From: Vladimir Grigorov
Date: Fri, 17 Sep 2010 12:18:57 +0400
To: Tom Judge
Message-ID: <1307024327.20100917121857@gmail.com>
In-Reply-To: <4C923353.7090801@tomjudge.com>
Cc: freebsd-net@freebsd.org
Subject: Re: Fwd: Re: Strange FreeBSD behavior when trying to forward beetween ipsec crypted gif's. May be a problem with ICMP unreach packets at all

greets all

> If you take a look at icmp_error() in sys/netinet/ip_icmp.c you will see
> that icmp errors are not sent for packets that have previously been
> decrypted by IPSec.

Maybe some misunderstanding happened. I have gif and ipsec. IPSEC mode is transport, which means traffic is encrypted only between the gifs' outer addresses. As a result, traffic in gif is encrypted by encrypting the ipip container. But I can view traffic on gif with tcpdump as on regular interfaces. E.g. gif's inner traffic is not processed by ipsec at all.
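The setup Vladimir describes (a gif tunnel whose IP-in-IP container is protected by transport-mode ESP between the outer addresses) expressed as setkey(8) policy, added here as an example and not part of the original thread; the outer addresses and interface name are placeholders, and `ipencap` is the /etc/protocols name for protocol 4 (IPIP):

```shell
#!/bin/sh
# Added example (not from the thread): emit the setkey(8) SPD entries for a
# gif(4) tunnel whose IPIP packets between the two OUTER addresses must be
# ESP-protected in transport mode. Only the ipencap container is covered, so
# the inner packets seen on gif0 are never themselves handled by IPsec,
# which is exactly why tcpdump on gif0 shows them in the clear.
# Outer addresses below are constructed placeholders.

gif_spd() {
    # $1 = local outer address, $2 = remote outer address (IPv4 dotted quad)
    local_addr=$1
    remote_addr=$2
    case "$local_addr$remote_addr" in
        *[!0-9.]*|"")
            echo "usage: gif_spd LOCAL_OUTER REMOTE_OUTER" >&2
            return 1 ;;
    esac
    # Require ESP/transport for ipencap only; other traffic keeps the
    # default (no-policy) behaviour.
    printf 'spdadd %s %s ipencap -P out ipsec esp/transport//require;\n' \
        "$local_addr" "$remote_addr"
    printf 'spdadd %s %s ipencap -P in  ipsec esp/transport//require;\n' \
        "$remote_addr" "$local_addr"
}

# What to capture when verifying the claim in the mail: the outer interface
# should carry only ESP, while gif0 shows the decrypted inner traffic.
check_commands() {
    outer_if=$1
    printf 'tcpdump -ni %s esp\n' "$outer_if"
    printf 'tcpdump -ni gif0\n'
}

gif_spd 192.0.2.1 198.51.100.1   # placeholder outer addresses
check_commands em0               # placeholder outer interface
```

Feed the `spdadd` lines to `setkey -c` (or put them in /etc/ipsec.conf) on each end with the addresses swapped.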