NetBSD-Users archive


GIF over IPSEC



Hey,

I'm having an issue with IPSEC and GIF tunneling. I have an IPSEC (using 
racoon) link set up (NetBSD server -> MacBook travelling through a NAT and the 
IPv4 public internet), and I am running a GIF tunnel (outer is the IPSEC tunnel 
IPs and inner is IPv6).

I can ping stuff over IPv6 from the MacBook just fine, but cannot load any 
webpages. On the MacBook, tcpdump shows truncated-ip6 messages. On the server, 
tcpdump shows that it is receiving perfectly fine IPv6 packets, so the problem 
is definitely with my configuration.

The server's IPv6 connectivity comes from tunnelbroker.net, at least for now.

Relevant configuration on the server:
gif1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
        tunnel inet 10.11.11.1 --> 10.11.12.1
        inet6 2001:470:c5fc:1::1 -> 2001:470:c5fc:1::2 prefixlen 128
        inet6 fe80::211:85ff:feb1:adf3%gif1 ->  prefixlen 64 scopeid 0x4
tap0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        address: f2:0b:a4:4e:6d:0b
        media: Ethernet autoselect
        inet 10.11.11.1 netmask 0xffffff00 broadcast 10.11.11.255
        inet6 fe80::f00b:a4ff:fe4e:6d0b%tap0 prefixlen 64 scopeid 0x5

parts of racoon.conf:
remote anonymous {
        exchange_mode aggressive;
        ike_frag on;
        esp_frag 552;
        proposal_check claim;
        generate_policy on;
        nat_traversal force;
        dpd_delay 20;
        proposal {
                encryption_algorithm aes;
                hash_algorithm sha1;
                authentication_method xauth_psk_server;
                dh_group 2;
        }
}
mode_cfg {
        auth_source system;
        accounting system;
        pool_size 253;
        network4 10.11.12.1;
        netmask4 255.255.255.0;
        dns4 208.94.242.3;
        dns4 208.94.243.3;
        split_network include 10.11.11.0/24;
        save_passwd on;
}

Relevant configuration on MacBook:
gif0: flags=8151<UP,POINTOPOINT,RUNNING,PROMISC,MULTICAST> mtu 1280
        tunnel inet 10.11.12.1 --> 10.11.11.1
        inet6 fe80::d69a:20ff:fe00:a04a%gif0 prefixlen 64 scopeid 0x2 
        inet6 2001:470:c5fc:1::2 --> 2001:470:c5fc:1::1 prefixlen 128

IPSEC is configured through Apple's GUI. I can ping 10.11.11.1 from the MacBook.

tcpdump -vvv output from the server (gif1 on it):
18:17:02.310578 IP6 (hlim 64, next-header: TCP (6), length: 44) 
2001:470:c5fc:1::2.51077 > iad04s01-in-x68.1e100.net.http: S, cksum 0xd8ac 
(correct), 2733076817:2733076817(0) win 65535 <mss 1220,nop,wscale 
1,nop,nop,timestamp 1046507916 0,sackOK,eol>
18:17:02.343453 IP6 (hlim 56, next-header: TCP (6), length: 40) 
iad04s01-in-x68.1e100.net.http > 2001:470:c5fc:1::2.51077: S, cksum 0xe614 
(correct), 579988886:579988886(0) ack 2733076818 win 5712 <mss 
1410,sackOK,timestamp 468697185 1046507916,nop,wscale 6>
18:17:02.602225 IP6 (hlim 64, next-header: TCP (6), length: 32) 
2001:470:c5fc:1::2.51077 > iad04s01-in-x68.1e100.net.http: ., cksum 0xa827 
(correct), 1:1(0) ack 1 win 33220 <nop,nop,timestamp 1046508190 468697185>
18:17:05.642867 IP6 (hlim 64, next-header: TCP (6), length: 48) 
2001:470:c5fc:1::2.51077 > iad04s01-in-x68.1e100.net.http: P, cksum 0xcb9b 
(correct), 1:17(16) ack 1 win 33220 <nop,nop,timestamp 1046510971 468697185>
18:17:05.676515 IP6 (hlim 56, next-header: TCP (6), length: 32) 
iad04s01-in-x68.1e100.net.http > 2001:470:c5fc:1::2.51077: ., cksum 0x11a0 
(correct), 1:1(0) ack 17 win 90 <nop,nop,timestamp 468700518 1046510971>
18:17:05.900807 IP6 (hlim 64, next-header: TCP (6), length: 34) 
2001:470:c5fc:1::2.51077 > iad04s01-in-x68.1e100.net.http: P, cksum 0x81b2 
(correct), 17:19(2) ack 1 win 33220 <nop,nop,timestamp 1046511338 468700518>
18:17:05.933353 IP6 (hlim 56, next-header: TCP (6), length: 32) 
iad04s01-in-x68.1e100.net.http > 2001:470:c5fc:1::2.51077: ., cksum 0x0f2e 
(correct), 1:1(0) ack 19 win 90 <nop,nop,timestamp 468700775 1046511338>
18:17:05.954530 IP6 (hlim 56, next-header: TCP (6), length: 1240) 
iad04s01-in-x68.1e100.net.http > 2001:470:c5fc:1::2.51077: . 1:1209(1208) ack 
19 win 90 <nop,nop,timestamp 468700796 1046511338>
18:17:05.954685 IP6 (hlim 56, next-header: TCP (6), length: 1240) 
iad04s01-in-x68.1e100.net.http > 2001:470:c5fc:1::2.51077: . 1209:2417(1208) 
ack 19 win 90 <nop,nop,timestamp 468700796 1046511338>
18:17:05.954773 IP6 (hlim 56, next-header: TCP (6), length: 1240) 
iad04s01-in-x68.1e100.net.http > 2001:470:c5fc:1::2.51077: . 2417:3625(1208) 
ack 19 win 90 <nop,nop,timestamp 468700796 1046511338>
18:17:06.827930 IP6 (hlim 56, next-header: TCP (6), length: 1240) 
iad04s01-in-x68.1e100.net.http > 2001:470:c5fc:1::2.51077: . 1:1209(1208) ack 
19 win 90 <nop,nop,timestamp 468701669 1046511338>
[...]


tcpdump -vvv output from the MacBook (gif0):
18:17:02.415966 IP6 (hlim 64, next-header TCP (6) payload length: 44) 
2001:470:c5fc:1::2.51077 > iad04s01-in-x68.1e100.net.http: Flags [S], cksum 
0xd8ac (correct), seq 2733076817, win 65535, options [mss 1220,nop,wscale 
1,nop,nop,TS val 1046507916 ecr 0,sackOK,eol], length 0
18:17:02.702665 IP6 (hlim 56, next-header TCP (6) payload length: 40) 
iad04s01-in-x68.1e100.net.http > 2001:470:c5fc:1::2.51077: Flags [S.], cksum 
0xe614 (correct), seq 579988886, ack 2733076818, win 5712, options [mss 
1410,sackOK,TS val 468697185 ecr 1046507916,nop,wscale 6], length 0
18:17:02.702726 IP6 (hlim 64, next-header TCP (6) payload length: 32) 
2001:470:c5fc:1::2.51077 > iad04s01-in-x68.1e100.net.http: Flags [.], cksum 
0xa827 (correct), seq 1, ack 1, win 33220, options [nop,nop,TS val 1046508190 
ecr 468697185], length 0
18:17:05.634533 IP6 (hlim 64, next-header TCP (6) payload length: 48) 
2001:470:c5fc:1::2.51077 > iad04s01-in-x68.1e100.net.http: Flags [P.], cksum 
0xcb9b (correct), seq 1:17, ack 1, win 33220, options [nop,nop,TS val 
1046510971 ecr 468697185], length 16
18:17:06.020072 IP6 (hlim 56, next-header TCP (6) payload length: 32) 
iad04s01-in-x68.1e100.net.http > 2001:470:c5fc:1::2.51077: Flags [.], cksum 
0x11a0 (correct), seq 1, ack 17, win 90, options [nop,nop,TS val 468700518 ecr 
1046510971], length 0
18:17:06.020133 IP6 (hlim 64, next-header TCP (6) payload length: 34) 
2001:470:c5fc:1::2.51077 > iad04s01-in-x68.1e100.net.http: Flags [P.], cksum 
0x81b2 (correct), seq 17:19, ack 1, win 33220, options [nop,nop,TS val 
1046511338 ecr 468700518], length 2
18:17:06.292921 IP6 (hlim 56, next-header TCP (6) payload length: 32) 
iad04s01-in-x68.1e100.net.http > 2001:470:c5fc:1::2.51077: Flags [.], cksum 
0x0f2e (correct), seq 1, ack 19, win 90, options [nop,nop,TS val 468700775 ecr 
1046511338], length 0
18:17:06.309981 IP6 truncated-ip6 - 752 bytes missing!(hlim 56, next-header TCP 
(6) payload length: 1240) iad04s01-in-x68.1e100.net.http > 
2001:470:c5fc:1::2.51077: Flags [.], seq 1:1209, ack 19, win 90, options 
[nop,nop,TS val 468700796 ecr 1046511338], length 1208
18:17:06.311220 IP6 truncated-ip6 - 15212 bytes missing!(class 0x97, flowlabel 
0x26573, hlim 117, next-header unknown (104) payload length: 15700) 
2c20:3130:2d4d:6179:2d32:3031:3220:3233 > 
3a31:373a:3035:2047:4d54:3b20:7061:7468: ip-proto-104 15700
18:17:06.312254 IP6 truncated-ip6 - 28335 bytes missing!(class 0x53, flowlabel 
0xe476f, hlim 101, next-header Compressed IP (108) payload length: 28519) 
3c2f:7469:746c:653e:3c73:6372:6970:743e > 
7769:6e64:6f77:2e67:6f6f:676c:653d:7b6b: IPComp(cpi=0x3a22)
18:17:06.313530 IP6 truncated-ip6 - 752 bytes missing!(hlim 56, next-header TCP 
(6) payload length: 1240) iad04s01-in-x68.1e100.net.http > 
2001:470:c5fc:1::2.51077: Flags [.], seq 1209:2417, ack 19, win 90, options 
[nop,nop,TS val 468700796 ecr 1046511338], length 1208
18:17:06.315217 IP6 truncated-ip6 - 10067 bytes missing!(class 0x54, flowlabel 
0x92865, hlim 97, next-header unknown (118) payload length: 10555) 
7220:693d:637c:7c22:2f67:656e:5f32:3034 > 
3f61:7479:703d:6926:6374:3d22:2b61:2b22: ip-proto-118 10555
18:17:06.316264 IP6 truncated-ip6 - 25267 bytes missing!(class 0x27, flowlabel 
0x45469, hlim 34, next-header unknown (40) payload length: 25451) 
6c6f:6164:222c:7472:7565:293b:7472:797b > 
7d63:6174:6368:2876:297b:7d0a:7661:7220: ip-proto-40 25451
[...]

Thanks,
Martin Brandenburg
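An added diagnostic (not part of the original post) that reads the truncated-ip6 lines of the MacBook capture above: it computes how many bytes of each packet actually arrived (IPv6 header plus the claimed payload length minus the bytes tcpdump reports missing) and decodes the eight-group "addresses" of the odd packets as raw bytes. The sample lines are copied from the capture; the 20-byte IPv4 header used to relate esp_frag 552 to a fragment payload is an assumption.

```python
import re

# Sample lines copied from the MacBook gif0 capture in the post: one truncated TCP
# segment, then two "packets" whose IPv6 addresses are pairs of printable ASCII bytes.
SAMPLE = (
    "18:17:06.309981 IP6 truncated-ip6 - 752 bytes missing!(hlim 56, next-header TCP (6) "
    "payload length: 1240) iad04s01-in-x68.1e100.net.http > 2001:470:c5fc:1::2.51077: "
    "Flags [.], seq 1:1209, ack 19, win 90, options [nop,nop,TS val 468700796 ecr 1046511338], length 1208\n"
    "18:17:06.311220 IP6 truncated-ip6 - 15212 bytes missing!(class 0x97, flowlabel 0x26573, "
    "hlim 117, next-header unknown (104) payload length: 15700) "
    "2c20:3130:2d4d:6179:2d32:3031:3220:3233 > 3a31:373a:3035:2047:4d54:3b20:7061:7468: ip-proto-104 15700\n"
    "18:17:06.312254 IP6 truncated-ip6 - 28335 bytes missing!(class 0x53, flowlabel 0xe476f, "
    "hlim 101, next-header Compressed IP (108) payload length: 28519) "
    "3c2f:7469:746c:653e:3c73:6372:6970:743e > 7769:6e64:6f77:2e67:6f6f:676c:653d:7b6b: IPComp(cpi=0x3a22)\n"
)

TRUNC_RE = re.compile(r"truncated-ip6 - (\d+) bytes missing!.*?payload length: (\d+)\) (\S+) > (\S+):")
FULL_HEX_ADDR = re.compile(r"^(?:[0-9a-f]{4}:){7}[0-9a-f]{4}$")  # eight uncompressed groups, no '::'
IPV6_HDR = 40

def frag_payload(frag_size, ip_hdr=20):
    """Largest 8-byte-aligned payload an IPv4 fragment of frag_size bytes can carry.
    Assumes a plain 20-byte IPv4 header; for the post's esp_frag 552 this is 528."""
    return (frag_size - ip_hdr) // 8 * 8

def hex_addr_to_ascii(addr):
    """Reinterpret a fully expanded IPv6 address as the 16 raw bytes it was printed from."""
    return bytes.fromhex(addr.replace(":", "")).decode("ascii", errors="replace")

def analyse(capture):
    """Per truncated-ip6 line: bytes actually delivered to the interface, and whether the
    'addresses' are really payload bytes that tcpdump parsed as an IPv6 header."""
    results = []
    for line in capture.splitlines():
        m = TRUNC_RE.search(line)
        if not m:
            continue
        missing, claimed, src, dst = int(m.group(1)), int(m.group(2)), m.group(3), m.group(4)
        rec = {"received": IPV6_HDR + claimed - missing, "bogus_header": False}
        if FULL_HEX_ADDR.match(src) and FULL_HEX_ADDR.match(dst):
            text = hex_addr_to_ascii(src) + hex_addr_to_ascii(dst)
            if text.isprintable():  # 32 bytes of clean text is HTTP content, not a header
                rec.update(bogus_header=True, text=text)
        results.append(rec)
    return results

if __name__ == "__main__":
    for r in analyse(SAMPLE):
        print(r)
```

On the three sample lines it reports 528, 528 and 224 received bytes, which sum to exactly the 1280-byte gif MTU, and the decoded "addresses" read ", 10-May-2012 23:17:05 GMT; path" and "</title><script>window.google={k", i.e. HTTP response bytes that tcpdump parsed as IPv6 headers. 528 is also the largest 8-byte multiple that fits in a 552-byte IPv4 fragment after a 20-byte header.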
