Dear Community,
I have been using security/openfortivpn to connect to my company's corporate network for more than half a year now, and never had a problem with it. However, after a complete upgrade from 13.2 to 14.0, the traffic through the tun0 interface created by openfortivpn stopped passing.
So, I fired up a VM with 13.2 and another one with 14.0, and checked on those as well - the problem seems to be real, but I decided to ask here first as there is still a possibility that I am doing something wrong.
My config is fairly simple. I only set the host, the port, the username, the trusted-cert and set-dns = 0.
It seems to work as far as connecting goes - on both versions, connection is successful, routes are added, the tun0 interface comes up.
(xxx.xxx.xxx.xxx is obviously my corporate gateway IP)
13.2:
14.0:
However, when I try to reach the network, like execute a simple ping, there is a big difference between the two:
13.2:
14.0:
I even tried to turn on the debug.if_tun_debug sysctl kernel flag to see what is going on inside the tun driver while executing the ping.
13.2:
14.0:
As can be seen, the tunwrite is not called in the latter case, so the driver perceives the packet as being sent without getting a reply. However, the scenario is the same here, the network, the gateway, the configuration - the only difference is the FreeBSD version. I also checked a Linux machine with openssl-3.0 to see if the updated openssl was the problem, but the Linux setup worked fine as well.
Finally, I checked the network interface where the tunnelled packet is supposed to go out, and in case of 13.2, I can see the packets going out (and the replies coming back) while in case of 14.0, there is nothing going in or out.
I am really out of ideas about what to check here, but it seems that there is some issue within the kernel between the tun and the network interfaces.
Could somebody, please, give me a hand?
Many thanks in advance!
I have been using security/openfortivpn to connect to my company's corporate network for more than half a year now, and never had a problem with it. However, after a complete upgrade from 13.2 to 14.0, the traffic through the tun0 interface created by openfortivpn stopped passing.
So, I fired up a VM with 13.2 and another one with 14.0, and checked on those as well - the problem seems to be real, but I decided to ask here first as there is still a possibility that I am doing something wrong.
My config is fairly simple. I only set the host, the port, the username, the trusted-cert and set-dns = 0.
It seems to work as far as connecting goes - on both versions, connection is successful, routes are added, the tun0 interface comes up.
(xxx.xxx.xxx.xxx is obviously my corporate gateway IP)
13.2:
Code:
$ ifconfig tun0
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
options=80000<LINKSTATE>
inet 10.12.1.130 --> xxx.xxx.xxx.xxx netmask 0xffffffff
groups: tun
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
Opened by PID 691
14.0:
Code:
$ ifconfig tun0
tun0: flags=1008051<UP,POINTOPOINT,RUNNING,MULTICAST,LOWER_UP> metric 0 mtu 1500
options=80000<LINKSTATE>
inet 10.12.1.130 --> xxx.xxx.xxx.xxx netmask 0xffffffff
groups: tun
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
Opened by PID 1896
However, when I try to reach the network, like execute a simple ping, there is a big difference between the two:
13.2:
Code:
$ sudo tcpdump -i tun0
Password:
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type NULL (BSD loopback), capture size 262144 bytes
09:49:56.086938 IP 10.12.1.130 > 10.12.14.1: ICMP echo request, id 26627, seq 20, length 64
09:49:56.090581 IP 10.12.1.130.44214 > 10.12.14.1.domain: 23899+ PTR? 130.1.12.10.in-addr.arpa. (42)
09:49:56.099329 IP 10.12.14.1 > 10.12.1.130: ICMP echo reply, id 26627, seq 20, length 64
09:49:56.102204 IP 10.12.14.1.domain > 10.12.1.130.44214: 23899 NXDomain* 0/1/0 (92)
09:49:56.102933 IP 10.12.1.130.41163 > 10.12.14.1.domain: 44969+ PTR? 1.14.12.10.in-addr.arpa. (41)
09:49:56.113332 IP 10.12.14.1.domain > 10.12.1.130.41163: 44969 NXDomain* 0/1/0 (91)
