Date:      Mon, 9 Sep 2002 16:07:07 +0200
From:      Stefan `Sec` Zehl <sec@42.org>
To:        freebsd-questions@freebsd.org, snap-users@kame.net
Cc:        nick@schoko.org
Subject:   IPSec and IPv6 tunnel => icmp missing problem
Message-ID:  <20020909140707.GA18053@matrix.42.org>

Hi,

A friend of mine has a machine (FreeBSD-4.6-STABLE with no patches) which
is the endpoint of an IPSec tunnel, and at the same time the endpoint of an
IPv6 (gif) tunnel. The IPv6 tunnel is coming in via the encrypted IPSec
link.

Now, if I traceroute to that machine, I only get '*'.

The routing is correct - telnet, ping6 work fine, and route get shows
the correct interface.

While debugging, I noticed the following:
in netstat -s -p icmp6, the following counters increase on reception of
a traceroute packet:

| 459 calls to icmp_error
| 320 errors not generated because old message was icmp error or so
| Histogram of error messages to be generated:
|           504 port unreachable

while on another machine with ipv6 not coming in via an IPSec tunnel the
following counters increase:

| 147 calls to icmp_error
| Output histogram:
| 	   unreach: 56
| Histogram of error messages to be generated:
| 	   37 port unreachable

While looking through /usr/src/sys/netinet6/icmp6.c I noticed the
following block (around line 256):

| #ifdef M_DECRYPTED  /*not openbsd*/
|     if (m->m_flags & M_DECRYPTED) {
|         icmp6stat.icp6s_canterror++;
|         goto freeit;
|     }
| #endif

which looks like it is the cause of that effect.

Before I go and remove that block, can anyone tell me why it is there?
The comment (not openbsd) makes me wonder why it was put there in the
first place.

CU,
    Sec

P.S.: This all is a recent FreeBSD-4.6-STABLE:

FreeBSD yori.schoko.org 4.6-STABLE FreeBSD 4.6-STABLE #0: Sat Aug 10 14:16:27 CEST 2002     root@yori.schoko.org:/usr/src/sys/compile/SCHOKO i386
-- 
I really don't want to have to deal with the OpenSSH folks over at
openbsd.org.  They bite. :)                       - Jordan Hubbard

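Added example, not part of Sec's mail or of FreeBSD: a small Python script that automates the comparison Sec did by hand, parsing two `netstat -s -p icmp6` snapshots (one taken before a probe arrives, one after) and reporting which counters moved. The counter descriptions follow the lines quoted in the mail; the snapshot text, its indentation and all numbers are constructed for illustration. Function names (`parse_icmp6_stats`, `diff_counters`, `summarize`) are this example's own.

```python
"""Diff two `netstat -s -p icmp6` snapshots to see which ICMPv6 counters moved.

Added diagnostic example, not code from the mail or from FreeBSD. The two
snapshots below are constructed: they mimic the layout of netstat output
(protocol label, then counters, then indented histogram blocks).
"""
import re

# "<count> <description>" (top-level counters and 'to be generated' buckets)
_LEADING = re.compile(r"^(\d+)\s+(.*\S)$")
# "<name>: <count>" (entries of the 'Output histogram' block)
_TRAILING = re.compile(r"^(\S.*?):\s*(\d+)$")

# netstat's text for the icp6s_canterror counter the mail points at
CANTERROR = "errors not generated because old message was icmp error or so"

# Constructed "before" snapshot, numbers loosely based on the mail's tunnel host.
BEFORE = """\
icmp6:
\t459 calls to icmp_error
\t320 errors not generated because old message was icmp error or so
\tOutput histogram:
\t\tunreach: 12
\tHistogram of error messages to be generated:
\t\t504 port unreachable
"""

# Constructed "after" snapshot: one traceroute probe arrived over the tunnel.
AFTER = """\
icmp6:
\t460 calls to icmp_error
\t321 errors not generated because old message was icmp error or so
\tOutput histogram:
\t\tunreach: 12
\tHistogram of error messages to be generated:
\t\t505 port unreachable
"""


def parse_icmp6_stats(text):
    """Return {counter_name: value}.  Entries inside a histogram block are
    keyed "<block title>/<name>" so buckets from different blocks cannot collide."""
    stats = {}
    section, section_indent = None, -1
    for raw in text.splitlines():
        if not raw.strip():
            continue
        line = raw.rstrip()
        indent = len(line) - len(line.lstrip(" \t"))
        body = line.strip()
        if indent <= section_indent:
            section, section_indent = None, -1      # left the histogram block
        if body.endswith(":"):
            if indent == 0:
                continue                             # protocol label, e.g. "icmp6:"
            section, section_indent = body[:-1], indent
            continue
        m = _LEADING.match(body)
        if m:
            count, name = int(m.group(1)), m.group(2)
        else:
            m = _TRAILING.match(body)
            if not m:
                continue                             # not a counter line
            name, count = m.group(1), int(m.group(2))
        stats[f"{section}/{name}" if section else name] = count
    return stats


def diff_counters(before, after):
    """Return {counter_name: delta} for every counter that changed."""
    keys = sorted(set(before) | set(after))
    return {k: after.get(k, 0) - before.get(k, 0)
            for k in keys if after.get(k, 0) != before.get(k, 0)}


def summarize(delta):
    """(calls, suppressed, sent): icmp_error calls, calls absorbed by the
    'errors not generated' bucket, and errors that reached the output histogram."""
    calls = delta.get("calls to icmp_error", 0)
    suppressed = delta.get(CANTERROR, 0)
    sent = sum(v for k, v in delta.items() if k.startswith("Output histogram/"))
    return calls, suppressed, sent


if __name__ == "__main__":
    delta = diff_counters(parse_icmp6_stats(BEFORE), parse_icmp6_stats(AFTER))
    for name, change in delta.items():
        print(f"{change:+d}  {name}")
    calls, suppressed, sent = summarize(delta)
    if calls and not sent and suppressed >= calls:
        print("every icmp_error call was suppressed; nothing reached the output histogram")
```

In practice you would capture the two snapshots with `netstat -s -p icmp6 > before.txt`, send one probe, capture again and feed both files to the parser. One caveat for real output: netstat prints singular or plural wording depending on the count ("1 error not generated" versus "320 errors not generated"), so a tool used across low counter values should normalise that wording before comparing keys; the constructed snapshots above avoid that case.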