Date: Mon, 21 Mar 2011 18:30:44 +0200
From: Andrei Manescu - Ivorde
Reply-To: andrei@ivorde.ro
List-Id: Networking and TCP/IP with FreeBSD
Subject: tcp/ip stack sending icmp "ttl exceeded in traffic" back through gre \w ipsec-esp encryption tunnels.

Hello,

I was following up on this old thread "ICMP Error transmission/response over IPSec tunnels [1]" as I'm running into a similar issue on 7.4-STABLE:

Problem: RouterA and RouterB in the following diagram are FreeBSD 6.4-STABLE and 7.4-STABLE running a gre tunnel and ipsec transport mode encryption on top of it. Neither of them sends an icmp error "TTL Exceeded in traffic" when the TTL of the packet reaches 0 after they decrement it.

Code:

    hostA----RouterA--GRE-inside-IPSEC/ESP/transport---RouterB---hostB

Packets sent from hostA to hostB with a TTL2 that should have an ICMP "TTL exceeded in traffic" returned by RouterB have no effect. Of course, TTL3 packets are being returned by hostB through RouterB and back through the tunnel.

Any plans from tcp/ip stack developers regarding this behavior?

--
Regards,
Andrei Manescu

Links:
------
[1] http://groups.google.com/group/mailing.freebsd.net/browse_thread/thread/1e121c81e44c88b4/9927ce8abc6d7de9