From owner-freebsd-net@FreeBSD.ORG Fri Nov 14 18:37:03 2008 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 3F4A31065673; Fri, 14 Nov 2008 18:37:03 +0000 (UTC) (envelope-from sclark46@earthlink.net) Received: from elasmtp-dupuy.atl.sa.earthlink.net (elasmtp-dupuy.atl.sa.earthlink.net [209.86.89.62]) by mx1.freebsd.org (Postfix) with ESMTP id F0ACA8FC16; Fri, 14 Nov 2008 18:37:02 +0000 (UTC) (envelope-from sclark46@earthlink.net) DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=dk20050327; d=earthlink.net; b=f1MKOuXTBLm+ZKI7xMLkhZ10seC+RYKdxOVJkCpaYoxJLOW3Ai8tP69kgyKR8U5R; h=Received:Message-ID:Date:From:Reply-To:User-Agent:MIME-Version:To:CC:Subject:References:In-Reply-To:Content-Type:Content-Transfer-Encoding:X-ELNK-Trace:X-Originating-IP; Received: from [208.118.36.229] (helo=joker.seclark.com) by elasmtp-dupuy.atl.sa.earthlink.net with esmtpsa (TLSv1:AES256-SHA:256) (Exim 4.67) (envelope-from ) id 1L13XP-0006Rw-OF; Fri, 14 Nov 2008 13:36:59 -0500 Message-ID: <491DC54A.1090907@earthlink.net> Date: Fri, 14 Nov 2008 13:36:58 -0500 From: Stephen Clark User-Agent: Thunderbird 2.0.0.16 (X11/20080723) MIME-Version: 1.0 To: Julian Elischer References: <491B2703.4080707@earthlink.net> <491B31F7.30200@elischer.org> <491B4345.80106@earthlink.net> <491B47D2.6010804@elischer.org> <491C2235.4090509@earthlink.net> <1226589468.1976.12.camel@wombat.2hip.net> <491C4EC2.2000802@earthlink.net> <491D6CED.50006@earthlink.net> <491DC28E.80804@elischer.org> In-Reply-To: <491DC28E.80804@elischer.org> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-ELNK-Trace: a437fbc6971e80f61aa676d7e74259b7b3291a7d08dfec7902bd0cf6eff9e584ec18d5e033017cb2350badd9bab72f9c350badd9bab72f9c350badd9bab72f9c X-Originating-IP: 208.118.36.229 Cc: freebsd-net@freebsd.org, FreeBSD Stable , Robert Noland Subject: Re: FreeBSD 6.3 gre and traceroute X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: sclark46@earthlink.net List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 14 Nov 2008 18:37:03 -0000 Julian Elischer wrote: > Stephen Clark wrote: >> Stephen Clark wrote: > >>>>>> >>>>>> 10.0.129.1 FreeBSD workstation >>>>>> ^ >>>>>> | >>>>>> | ethernet >>>>>> | >>>>>> v >>>>>> 10.0.128.1 Freebsd FW "A" >>>>>> ^ >>>>>> | >>>>>> | gre / ipsec >>>>>> | >>>>>> v >>>>>> 192.168.3.1 FreeBSD FW "B" >>>>>> ^ >>>>>> | >>>>>> | ethernet >>>>>> | >>>>>> v >>>>>> 192.168.3.86 linux workstation >>>>>> > >>> Also just using gre's without the underlying ipsec tunnels seems to >>> work properly. > > > This is the crux of the matter. > IPSEC happens INSIDE the IP stack. The IP stack is responsible for > the ICMP generation so it is much more likely that there is an > interaction there. > > Now is there an IPSEC rule to make sure that the ICMP packet can get > back? It could b ehtat in teh IP stack there is some confusion as to > whether the return packet should be encrypted or not and it might get > dropped. > > the code involved is in /sys/netinet and /sys/netipsec but you'll > probably regret looking in there ;-) > > > >>> >>> >> Another data point I had been using option FILTER_GIF I tried a kernel >> without that option and it behaved the same. >> >> Steve >> > I agree I put a diag in ip_input.c if (ip->ip_ttl <= IPTTLDEC) { icmp_error(m, ICMP_TIMXCEED, ICMP_TIMXCEED_INTRANS, 0, 0); return; and sure enough it is calling icmp_error, but I think it can't figure out how to route the packet back. I been looking at my SPD to see if I can make some adjustment to the policy that would help. -- "They that give up essential liberty to obtain temporary safety, deserve neither liberty nor safety." (Ben Franklin) "The course of history shows that as a government grows, liberty decreases." (Thomas Jefferson)