From: Tom Judge <tom@tomjudge.com>
Date: Tue, 27 May 2008 13:24:46 -0500
To: net@FreeBSD.org
Subject: ICMP Error transmission/response over IPSec tunnels
List-Id: Networking and TCP/IP with FreeBSD

Hi,

Today I looked into why I cannot get a traceroute across an IPSec IPIP tunnel and came across an interesting piece of code.

Here is a diagram of the setup:

[Node A] <-> [Router A] <-{IPSec}-> [Router B] <-> [Node B]

If I traceroute from Node A to Node B I never see the ICMP packet for the TTL exceeded generated by Router B. So I did a little digging and found an interesting revision of sys/netinet/ip_icmp.c. In revision 1.93 it seems ume@ added a check for the flag M_DECRYPTED in icmp_error() and, if it is set, does not generate the ICMP error message.

So my questions are:

1) Is this check really required?

2) If it is required, what makes it required? Is it a problem in the ICMP transmit path, or is there some other reason?

3) It seems the check originated from the KAME project. As FreeBSD no longer uses the KAME IPSec implementation, is the check still required? I found the same check in the NetBSD code, but could not find a similar check in OpenBSD (although the OpenBSD IPSec implementation is somewhat different from NetBSD and FreeBSD).

Any information about this would be appreciated as I would like to be able to do traceroutes across my WAN.

Thanks
Tom
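The symptom Tom describes can be reproduced in a toy model of the forwarding path. The following is an added example written for this archive page; it is not FreeBSD kernel code and does not reproduce icmp_error(). It models each hop's TTL handling, builds a real RFC 792 Time Exceeded message (type 11, code 0, quoting the offending IP header plus 8 bytes, with valid checksums), and puts a gate in front of the generator that mirrors the behaviour the post attributes to the M_DECRYPTED check: a packet flagged as having come out of the IPsec input path gets no ICMP error. The flag value `PKT_DECRYPTED`, the addresses, the topology constants and the decision to model the tunnel as a flag rather than as real ESP are all assumptions made for the example. Running it shows that TTL=1 probes get an answer from Router A, TTL=2 probes get nothing while the gate is honoured, and the same TTL=2 probe gets a Time Exceeded from Router B once the gate is ignored.

```c
/* Toy model of ICMP Time Exceeded generation across a tunnel, with a gate
 * modelled on the M_DECRYPTED check described in the post.  Added example,
 * not FreeBSD code; flag values, addresses and topology are constructed. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define PKT_DECRYPTED 0x1u      /* stand-in for the kernel's M_DECRYPTED (assumption) */
#define ICMP_TIMXCEED 11        /* ICMP type: time exceeded */
#define IPPROTO_ICMP_ 1
#define IPPROTO_UDP_  17
#define NODE_A   0xC0A8010Au    /* 192.168.1.10, constructed */
#define ROUTER_A 0xC0A80101u    /* 192.168.1.1 */
#define ROUTER_B 0xC0A80201u    /* 192.168.2.1 */
#define NODE_B   0xC0A8020Au    /* 192.168.2.10 */

struct pkt { unsigned flags; size_t len; uint8_t data[128]; };

static void put16(uint8_t *p, uint16_t v) { p[0] = v >> 8; p[1] = v & 0xff; }
static void put32(uint8_t *p, uint32_t v) { put16(p, v >> 16); put16(p + 2, v & 0xffff); }
static uint32_t get32(const uint8_t *p) { return (uint32_t)p[0] << 24 | p[1] << 16 | p[2] << 8 | p[3]; }

/* RFC 1071 one's-complement checksum; returns 0 over data that already carries its checksum. */
uint16_t in_cksum(const uint8_t *b, size_t len) {
    uint32_t sum = 0;
    for (; len > 1; b += 2, len -= 2) sum += (uint32_t)(b[0] << 8 | b[1]);
    if (len) sum += (uint32_t)b[0] << 8;
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Minimal 20-byte IPv4 header with a valid header checksum. */
static void build_ipv4(uint8_t *h, uint16_t tot, uint8_t ttl, uint8_t proto, uint32_t src, uint32_t dst) {
    memset(h, 0, 20); h[0] = 0x45; put16(h + 2, tot); h[8] = ttl; h[9] = proto;
    put32(h + 12, src); put32(h + 16, dst); put16(h + 10, in_cksum(h, 20));
}

/* Traceroute-style UDP probe from Node A to Node B (UDP checksum 0 = none). */
void make_probe(struct pkt *p, uint8_t ttl) {
    memset(p, 0, sizeof *p);
    p->len = 20 + 8 + 4;
    build_ipv4(p->data, (uint16_t)p->len, ttl, IPPROTO_UDP_, NODE_A, NODE_B);
    put16(p->data + 20, 33434); put16(p->data + 22, 33435); put16(p->data + 24, 12);
    memcpy(p->data + 28, "ttl?", 4);
}

/* Gate in front of ICMP error generation.  The first test models the check the
 * post asks about; the second is RFC 1122 3.2.2 (never send an error about an error). */
int icmp_error_allowed(const struct pkt *p, int honour_decrypted) {
    if (honour_decrypted && (p->flags & PKT_DECRYPTED)) return 0;
    if (p->data[9] == IPPROTO_ICMP_) {
        uint8_t t = p->data[20];
        if (t == 3 || t == 4 || t == 5 || t == 11 || t == 12) return 0;
    }
    return 1;
}

/* ICMP Time Exceeded (type 11, code 0) quoting the offending IP header + 8 bytes (RFC 792). */
size_t icmp_time_exceeded(const struct pkt *in, uint32_t router, struct pkt *out) {
    size_t quote = in->len < 28 ? in->len : 28;
    memset(out, 0, sizeof *out);
    uint8_t *ic = out->data + 20;
    ic[0] = ICMP_TIMXCEED; ic[1] = 0;          /* ic[2..3] checksum, ic[4..7] unused */
    memcpy(ic + 8, in->data, quote);
    put16(ic + 2, in_cksum(ic, 8 + quote));
    out->len = 20 + 8 + quote;
    build_ipv4(out->data, (uint16_t)out->len, 64, IPPROTO_ICMP_, router, get32(in->data + 12));
    return out->len;
}

/* One hop: 1 = forwarded, 0 = TTL expired and error written to *err, -1 = dropped silently. */
int forward_hop(struct pkt *p, uint32_t router, int honour_decrypted, struct pkt *err) {
    err->len = 0;
    if (p->data[8] <= 1) {
        if (!icmp_error_allowed(p, honour_decrypted)) return -1;
        icmp_time_exceeded(p, router, err);
        return 0;
    }
    p->data[8]--;
    put16(p->data + 10, 0); put16(p->data + 10, in_cksum(p->data, 20));
    return 1;
}

/* Node A -> Router A -> {IPsec} -> Router B -> Node B.  The tunnel is not modelled
 * cryptographically: Router B's decapsulation just flags the inner packet.
 * Returns 1 if Node A receives a Time Exceeded for this TTL, 0 otherwise. */
int traceroute_probe(uint8_t ttl, int honour_decrypted, struct pkt *err) {
    struct pkt p;
    make_probe(&p, ttl);
    int r = forward_hop(&p, ROUTER_A, honour_decrypted, err);
    if (r <= 0) return r == 0;
    p.flags |= PKT_DECRYPTED;                  /* inner packet leaves Router B's IPsec input path */
    r = forward_hop(&p, ROUTER_B, honour_decrypted, err);
    if (r <= 0) return r == 0;
    err->len = 0;                              /* delivered to Node B: no Time Exceeded */
    return 0;
}

/* Check an emitted error: both checksums verify, right type/code, addressed to the quoted source. */
int icmp_error_valid(const struct pkt *e) {
    const uint8_t *ic = e->data + 20;
    if (e->len < 48 || e->data[9] != IPPROTO_ICMP_ || ic[0] != ICMP_TIMXCEED || ic[1] != 0) return 0;
    if (in_cksum(e->data, 20) != 0 || in_cksum(ic, e->len - 20) != 0) return 0;
    return ic[8] == 0x45 && get32(e->data + 16) == get32(ic + 8 + 12);
}

uint32_t icmp_error_source(const struct pkt *e) { return get32(e->data + 12); }

int main(void) {
    struct pkt e;
    for (unsigned ttl = 1; ttl <= 3; ttl++)
        printf("ttl=%u, decrypted check on:  %s\n", ttl,
               traceroute_probe((uint8_t)ttl, 1, &e) ? "Time Exceeded" : "nothing");
    printf("ttl=2, decrypted check off: %s\n", traceroute_probe(2, 0, &e) ? "Time Exceeded" : "nothing");
    return 0;
}
```

The model only shows what the gate does, not why it is there; the question of whether the KAME-era check is still needed on a non-KAME IPsec stack is exactly what the post is asking and is not settled by the example.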