Linux, FreeBSD, Juniper, Cisco / Network security articles and troubleshooting guides
Register
FAQ
It is currently Fri Dec 01, 2023 1:26 am

ROOT ‹ FreeBSD, Linux and AIX ‹ TCP/IP Networking ‹ FreeBSD net.inet.ip.fastforwarding breaks IPSEC tunnels

Internet Protocol, Transport Control Protocol, Network protocols, Routing, Routers, IP aliases, Routes, Ethernet

Post a reply

FreeBSD net.inet.ip.fastforwarding breaks IPSEC tunnels

« Previous topic | Next topic »
Author Message
mandrei99
  Post  Post subject: FreeBSD net.inet.ip.fastforwarding breaks IPSEC tunnels  |  Posted: Tue Jan 07, 2014 6:06 am

Joined: Tue Aug 04, 2009 9:16 am
Posts: 250

Offline
 

FreeBSD net.inet.ip.fastforwarding breaks IPSEC tunnels

This is a known design limitation. While the fastforwarding feature brings latency and throughput improvement and it supports most of the normal (slow) IP forwarding path, it does not support IPSEC brokering. See "man 4 inet". Quote: "
Quote:
IPCTL_FASTFORWARDING (ip.fastforwarding) Boolean: enable/disable the use
of fast IP forwarding code. Defaults to off. When
fast IP forwarding is enabled, IP packets are for-
warded directly to the appropriate network inter-
face with direct processing to completion, which
greatly improves the throughput. All packets for
local IP addresses, non-unicast, or with IP options
are handled by the normal IP input processing path.
All features of the normal (slow) IP forwarding
path are supported including firewall (through
pfil(9) hooks) checking, except ipsec(4) tunnel
brokering. The IP fastforwarding path does not
generate ICMP redirect or source quench messages.


In the following scenario where an IPSEC tunnel ending on FreeBSD router, packets will be routed back to the interface towards the default gateway, instead of being routed through the tunnel:

Internet ---- em0 FreeBSD
IPSEC tun ---- enc0 FreeBSD (enc0 is pseudo interface for Ipsec tunnel traffic).

a packet ariving on em0 interface destined for a host behind the tunnel will be routed back to em0 to default gateway.





Top
mandrei99
  Post  Post subject: Re: FreeBSD net.inet.ip.fastforwarding breaks IPSEC tunnels  |  Posted: Tue Jan 07, 2014 6:13 am

Joined: Tue Aug 04, 2009 9:16 am
Posts: 250

Offline
IMPORTANT !!! If the default gateway is a basic router without RPF check or anything besides a firewall that drops fast routed packets, this will most probably create a layer 3 (ip) loop: FreeBSD fast forwards packets (internet sourced, ipsec tunnel destined) back to default router instead of IPSEC tunnel and the default router will send them back to the FreeBSD gateway. Depending on the amount of traffic destined for the tunnel, this can impact the network performance.


Top
Display posts from previous:  Sort by  
 E-mail friendPrint view
Post a reply

Topics related to - "FreeBSD net.inet.ip.fastforwarding breaks IPSEC tunnels"
 Topics   Author   Replies   Views   Last post 
There are no new unread posts for this topic. FreeBSD PF supported icmp types

admin

0

3217

Fri Jan 28, 2011 9:15 am

admin View the latest post

There are no new unread posts for this topic. FreeBSD - multiple routing tables

mandrei99

0

10463

Wed Aug 28, 2013 8:40 am

mandrei99 View the latest post

There are no new unread posts for this topic. FreeBSD: How to list IPv6 neighbors

mandrei99

0

6066

Mon Oct 06, 2014 10:00 am

mandrei99 View the latest post

There are no new unread posts for this topic. FreeBSD show network interface statistics

mandrei99

0

5688

Wed Sep 25, 2013 9:30 am

mandrei99 View the latest post

There are no new unread posts for this topic. Set up FTP PROXY via command line in Linux/FreeBSD

mandrei99

0

22856

Tue Jan 20, 2015 5:01 pm

mandrei99 View the latest post

There are no new unread posts for this topic. FreeBSD tcpdump on enc0 doesn't show any traffic

mandrei99

0

3760

Fri Jun 21, 2013 8:54 am

mandrei99 View the latest post

There are no new unread posts for this topic. FreeBSD - Adding VLAN Tagged subinterface using ifconfig

admin

0

11132

Mon Aug 19, 2013 10:44 am

admin View the latest post

There are no new unread posts for this topic. FreeBSD list interface multicast group membership

mandrei99

0

4655

Tue Dec 03, 2013 9:02 am

mandrei99 View the latest post

There are no new unread posts for this topic. How to accept IPv6 Router Advertisements on interface in FreeBSD

mandrei99

0

3806

Wed Apr 29, 2015 3:54 am

mandrei99 View the latest post

There are no new unread posts for this topic. FreeBSD list the outgoing interface for packets to a specific IP destination

mandrei99

0

2946

Mon Jul 22, 2013 10:12 am

mandrei99 View the latest post

 

Who is online
Users browsing this forum: No registered users and 0 guests
You can post new topics in this forum
You can reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum
Jump to:  
cronNews News Site map Site map SitemapIndex SitemapIndex RSS Feed RSS Feed Channel list Channel list


ROOT ‹ FreeBSD, Linux and AIX ‹ TCP/IP Networking
Delete all board cookies | The team | All times are UTC - 5 hours [ DST ]



phpBB SEO