From: Vladimir Grigorov <vl.varlog@gmail.com>
Date: Thu, 16 Sep 2010 18:00:53 +0400
To: freebsd-net@freebsd.org
Subject: Strange FreeBSD behavior when trying to forward between ipsec crypted gif's. Maybe a problem with ICMP unreach packets at all
List-Id: Networking and TCP/IP with FreeBSD

Greetings all.

I have strange problems related to the passage of ICMP need-frag packets and, as a result, of all packets with a length greater than the output gif MTU.

Network diagram:

[HostA] -- (mtu 1500) --- [FW1] --- ipsec gif mtu 1280 <- gif1 -- [FW2] - gif0 -> ipsec gif mtu 6100 - [FW3] -(mtu 1500) - [HostB]

All FW's - FreeBSD hosts
HostA - FreeBSD host
HostB - Cisco 3750e switch in L3 mode

HostA can reach HostB and vice versa. Ping with length above 1280 works fine (pmtu = 1280). Ping with len=1281 without the DF bit also works fine. But ping with mtu 1281 fails.

Question: Why does FW2 not send an ICMP need-fragment-but-DF-set message to HostB?

I tried to permit icmp from all interfaces on FW2 and to explicitly send unreachable packets for all ip packets from a defined source ip - nothing happens. I see increased packet counts related to my source ip, but can't see response icmps with unreachable code.

# uname -a
FreeBSD fw2-mru.astrum-nival.com 8.0-RELEASE-p3 FreeBSD 8.0-RELEASE-p3 #3: Thu Jul 1 18:24:35 MSD 2010 root@fw2-mru.astrum-nival.com:/usr/obj/usr/src/sys/gw amd64

# ifconfig gif0
gif0: flags=8051 metric 0 mtu 6100
        tunnel inet 217.69.143.28 --> 217.69.143.57
        inet 10.192.224.5 --> 10.192.224.6 netmask 0xfffffffc
        options=1

# ifconfig gif1
gif1: flags=8051 metric 0 mtu 1280
        tunnel inet 217.69.143.28 --> 88.212.205.166
        inet 10.160.192.6 --> 10.160.192.5 netmask 0xfffffffc
        options=1

# netstat -nr | grep 192.168.224
192.168.224.0/22   10.192.224.6   UG1   0   36031303   gif0

# netstat -nr | grep 192.168.160.
192.168.160.0/24   10.160.192.5   UG1   0   10969867   gif1

# ipfw show
00006           10            6505 allow icmp from any to 192.168.225.1 via gif0
00100     10524445      1225052712 allow ip from any to any via lo0
00200            0               0 deny ip from any to 127.0.0.0/8
00300            0               0 deny ip from 127.0.0.0/8 to any
00305         2054          433651 allow icmp from any to any via gif0 icmptypes 3,11
00306            0               0 allow icmp from any to 192.168.225.1 via gif0
00310         6960          575159 nat 220 ip from table(10) to any via vlan220
00315         1198           70832 deny ip from not me to 192.168.66.0/23 out xmit vlan220
00320         6512         1611912 nat 220 ip from 192.168.66.0/23 to 192.168.13.199 in recv vlan220
00400    114560294      8963623578 nat 123 ip from 192.168.196.0/24 to any out via vlan506
00402     36831424      2199804860 nat 123 ip from 192.168.193.0/24 to any out via vlan506
00403       153380         9265905 nat 123 ip from 192.168.197.0/24 to any out via vlan506
00500            0               0 nat 123 ip from any to 195.211.130.9 in via vlan506
00501    147593882    174870597871 nat 123 ip from any to 195.211.130.9 in via vlan500
01100            0               0 allow tcp from table(21) to table(23) dst-port 29000
01110            0               0 deny tcp from table(22) to table(23) dst-port 29000
01120            3             144 deny tcp from table(20) to table(23) dst-port 29000
65530 589120438508 133855063718386 allow ip from any to any
65535            0               0 deny ip from any to any

Trying to ping from the Cisco:

c3750e.gldn#ping 192.168.160.248 source 192.168.225.1 repea 5 size 1281 df
Type escape sequence to abort.
Sending 5, 1281-byte ICMP Echos to 192.168.160.248, timeout is 2 seconds:
Packet sent with a source address of 192.168.225.1
Packet sent with the DF bit set
.....
Success rate is 0 percent (0/5)

tcpdump on gif0 (large mtu, before the small mtu gif):

[root@fw2-mru ~]# tcpdump -i gif0 -vvv -n host 192.168.225.1
tcpdump: listening on gif0, link-type NULL (BSD loopback), capture size 96 bytes
17:55:54.006210 IP (tos 0x0, ttl 254, id 805, offset 0, flags [DF], proto ICMP (1), length 1281)
    192.168.225.1 > 192.168.160.248: ICMP echo request, id 161, seq 0, length 1261
17:55:56.013039 IP (tos 0x0, ttl 254, id 806, offset 0, flags [DF], proto ICMP (1), length 1281)
    192.168.225.1 > 192.168.160.248: ICMP echo request, id 161, seq 1, length 1261
17:55:58.015870 IP (tos 0x0, ttl 254, id 807, offset 0, flags [DF], proto ICMP (1), length 1281)
    192.168.225.1 > 192.168.160.248: ICMP echo request, id 161, seq 2, length 1261
17:56:00.020833 IP (tos 0x0, ttl 254, id 808, offset 0, flags [DF], proto ICMP (1), length 1281)
    192.168.225.1 > 192.168.160.248: ICMP echo request, id 161, seq 3, length 1261
17:56:02.027756 IP (tos 0x0, ttl 254, id 809, offset 0, flags [DF], proto ICMP (1), length 1281)
    192.168.225.1 > 192.168.160.248: ICMP echo request, id 161, seq 4, length 1261
^C
5 packets captured
99753 packets received by filter
0 packets dropped by kernel

tcpdump on gif1 (small mtu, on the route to the destination): (nothing)

But if I omit df on the Cisco:

[root@fw2-mru ~]# tcpdump -i gif1 -vvv -n host 192.168.225.1
tcpdump: listening on gif1, link-type NULL (BSD loopback), capture size 96 bytes
17:59:03.083053 IP (tos 0x0, ttl 253, id 815, offset 0, flags [+], proto ICMP (1), length 1276)
    192.168.225.1 > 192.168.160.248: ICMP echo request, id 163, seq 0, length 1256
17:59:03.083147 IP (tos 0x0, ttl 253, id 815, offset 1256, flags [none], proto ICMP (1), length 25)
    192.168.225.1 > 192.168.160.248: icmp
17:59:03.090882 IP (tos 0x0, ttl 253, id 816, offset 0, flags [+], proto ICMP (1), length 1276)
    192.168.225.1 > 192.168.160.248: ICMP echo request, id 163, seq 1, length 1256
17:59:03.090976 IP (tos 0x0, ttl 253, id 816, offset 1256, flags [none], proto ICMP (1), length 25)
    192.168.225.1 > 192.168.160.248: icmp
17:59:03.097254 IP (tos 0x0, ttl 253, id 817, offset 0, flags [+], proto ICMP (1), length 1276)
    192.168.225.1 > 192.168.160.248: ICMP echo request, id 163, seq 2, length 1256
17:59:03.097346 IP (tos 0x0, ttl 253, id 817, offset 1256, flags [none], proto ICMP (1), length 25)
    192.168.225.1 > 192.168.160.248: icmp
17:59:03.105749 IP (tos 0x0, ttl 253, id 818, offset 0, flags [+], proto ICMP (1), length 1276)
    192.168.225.1 > 192.168.160.248: ICMP echo request, id 163, seq 3, length 1256
17:59:03.105844 IP (tos 0x0, ttl 253, id 818, offset 1256, flags [none], proto ICMP (1), length 25)
    192.168.225.1 > 192.168.160.248: icmp
17:59:03.115617 IP (tos 0x0, ttl 253, id 819, offset 0, flags [+], proto ICMP (1), length 1276)
    192.168.225.1 > 192.168.160.248: ICMP echo request, id 163, seq 4, length 1256
17:59:03.115707 IP (tos 0x0, ttl 253, id 819, offset 1256, flags [none], proto ICMP (1), length 25)
    192.168.225.1 > 192.168.160.248: icmp

i.e. the destination is reachable, fragmentation works, routes are symmetrical.

Any comments?

-- 
Best regards,
Vladimir
mailto:vl.varlog@gmail.com
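An added example for readers of this thread (not code from the mail, from FreeBSD, or from ipfw): a small Python model of what a router is expected to do with the packets seen on gif0 when the egress gif has MTU 1280. It parses tcpdump -vvv summary lines in the format quoted above, and for each packet decides between plain forwarding, RFC 791 fragmentation on 8-byte boundaries (the DF-clear case, which reproduces the 1276 + 25 byte fragments captured on gif1), and dropping with an ICMP type 3 code 4 "fragmentation needed and DF set" reply carrying the next-hop MTU as in RFC 1191 (the DF-set case, where the mail sees no reply at all). The first capture line is taken from the mail; the other two, the 1280 MTU argument and the small "report" helper are constructed for the example.

```python
"""Model of a router's PMTU decision for the packets in the gif0 capture.

Added example, not part of the mailing-list post. Two behaviours the mail
contrasts:
  * DF set and too large   -> drop and send ICMP type 3 code 4 (RFC 1191)
  * DF clear and too large -> fragment on 8-byte boundaries (RFC 791)
"""
import re

# First line is copied from the gif0 capture in the mail; the next two are
# constructed: one 1281-byte echo without DF, one small echo with DF.
SAMPLE_CAPTURE = """\
17:55:54.006210 IP (tos 0x0, ttl 254, id 805, offset 0, flags [DF], proto ICMP (1), length 1281)
    192.168.225.1 > 192.168.160.248: ICMP echo request, id 161, seq 0, length 1261
17:59:03.000000 IP (tos 0x0, ttl 254, id 815, offset 0, flags [none], proto ICMP (1), length 1281)
    192.168.225.1 > 192.168.160.248: ICMP echo request, id 163, seq 0, length 1261
17:59:10.000000 IP (tos 0x0, ttl 254, id 820, offset 0, flags [DF], proto ICMP (1), length 100)
    192.168.225.1 > 192.168.160.248: ICMP echo request, id 164, seq 0, length 80
"""

# Field layout of a `tcpdump -vvv -n` IPv4 summary (header line + indented
# src > dst line).  \s+ lets src/dst sit on the next line as tcpdump prints it.
_TCPDUMP_RE = re.compile(
    r"ttl (?P<ttl>\d+), id (?P<id>\d+), offset (?P<offset>\d+), "
    r"flags \[(?P<flags>[^\]]*)\], proto \w+ \((?P<proto>\d+)\), "
    r"length (?P<length>\d+)\)\s+(?P<src>\S+) > (?P<dst>\S+):"
)

IPV4_HEADER = 20          # these packets carry no IP options
ICMP_NEED_FRAG = (3, 4)   # type 3 unreachable, code 4 frag needed and DF set


def parse_capture(text):
    """Return one dict of IPv4 header fields per tcpdump record in `text`."""
    pkts = []
    for m in _TCPDUMP_RE.finditer(text):
        d = m.groupdict()
        for key in ("ttl", "id", "offset", "proto", "length"):
            d[key] = int(d[key])
        d["flags"] = [f.strip() for f in d["flags"].split(",")]
        pkts.append(d)
    return pkts


def fragment(total_length, mtu, ihl=IPV4_HEADER):
    """Split a datagram for a link of `mtu` bytes.

    Returns (offset_bytes, fragment_total_length, more_fragments) per piece.
    Per-fragment payload is rounded down to a multiple of 8 (RFC 791), which
    is why a 1281-byte packet over MTU 1280 becomes 1276 + 25 bytes.
    """
    payload = total_length - ihl
    per_frag = ((mtu - ihl) // 8) * 8
    frags, off = [], 0
    while off < payload:
        chunk = min(per_frag, payload - off)
        frags.append((off, chunk + ihl, off + chunk < payload))
        off += chunk
    return frags


def forward(pkt, egress_mtu):
    """Decide what a router should do with one parsed packet on an egress link."""
    if pkt["length"] <= egress_mtu:
        return {"action": "forward"}
    if "DF" in pkt["flags"]:
        icmp_type, icmp_code = ICMP_NEED_FRAG
        return {
            "action": "icmp-need-frag",
            "icmp_type": icmp_type,
            "icmp_code": icmp_code,
            "next_hop_mtu": egress_mtu,   # RFC 1191 field the sender uses for PMTU
            "icmp_dst": pkt["src"],       # reply goes back toward the original source
            "dropped_id": pkt["id"],
        }
    return {"action": "fragment", "fragments": fragment(pkt["length"], egress_mtu)}


def report(text, egress_mtu):
    """One human-readable line per packet: what the egress hop should have done."""
    lines = []
    for p in parse_capture(text):
        r = forward(p, egress_mtu)
        if r["action"] == "fragment":
            detail = " + ".join(str(f[1]) for f in r["fragments"]) + " bytes"
        elif r["action"] == "icmp-need-frag":
            detail = "ICMP %d/%d to %s, next-hop MTU %d" % (
                r["icmp_type"], r["icmp_code"], r["icmp_dst"], r["next_hop_mtu"])
        else:
            detail = "fits"
        lines.append("id %d len %d flags %s -> %s: %s" % (
            p["id"], p["length"], ",".join(p["flags"]), r["action"], detail))
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_CAPTURE, 1280):   # 1280 is gif1's MTU in the mail
        print(line)
```

Run against the mail's numbers, the model says the first packet should have produced a type 3 code 4 message back to 192.168.225.1 with next-hop MTU 1280, which would leave FW2 on gif0 (the direction rule 00305 already permits for icmptypes 3,11), and that the DF-clear packet fragments into exactly the 1276- and 25-byte pieces the gif1 capture shows. Comparing this expected behaviour with a capture on gif0 is a quick way to confirm that the missing piece is the ICMP generation on FW2 rather than a filter on the path.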