Eugene M. Zheganin
2019-Mar-26 07:26 UTC
ipsec/gif(4) tunnel not working: traffic not appearing on the gif(4) interface after deciphering
Hello,

I have a FreeBSD 11.1 box with 2 public IPs that has two tunnels to another FreeBSD box with 1 public IP. One of these tunnels is working, the other isn't. Long story short: I have some experience in ipsec tunnels setup, and I supposed that I have configured everything properly, and to illustrate this I've loaded if_enc(4) on the 11.1 and it does show the traffic for the second gif. Here I ping the target troublesome host (2 public IPs) from the remote (1 public IP) and the tcpdump is launched on the receiver:

===Cut==
# tcpdump -npi enc0 host 83.222.68.177
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enc0, link-type ENC (OpenBSD encapsulated IP), capture size 262144 bytes
12:00:58.218256 (authentic): SPI 0x0c00b77c: IP 188.17.155.29 > 83.222.68.177: ESP(spi=0x0ffc906c,seq=0x14c), length 132
12:00:58.218271 (authentic,confidential): SPI 0x0ffc906c: IP 188.17.155.29 > 83.222.68.177: IP 172.16.0.68 > 172.16.0.67: ICMP echo request, id 24591, seq 121, length 64 (ipip-proto-4)
12:00:59.232761 (authentic): SPI 0x0c00b77c: IP 188.17.155.29 > 83.222.68.177: ESP(spi=0x0ffc906c,seq=0x14d), length 132
12:00:59.232773 (authentic,confidential): SPI 0x0ffc906c: IP 188.17.155.29 > 83.222.68.177: IP 172.16.0.68 > 172.16.0.67: ICMP echo request, id 24591, seq 122, length 64 (ipip-proto-4)
^C
12 packets captured
574 packets received by filter
0 packets dropped by kernel
===Cut==

From this output I conclude that the IPSec is working, since the kernel is able to decipher the packets. But for some mysterious reason this traffic isn't showing on the gif(4) (of course I have allowed all the traffic on the enc(4) itself); tcpdump shows nothing. If pinging in the opposite direction, tcpdump shows outgoing packets, enc(4) shows both (remote replies successfully), but once again, there are no incoming packets on the gif(4).
There would be a simple answer if I had just misconfigured addressing on the gif(4), but I see no errors:

===Cut==
# ifconfig gif3
gif3: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1400
        description: idk2 <---> alamics
        options=80000<LINKSTATE>
        tunnel inet 83.222.68.177 --> 188.17.155.29
        inet 172.16.0.67 --> 172.16.0.68 netmask 0xffffffff
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
        groups: gif
===Cut==

Since I don't have identical tunnel IP pairs I don't need net.link.gif.parallel_tunnels (right?), so my final guess: either there's something around having two tunnels to the same destination or some bug in 11.1.

Any ideas?

Eugene.
Eugene Grosbein
2019-Mar-26 12:38 UTC
ipsec/gif(4) tunnel not working: traffic not appearing on the gif(4) interface after deciphering
26.03.2019 14:26, Eugene M. Zheganin wrote:

> I have a FreeBSD 11.1 box with 2 public IPs that has two tunnels to another FreeBSD box with 1 public IP. One of these tunnels is working, the other isn't. Long story short: I have some experience in ipsec tunnels setup, and I supposed that I have configured everything properly, and to illustrate this I've loaded if_enc(4) on the 11.1 and it does show the traffic for the second gif:
> [skip]
> Any ideas?

Always add "link2" to ifconfig_gifX configuration in such cases:

ifconfig_gif0="inet 192.168.254.25 192.168.254.26 netmask 255.255.255.252 mtu 1500 link2"

Refer to gif(4) manual page for details, look for IFF_LINK2 description.
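The check the original poster did by eye, matching the outer addresses of packets decrypted on enc0 against the endpoints of each gif(4) tunnel, as an added script that is not part of either post; the helper names are my own and both input strings are constructed from the outputs quoted in the thread (gif2 and the 198.51.100.7 packet are made up):

```shell
#!/bin/sh
# Added example, not code from either post: correlate the decrypted packets that
# enc0 shows with the gif(4) tunnel endpoints, the check Eugene did by eye.
# Helper names are my own; the inputs are constructed from the outputs above.

# Constructed: one "NAME tunnel inet LOCAL --> REMOTE" line per gif, e.g. from
#   for i in $(ifconfig -g gif); do echo "$i $(ifconfig $i | grep 'tunnel inet')"; done
# gif2 is an assumed second tunnel on the other public IP of the same box.
GIF_TUNNELS='gif2 tunnel inet 83.222.68.178 --> 188.17.155.29
gif3 tunnel inet 83.222.68.177 --> 188.17.155.29'

# Constructed from the enc0 capture above, plus one made-up packet whose outer
# source matches no tunnel, to show the "none" case.
ENC_LINES='12:00:58.218256 (authentic): SPI 0x0c00b77c: IP 188.17.155.29 > 83.222.68.177: ESP(spi=0x0ffc906c,seq=0x14c), length 132
12:00:58.218271 (authentic,confidential): SPI 0x0ffc906c: IP 188.17.155.29 > 83.222.68.177: IP 172.16.0.68 > 172.16.0.67: ICMP echo request, id 24591, seq 121, length 64 (ipip-proto-4)
12:00:59.232773 (authentic,confidential): SPI 0x0ffc906c: IP 198.51.100.7 > 83.222.68.177: IP 172.16.0.68 > 172.16.0.67: ICMP echo request, id 24591, seq 122, length 64 (ipip-proto-4)'

# Name the gif that should receive an inbound packet: outer dst must equal the
# tunnel's local address and outer src its remote address. Prints "none" otherwise.
gif_for_inbound() {  # $1 = outer src, $2 = outer dst
    printf '%s\n' "$GIF_TUNNELS" |
        awk -v s="$1" -v d="$2" '$4 == d && $6 == s { print $1; found = 1 }
                                  END { if (!found) print "none" }'
}

# Walk the decapsulated (ipip-proto-4) lines on enc0 and print, per packet:
#   SPI OUTERSRC>OUTERDST inner INNERSRC>INNERDST -> gifN|none
correlate_enc() {
    printf '%s\n' "$ENC_LINES" |
        awk '/ipip-proto-4/ {
            # fields: ... SPI 0x..: IP OSRC > ODST: IP ISRC > IDST: ...
            spi = $4; odst = $8; idst = $12
            sub(/:$/, "", spi); sub(/:$/, "", odst); sub(/:$/, "", idst)
            print spi, $6, odst, $10, idst
        }' |
        while read -r spi osrc odst isrc idst; do
            printf '%s %s>%s inner %s>%s -> %s\n' "$spi" "$osrc" "$odst" \
                "$isrc" "$idst" "$(gif_for_inbound "$osrc" "$odst")"
        done
}

correlate_enc
```

On a live box, replace the two constructed strings with real ifconfig and tcpdump output; a gif name printed next to a flow that never shows up on that gif rules out outer addressing as the cause, which is the situation in the thread.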