Date: Tue, 27 May 2008 16:08:40 -0500
From: Tom Judge <tom@tomjudge.com>
To: "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net>
Cc: net@FreeBSD.org
Subject: Re: ICMP Error transmission/response over IPSec tunnels
Message-ID: <483C7858.5000302@tomjudge.com>
In-Reply-To: <20080527204111.F65662@maildrop.int.zabbadoz.net>
References: <483C51EE.7040700@tomjudge.com> <20080527201331.L65662@maildrop.int.zabbadoz.net> <483C70A9.2060500@tomjudge.com> <20080527204111.F65662@maildrop.int.zabbadoz.net>
Bjoern A. Zeeb wrote:
> On Tue, 27 May 2008, Tom Judge wrote:
>
> Hi,
>
>> Yes we do indeed see a reply from node b. It is good to hear that
>> this is a known issue.
>>
>> The IPSec configuration is a gif ipip tunnel that is then encrypted
>> with IPSec using esp in tunnel mode as per the ipsec vpn section in
>> the handbook.
>
> 1) if you do not need the ipip tunnel because you need an interface
> and "link state changes" only go with the IPsec tunnel mode.
>
> 2) If you need the gif tunnel on top and routing, use IPsec transport
> mode.
>
> (ignore the handbook, try to understand it;)

I have 13 nodes in a partial mesh running ospf for routing. It would not be trivial for me to switch from tunnel to transport mode. Also I have not tested quagga when the ipsec is in transport mode, and I guess I do need interfaces to use with quagga. I may test fixing this additional overhead, but as they say, if it's not broken don't fix it.

>> Do you have any more information on the underlying source of the
>> problem? If so it would help me find the problem. I may setup a
>> small test network to find this problem this evening time permitting.
>
> a test network is not a problem. time is.
>

Please understand that I was not asking for you to fix this problem, just for some pointers into where to start looking. The reason I ask is that you seem to know in what region the error exists, and it would be helpful to me if you could tell me so that I could try to find a solution to the problem myself. At a guess the code that I need to look at is in icmp_error() or further down the icmp transmit path (maybe icmp_reflect or further?).

Thanks again.

Tom
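The two layouts Bjoern lists (IPsec tunnel mode on its own, versus a gif ipip tunnel protected by IPsec transport mode) written out as the FreeBSD ifconfig and setkey commands for node A. This is an added example, not configuration from the thread or the handbook; the addresses are constructed placeholders from the RFC 5737 documentation ranges, and gif0 is an assumed interface name.

```shell
#!/bin/sh
# Added example: the two IPsec layouts discussed in the thread, as the
# commands one would run on FreeBSD node A. Addresses are constructed
# placeholders; 203.0.113.x are the outer (public) endpoints, 10.0.0.x the
# inner tunnel addresses a routing daemon such as quagga would use.
OUTER_A=203.0.113.1; OUTER_B=203.0.113.2
INNER_A=10.0.0.1;    INNER_B=10.0.0.2

# Option 1: IPsec tunnel mode only. The kernel adds the outer IP header
# itself, so there is no gif interface for a routing daemon to bind to and
# no link state to observe. Policies are written from node A's point of view.
spd_tunnel_mode() {
    cat <<EOF
spdadd $INNER_A/32 $INNER_B/32 any -P out ipsec esp/tunnel/$OUTER_A-$OUTER_B/require;
spdadd $INNER_B/32 $INNER_A/32 any -P in  ipsec esp/tunnel/$OUTER_B-$OUTER_A/require;
EOF
}

# Option 2: a gif (ipip) tunnel carries the inner traffic and gives the
# routing daemon a real interface; IPsec transport mode then protects only
# the ipencap (protocol 4) packets exchanged between the outer endpoints.
gif_tunnel_cmds() {
    cat <<EOF
ifconfig gif0 create
ifconfig gif0 tunnel $OUTER_A $OUTER_B
ifconfig gif0 inet $INNER_A $INNER_B netmask 255.255.255.252
EOF
}

spd_transport_mode() {
    cat <<EOF
spdadd $OUTER_A/32 $OUTER_B/32 ipencap -P out ipsec esp/transport//require;
spdadd $OUTER_B/32 $OUTER_A/32 ipencap -P in  ipsec esp/transport//require;
EOF
}

# Apply option 2 on node A (root on FreeBSD): sh ipsec_layouts.sh apply
# Without the argument the script only defines the generators, so the
# policies can be inspected with e.g.: . ./ipsec_layouts.sh; spd_tunnel_mode
if [ "${1:-}" = apply ]; then
    gif_tunnel_cmds | sh -e
    spd_transport_mode | setkey -c
fi
```

Node B uses the same two functions with the A and B variables swapped. The difference worth noticing is the upper-layer selector: in transport mode the policy matches only `ipencap`, so the ESP payload is the ipip packet and IPsec adds no second outer header, whereas the tunnel-mode policy selects the inner addresses and lets IPsec build the outer header.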