Date:      Fri, 14 Nov 2008 10:25:18 -0800
From:      Julian Elischer <julian@elischer.org>
To:        sclark46@earthlink.net
Cc:        freebsd-net@freebsd.org, FreeBSD Stable <freebsd-stable@freebsd.org>, Robert Noland <rnoland@freebsd.org>
Subject:   Re: FreeBSD 6.3 gre and traceroute
Message-ID:  <491DC28E.80804@elischer.org>
In-Reply-To: <491D6CED.50006@earthlink.net>
References:  <491B2703.4080707@earthlink.net> <491B31F7.30200@elischer.org> <491B4345.80106@earthlink.net> <491B47D2.6010804@elischer.org> <491C2235.4090509@earthlink.net> <1226589468.1976.12.camel@wombat.2hip.net> <491C4EC2.2000802@earthlink.net> <491D6CED.50006@earthlink.net>

Stephen Clark wrote:
> Stephen Clark wrote:

>>>>>
>>>>> 10.0.129.1 FreeBSD workstation
>>>>>  ^
>>>>>  |
>>>>>  | ethernet
>>>>>  |
>>>>>  v
>>>>> 10.0.128.1 Freebsd FW "A"
>>>>>  ^
>>>>>  |
>>>>>  | gre / ipsec
>>>>>  |
>>>>>  v
>>>>> 192.168.3.1 FreeBSD FW "B"
>>>>>  ^
>>>>>  |
>>>>>  | ethernet
>>>>>  |
>>>>>  v
>>>>> 192.168.3.86 linux workstation
>>>>>

>> Also just using gre's without the 
>> underlying ipsec tunnels seems to
>> work properly.


This is the crux of the matter.
IPSEC happens INSIDE the IP stack. The IP stack is responsible for
the ICMP generation so it is much more likely that there is an 
interaction there.

Now, is there an IPSEC rule to make sure that the ICMP packet can get
back?  It could be that in the IP stack there is some confusion as to
whether the return packet should be encrypted or not and it might get
dropped.

The code involved is in /sys/netinet and /sys/netipsec but you'll
probably regret looking in there ;-)



>>
>>
> Another data point I had been using option FILTER_GIF I tried a kernel
> without that option and it behaved the same.
> 
> Steve
> 