Date: Tue, 27 May 2008 20:43:31 +0000 (UTC)
From: "Bjoern A. Zeeb"
To: Tom Judge
Cc: net@FreeBSD.org
Subject: Re: ICMP Error transmission/response over IPSec tunnels

On Tue, 27 May 2008, Tom Judge wrote:

Hi,

> Yes we do indeed see a reply from node b. It is good to hear that this is a
> known issue.
>
> The IPSec configuration is a gif ipip tunnel that is then encrypted with
> IPSec using esp in tunnel mode as per the ipsec vpn section in the handbook.

1) if you do not need the ipip tunnel because you need an interface
   and "link state changes" only go with the IPsec tunnel mode.
2) If you need the gif tunnel on top and routing, use IPsec transport mode.

(ignore the handbook, try to understand it;)

> Do you have any more information on the underlying source of the problem? If
> so it would help me find the problem. I may set up a small test network to
> find this problem this evening time permitting.

a test network is not a problem. time is.

> PS. Could you pm me a link to your RELENG_7 multi ip jail patches?

check the latest status report at... for the link:
http://www.freebsd.org/news/status/report-2008-01-2008-03.html#Multi-IPv4/v6/no-IP-jails

--
Bjoern A. Zeeb              Stop bit received. Insert coin for new game.