From: Stephen Clark
Reply-To: sclark46@earthlink.net
Date: Fri, 14 Nov 2008 07:19:57 -0500
To: sclark46@earthlink.net
Cc: freebsd-net@freebsd.org, FreeBSD Stable, Julian Elischer, Robert Noland
Subject: Re: FreeBSD 6.3 gre and traceroute
Message-ID: <491D6CED.50006@earthlink.net>
In-Reply-To: <491C4EC2.2000802@earthlink.net>
References: <491B2703.4080707@earthlink.net> <491B31F7.30200@elischer.org> <491B4345.80106@earthlink.net> <491B47D2.6010804@elischer.org> <491C2235.4090509@earthlink.net> <1226589468.1976.12.camel@wombat.2hip.net> <491C4EC2.2000802@earthlink.net>
List-Id: freebsd-stable@freebsd.org (Production branch of FreeBSD source code)

Stephen Clark wrote:
> Robert Noland wrote:
>> On Thu, 2008-11-13 at 07:48 -0500, Stephen Clark wrote:
>>> Julian Elischer wrote:
>>>> Stephen Clark wrote:
>>>>> Julian Elischer wrote:
>>>>>> you will need to define the setup and question better.
>>>> thanks.. cleaning it up a bit more...
>>>>
>>>> 10.0.129.1 FreeBSD workstation
>>>>      ^
>>>>      |
>>>>      | ethernet
>>>>      |
>>>>      v
>>>> 10.0.128.1 FreeBSD FW "A"
>>>>      ^
>>>>      |
>>>>      | gre / ipsec
>>>>      |
>>>>      v
>>>> 192.168.3.1 FreeBSD FW "B"
>>>>      ^
>>>>      |
>>>>      | ethernet
>>>>      |
>>>>      v
>>>> 192.168.3.86 linux workstation
>>>>
>>>>> $ sudo traceroute 192.168.3.86
>>>>> traceroute to 192.168.3.86 (192.168.3.86), 64 hops max, 40 byte packets
>>>>>  1  HQFirewallRS.com (10.0.128.1)  0.575 ms  0.423 ms  0.173 ms
>>>>>  2  * * *
>>>>>  3  192.168.3.86 (192.168.3.86)  47.972 ms  45.174 ms  49.968 ms
>>>>>
>>>>> No response from the FreeBSD "B" box.
>>>>>
>>>>> When I do a tcpdump on "B" of the gre interface I see UDP packets
>>>>> with a TTL of 1 but no ICMP response packets being sent back.
>>>>> If I do the traceroute from the linux workstation 192.168.3.86 I get
>>>>> similar results - I don't see a response from the FreeBSD "A" box.
>>>> could you try using just GRE encapsulation?
>>>> (i.e. turn off IPSEC for now)
>>>>
>>>> I think that is much more likely to be where the problem is..
>>>>
>>>>
>>> I'll have to set this up to test it.
>>
>> The ttl exceeded is triggered from one of two places. Either
>> netinet/ip_fastfwd.c if fast_forwarding is enabled or in
>> netinet/ip_input.c. Look for the code relating to IPTTLDEC. This isn't
>> your problem though... If ttl were not being decremented, the packet
>> would just be forwarded on to the next hop (IP_STEALTH), which would
>> just make the firewalls invisible. The fact that you are seeing * * *
>> indicates that you are not receiving the ttl exceeded message for the
>> packet sent with that particular ttl. I still think that the issue you
>> are seeing is that one way or another the generated ICMP response isn't
>> making it back onto the tunnel. Either via security policy, firewall or
>> routing.
> You're right, when I do a tcpdump on the gre interface I see the udp
> packet come in with a ttl=1 but I don't see a response icmp packet. I have
> tested this with all the firewalls disabled to make sure the icmp packet
> was not being blocked.
> I just ran another test and did tcpdump on all the other interfaces to
> make sure the icmp's were not being misrouted, it seems they are not being
> generated for some reason. Also just using gre's without the underlying
> ipsec tunnels seems to work properly.
>>
>> robert.
>>
>>> What code in the FreeBSD kernel is responsible for generating the
>>> response ICMP dest unreachable message?
>>>
>
> Another data point I had been using option FILTER_GIF I tried a kernel
> without that option and it behaved the same.

Steve

-- 
"They that give up essential liberty to obtain temporary safety,
deserve neither liberty nor safety." (Ben Franklin)

"The course of history shows that as a government grows, liberty
decreases." (Thomas Jefferson)
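The hop reply traceroute waits for is ICMP Time Exceeded in transit (type 11, code 0), produced on the forwarding path Robert points at (the IPTTLDEC check in netinet/ip_input.c, or ip_fastfwd.c when fast forwarding is on). The following is an added example, not FreeBSD kernel code and not code posted in this thread: a user-space model of that decision, of the IP_STEALTH case in which the hop is invisible, and of the ICMP reply a hop has to send back. The probe bytes are constructed to match the thread's setup (10.0.129.1 to 192.168.3.86, 40-byte UDP probes), and FW "B" at 192.168.3.1 is assumed to be the replying hop. Routing the reply back over the gre/ipsec tunnel, which is where Robert suspects the loss, is outside this model.

```c
/* Added example (not FreeBSD kernel code, not from this thread): user-space
 * model of the forwarding-path TTL check Robert points at (IPTTLDEC in
 * netinet/ip_input.c and ip_fastfwd.c), of the IP_STEALTH case, and of the
 * ICMP Time Exceeded a hop sends back to a traceroute probe. Bytes are constructed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define IPTTLDEC 1                  /* FreeBSD decrements TTL by 1 per hop */
#define ICMP_TIMXCEED 11
#define ICMP_TIMXCEED_INTRANS 0
enum fwd_result { FWD_BAD_PACKET, FWD_FORWARD, FWD_SEND_TIMXCEED, FWD_STEALTH };

/* RFC 1071 checksum; yields 0 over a block whose checksum field is valid. */
uint16_t in_cksum(const uint8_t *b, size_t len)
{
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < len; i += 2) sum += (uint32_t)((b[i] << 8) | b[i + 1]);
    if (len & 1) sum += (uint32_t)(b[len - 1] << 8);
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }

/* IPv4 header length after sanity checks (version, length, checksum), or 0. */
static size_t ip_hdr_len(const uint8_t *p, size_t len)
{
    if (len < 20 || (p[0] >> 4) != 4) return 0;
    size_t hl = (size_t)(p[0] & 0x0f) * 4;
    return (hl < 20 || hl > len || in_cksum(p, hl) != 0) ? 0 : hl;
}

/* Forwarding decision for a transit packet. Stealth: TTL untouched, nothing
 * sent back, the hop never shows in traceroute. Otherwise TTL <= IPTTLDEC
 * means "ICMP Time Exceeded, drop"; anything higher is decremented and the
 * header checksum patched incrementally as the kernel does: TTL is the high
 * byte of header word 4, so the checksum rises by 0x100 with wraparound. */
enum fwd_result ip_forward_decide(uint8_t *p, size_t len, int stealth)
{
    if (ip_hdr_len(p, len) == 0) return FWD_BAD_PACKET;
    if (stealth) return FWD_STEALTH;
    if (p[8] <= IPTTLDEC) return FWD_SEND_TIMXCEED;
    p[8] -= IPTTLDEC;
    uint16_t c = (uint16_t)((p[10] << 8) | p[11]);
    if (c >= (uint16_t)~(IPTTLDEC << 8)) c -= (uint16_t)~(IPTTLDEC << 8);
    else                                  c += (uint16_t)(IPTTLDEC << 8);
    put16(p + 10, c);
    return FWD_FORWARD;
}

/* ICMP Time Exceeded in transit (type 11, code 0) from router_ip back to the
 * probe's source: new IPv4 header, 8-byte ICMP header, then the offending IP
 * header plus the first 8 bytes of its payload (RFC 792). Returns length. */
size_t build_icmp_timxceed(const uint8_t *orig, size_t orig_len,
                           const uint8_t router_ip[4], uint8_t *out, size_t cap)
{
    size_t hl = ip_hdr_len(orig, orig_len);
    if (hl == 0 || orig_len < hl + 8) return 0;
    size_t quote = hl + 8, total = 28 + quote;
    if (cap < total) return 0;
    memset(out, 0, total);
    out[0] = 0x45;                          /* IPv4, 20-byte header */
    put16(out + 2, (uint16_t)total);
    out[8] = 64; out[9] = 1;                /* reply TTL; protocol ICMP */
    memcpy(out + 12, router_ip, 4);         /* src: the hop's own address */
    memcpy(out + 16, orig + 12, 4);         /* dst: the probe's source */
    put16(out + 10, in_cksum(out, 20));
    uint8_t *icmp = out + 20;
    icmp[0] = ICMP_TIMXCEED; icmp[1] = ICMP_TIMXCEED_INTRANS;   /* 4..7 unused */
    memcpy(icmp + 8, orig, quote);
    put16(icmp + 2, in_cksum(icmp, 8 + quote));
    return total;
}

/* Constructed 40-byte UDP probe like the thread's traceroute: 10.0.129.1 ->
 * 192.168.3.86, ports in the classic traceroute range, 12 bytes of payload. */
size_t make_probe(uint8_t *b, uint8_t ttl)
{
    static const uint8_t src[4] = { 10, 0, 129, 1 }, dst[4] = { 192, 168, 3, 86 };
    memset(b, 0, 40);
    b[0] = 0x45; b[3] = 40; b[8] = ttl; b[9] = 17;   /* IPv4, len 40, UDP */
    memcpy(b + 12, src, 4); memcpy(b + 16, dst, 4);
    put16(b + 10, in_cksum(b, 20));
    put16(b + 20, 33434); put16(b + 22, 33435); b[25] = 20;  /* ports, UDP len */
    return 40;
}

int main(void)
{
    static const uint8_t fw_b[4] = { 192, 168, 3, 1 };  /* FW "B" in the diagram */
    uint8_t probe[40], reply[128];
    make_probe(probe, 1);
    if (ip_forward_decide(probe, 40, 0) == FWD_SEND_TIMXCEED) {
        size_t n = build_icmp_timxceed(probe, 40, fw_b, reply, sizeof reply);
        printf("ttl=1 probe: %zu-byte ICMP type %u back to %u.%u.%u.%u\n",
               n, reply[20], reply[16], reply[17], reply[18], reply[19]);
    }
    return 0;
}
```

Build with `cc -std=c99 -Wall`. The three outcomes map onto what the thread observes: a TTL=1 probe must yield `FWD_SEND_TIMXCEED` and a 56-byte reply addressed to 10.0.129.1; a TTL=2 probe is forwarded with TTL 1 and a still-valid header checksum; with stealth set the probe is forwarded untouched and no ICMP exists to route back, which is exactly the `* * *` hop. In the thread's case the probe is seen arriving with TTL 1 on the gre interface, so the interesting question is whether the reply is generated and then where it goes, not the decision itself.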