make sure net.enc.out/in are set to default or as:

net.enc.out.ipsec_bpf_mask=0x00000003
net.enc.out.ipsec_filter_mask=0x00000003
net.enc.in.ipsec_bpf_mask=0x00000001
net.enc.in.ipsec_filter_mask=0x00000001

Incoming IPv6 traffic will be observed, and none of the outgoing traffic from 
the host.  In the IPv4 equivalent, outgoing traffic will be observed and in 
ipfw will show up as coming from the enc0 device.  Incoming IPv6 traffic will 
be matched in ipfw on rules with the 'ipsec' property set.
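
A small script that walks through the steps above and counts what enc0 actually shows (added here as an example; it is not part of the PR). It assumes FreeBSD with enc(4) compiled in, tcpdump and root, and takes the host's and peer's IPv6 addresses as arguments (placeholders for the pair covered by the transport-mode SP).

```shell
#!/bin/sh
# Added example, not from the PR: apply the PR's enc0 sysctls, capture on enc0
# while sending IPv6 traffic, and count packets seen from the host's own address.
# Assumes FreeBSD with enc(4), tcpdump and root. Addresses are placeholders.

apply_enc_sysctls() {
    # Mask values exactly as listed in the PR; bit 0x1 on the "out" masks is what
    # should expose outgoing packets on enc0 before encryption.
    sysctl net.enc.out.ipsec_bpf_mask=0x00000003 \
           net.enc.out.ipsec_filter_mask=0x00000003 \
           net.enc.in.ipsec_bpf_mask=0x00000001 \
           net.enc.in.ipsec_filter_mask=0x00000001
    ifconfig enc0 up
}

# Count lines of a "tcpdump -n" text capture ($1) whose source field is $2,
# with or without a trailing ".port" (tcpdump prints "addr.port" for IPv6 too).
# Outgoing packets captured before encryption carry the host's own address as
# source; the PR's symptom is that this count stays at zero for IPv6.
count_from_src() {
    awk -v src="$2" '$3 == src || index($3, src ".") == 1 { n++ } END { print n + 0 }' "$1"
}

# Capture IPv6 on enc0 into $2 while pinging $1 (the peer).
capture_enc0_while_ping() {
    tcpdump -i enc0 -n -l ip6 > "$2" 2>/dev/null &
    pid=$!
    sleep 1                                  # let tcpdump attach first
    ping6 -c 3 "$1" > /dev/null 2>&1 || true # ping6 as shipped with 8.x
    sleep 2
    kill "$pid" 2>/dev/null
}

# Usage: sh enc0check.sh run <host-ipv6> <peer-ipv6>
if [ "${1:-}" = "run" ]; then
    apply_enc_sysctls
    capture_enc0_while_ping "$3" /tmp/enc0.txt
    echo "outgoing IPv6 from host $2 seen on enc0: $(count_from_src /tmp/enc0.txt "$2")"
    echo "incoming IPv6 from peer $3 seen on enc0: $(count_from_src /tmp/enc0.txt "$3")"
fi
```

A non-zero outgoing count with a zero incoming count is the IPv4 behaviour the PR describes; zero outgoing with non-zero incoming reproduces the IPv6 symptom.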

>Fix:


>Release-Note:
>Audit-Trail:
>Unformatted:
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-bugs