09:49:57.128101 IP 10.12.1.130 > 10.12.14.1: ICMP echo request, id 26627, seq 21, length 64
09:49:57.140184 IP 10.12.14.1 > 10.12.1.130: ICMP echo reply, id 26627, seq 21, length 64
09:49:58.167455 IP 10.12.1.130 > 10.12.14.1: ICMP echo request, id 26627, seq 22, length 64
09:49:58.177998 IP 10.12.14.1 > 10.12.1.130: ICMP echo reply, id 26627, seq 22, length 64
09:49:59.217471 IP 10.12.1.130 > 10.12.14.1: ICMP echo request, id 26627, seq 23, length 64
09:49:59.229943 IP 10.12.14.1 > 10.12.1.130: ICMP echo reply, id 26627, seq 23, length 64
14.0:
Code:
$ sudo tcpdump -i tun0
Password:
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on tun0, link-type NULL (BSD loopback), snapshot length 262144 bytes
08:44:17.336355 IP 10.12.1.130 > 10.12.14.1: ICMP echo request, id 60167, seq 8, length 64
08:44:18.342343 IP 10.12.1.130 > 10.12.14.1: ICMP echo request, id 60167, seq 9, length 64
08:44:19.378614 IP 10.12.1.130 > 10.12.14.1: ICMP echo request, id 60167, seq 10, length 64
08:44:20.380962 IP 10.12.1.130 > 10.12.14.1: ICMP echo request, id 60167, seq 11, length 64
08:44:21.388591 IP 10.12.1.130 > 10.12.14.1: ICMP echo request, id 60167, seq 12, length 64
08:44:22.450852 IP 10.12.1.130 > 10.12.14.1: ICMP echo request, id 60167, seq 13, length 64
08:44:23.474984 IP 10.12.1.130 > 10.12.14.1: ICMP echo request, id 60167, seq 14, length 64
08:44:24.532355 IP 10.12.1.130 > 10.12.14.1: ICMP echo request, id 60167, seq 15, length 64
08:44:25.547038 IP 10.12.1.130 > 10.12.14.1: ICMP echo request, id 60167, seq 16, length 64
08:44:26.564679 IP 10.12.1.130 > 10.12.14.1: ICMP echo request, id 60167, seq 17, length 64
08:44:27.625610 IP 10.12.1.130 > 10.12.14.1: ICMP echo request, id 60167, seq 18, length 64
08:44:28.644863 IP 10.12.1.130 > 10.12.14.1: ICMP echo request, id 60167, seq 19, length 64
I even tried to turn on the debug.if_tun_debug sysctl kernel flag to see what is going on inside the tun driver while executing the ping.
13.2:
Code:
tun0: tunpoll
tun0: tunpoll waiting
tun0: tunpoll
tun0: tunpoll waiting
tun0: tunpoll
tun0: tunpoll waiting
tun0: tunwrite
tun0: tunpoll
tun0: tunpoll waiting
tun0: tunpoll
tun0: tunpoll waiting
tun0: tunoutput
tun0: starting
tun0: tunpoll
tun0: tunpoll q=1
tun0: read
tun0: tunpoll
tun0: tunpoll waiting
tun0: tunpoll
tun0: tunpoll waiting
tun0: tunpoll
tun0: tunpoll waiting
tun0: tunwrite
tun0: tunpoll
tun0: tunpoll waiting
tun0: tunpoll
tun0: tunpoll waiting
tun0: tunoutput
tun0: starting
tun0: tunpoll
tun0: tunpoll q=1
tun0: read
tun0: tunpoll
tun0: tunpoll waiting
tun0: tunpoll
tun0: tunpoll waiting
tun0: tunpoll
tun0: tunpoll waiting
tun0: tunwrite
tun0: tunpoll
tun0: tunpoll waiting
14.0:
Code:
tun0: tunpoll
tun0: tunpoll waiting
tun0: tunpoll
tun0: tunpoll waiting
tun0: tunpoll
tun0: tunpoll waiting
tun0: tunpoll
tun0: tunpoll waiting
tun0: tunoutput
tun0: starting
tun0: tunpoll
tun0: tunpoll q=1
tun0: read
tun0: tunpoll
tun0: tunpoll waiting
tun0: tunpoll
tun0: tunpoll waiting
tun0: tunpoll
tun0: tunpoll waiting
tun0: tunpoll
tun0: tunpoll waiting
tun0: tunoutput
tun0: starting
tun0: tunpoll
tun0: tunpoll q=1
tun0: read
tun0: tunpoll
tun0: tunpoll waiting
tun0: tunpoll
tun0: tunpoll waiting
tun0: tunpoll
tun0: tunpoll waiting
tun0: tunpoll
tun0: tunpoll waiting
As can be seen, the tunwrite is not called in the latter case, so the driver perceives the packet as being sent without getting a reply. However, the scenario is the same here, the network, the gateway, the configuration - the only difference is the FreeBSD version. I also checked a Linux machine with openssl-3.0 to see if the updated openssl was the problem, but the Linux setup worked fine as well.
Finally, I checked the network interface where the tunnelled packet is supposed to go out, and in case of 13.2, I can see the packets going out (and the replies coming back) while in case of 14.0, there is nothing going in or out.
I am really out of ideas about what to check here, but it seems that there is some issue within the kernel between the tun and the network interfaces.
Could somebody, please, give me a hand?
Many thanks in advance!