Date: Fri, 14 Nov 2008 13:42:33 -0500
From: Robert Noland <rnoland@FreeBSD.org>
To: Julian Elischer <julian@elischer.org>
Cc: sclark46@earthlink.net, FreeBSD Stable <freebsd-stable@freebsd.org>, freebsd-net@freebsd.org
Subject: Re: FreeBSD 6.3 gre and traceroute
Message-ID: <1226688153.1719.23.camel@squirrel.corp.cox.com>
In-Reply-To: <491DC28E.80804@elischer.org>
References: <491B2703.4080707@earthlink.net> <491B31F7.30200@elischer.org> <491B4345.80106@earthlink.net> <491B47D2.6010804@elischer.org> <491C2235.4090509@earthlink.net> <1226589468.1976.12.camel@wombat.2hip.net> <491C4EC2.2000802@earthlink.net> <491D6CED.50006@earthlink.net> <491DC28E.80804@elischer.org>
On Fri, 2008-11-14 at 10:25 -0800, Julian Elischer wrote:
> Stephen Clark wrote:
> > Stephen Clark wrote:
>
> >>>>>
> >>>>> 10.0.129.1 FreeBSD workstation
> >>>>>      ^
> >>>>>      |
> >>>>>      | ethernet
> >>>>>      |
> >>>>>      v
> >>>>> 10.0.128.1 FreeBSD FW "A"
> >>>>>      ^
> >>>>>      |
> >>>>>      | gre / ipsec
> >>>>>      |
> >>>>>      v
> >>>>> 192.168.3.1 FreeBSD FW "B"
> >>>>>      ^
> >>>>>      |
> >>>>>      | ethernet
> >>>>>      |
> >>>>>      v
> >>>>> 192.168.3.86 linux workstation
> >>>>>
>
> >> Also just using gre's without the
> >> underlying ipsec tunnels seems to
> >> work properly.
>
>
> This is the crux of the matter.
> IPSEC happens INSIDE the IP stack. The IP stack is responsible for
> the ICMP generation so it is much more likely that there is an
> interaction there.
>
> Now is there an IPSEC rule to make sure that the ICMP packet can get
> back? It could be that in the IP stack there is some confusion as to
> whether the return packet should be encrypted or not and it might get
> dropped.
>
> the code involved is in /sys/netinet and /sys/netipsec but you'll
> probably regret looking in there ;-)

Right, I don't really know the IPSEC code, but I was told by someone
who is familiar with it that this is a known problem and that the use
of GRE is not relevant. Hopefully he will have a moment to respond to
this thread with a bit more detail.

robert.

>
>
> >>
> >>
> > Another data point: I had been using option FILTER_GIF. I tried a kernel
> > without that option and it behaved the same.
> >
> > Steve
> >
>
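Julian's hypothesis above is that the ICMP time-exceeded reply, which FW "B" generates inside its own IP stack, may be sourced from an address that does not fall under the same IPsec security policy as the traceroute probe it answers, so the reply is either sent in the clear or dropped. The following is an added example, not code from this thread, from FreeBSD's netipsec code, or from the original poster's configuration: a toy outbound security-policy lookup that shows why the reply's own source and destination addresses, rather than the probe's, decide which policy it hits. The policy selectors are constructed from the diagram's inner subnets, the `/23` covering 10.0.128.1 and 10.0.129.1 is an assumption, the outer address 203.0.113.2 is a placeholder, and the "no policy matched means bypass" default is also an assumption for illustration.

```python
# Added example: a toy outbound SPD lookup to reason about which policy an
# ICMP time-exceeded reply hits. Nothing here is FreeBSD's own netipsec
# code; selectors and addresses are constructed from the thread's diagram.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Policy:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: Optional[str]   # None means any protocol
    action: str            # "ipsec" (must be protected) or "bypass" (sent in clear)


def parse_policy(line: str) -> Policy:
    """Parse one line of the constructed 'src dst proto action' format."""
    src, dst, proto, action = line.split()
    return Policy(ipaddress.ip_network(src), ipaddress.ip_network(dst),
                  None if proto == "any" else proto, action)


# Constructed outbound SPD for FW "B" (192.168.3.1): traffic between the two
# inner LANs from the diagram must be protected; nothing else is listed.
# The /23 for the 10.0.128.x / 10.0.129.x side is an assumption.
SPD_OUT_FW_B: List[Policy] = [parse_policy(line) for line in (
    "192.168.3.0/24 10.0.128.0/23 any ipsec",
)]


def lookup(spd: List[Policy], src_ip: str, dst_ip: str, proto: str) -> str:
    """First-match policy lookup.

    'bypass' is the constructed default when no selector matches; a real
    stack may drop instead, which is the other outcome Julian describes."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for p in spd:
        if s in p.src and d in p.dst and (p.proto is None or p.proto == proto):
            return p.action
    return "bypass"


def time_exceeded_action(spd: List[Policy], probe_src: str, reply_src: str) -> str:
    """Policy applied to the ICMP time-exceeded reply FW "B" sends back.

    The reply is sourced from reply_src (whichever interface address the
    stack picks) and addressed to probe_src, so those two addresses, not the
    probe's own src/dst pair, select the policy."""
    return lookup(spd, reply_src, probe_src, "icmp")


if __name__ == "__main__":
    probe_src = "10.0.129.1"          # FreeBSD workstation running traceroute
    # Reply sourced from the inner/GRE address: matches the protected selector.
    print("inner-sourced reply:", time_exceeded_action(SPD_OUT_FW_B, probe_src, "192.168.3.1"))
    # Reply sourced from the outer address (placeholder): no selector matches.
    print("outer-sourced reply:", time_exceeded_action(SPD_OUT_FW_B, probe_src, "203.0.113.2"))
```

The useful check for a practitioner is the second case: if the stack picks an address outside every protected selector when it builds the ICMP error, the reply never takes the tunnel path even though the probe did, which matches the symptom of traceroute hops vanishing only when IPsec is layered under the GRE tunnel.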