From: Robert Noland
To: Julian Elischer
Cc: sclark46@earthlink.net, FreeBSD Stable, freebsd-net@freebsd.org
Subject: Re: FreeBSD 6.3 gre and traceroute
Date: Fri, 14 Nov 2008 13:42:33 -0500
Message-Id: <1226688153.1719.23.camel@squirrel.corp.cox.com>
In-Reply-To: <491DC28E.80804@elischer.org>
Organization: FreeBSD
List-Id: Production branch of FreeBSD source code (freebsd-stable@freebsd.org)

On Fri, 2008-11-14 at 10:25 -0800, Julian Elischer wrote:
> Stephen Clark wrote:
> > Stephen Clark wrote:
>
> >>>>>
> >>>>> 10.0.129.1 FreeBSD workstation
> >>>>>     ^
> >>>>>     |
> >>>>>     | ethernet
> >>>>>     |
> >>>>>     v
> >>>>> 10.0.128.1 FreeBSD FW "A"
> >>>>>     ^
> >>>>>     |
> >>>>>     | gre / ipsec
> >>>>>     |
> >>>>>     v
> >>>>> 192.168.3.1 FreeBSD FW "B"
> >>>>>     ^
> >>>>>     |
> >>>>>     | ethernet
> >>>>>     |
> >>>>>     v
> >>>>> 192.168.3.86 Linux workstation
> >>>>>
>
> >> Also, just using gre's without the
> >> underlying ipsec tunnels seems to
> >> work properly.
>
>
> This is the crux of the matter.
> IPSEC happens INSIDE the IP stack. The IP stack is responsible for
> the ICMP generation, so it is much more likely that there is an
> interaction there.
>
> Now, is there an IPSEC rule to make sure that the ICMP packet can get
> back? It could be that in the IP stack there is some confusion as to
> whether the return packet should be encrypted or not, and it might get
> dropped.
>
> The code involved is in /sys/netinet and /sys/netipsec, but you'll
> probably regret looking in there ;-)

Right, I don't really know the IPSEC code, but I was told by someone who
is familiar with it that this is a known problem and that the use of GRE
is not relevant. Hopefully he will have a moment to respond to this
thread with a bit more detail.

robert.

>
>
> >>
> >>
> > Another data point: I had been using option FILTER_GIF. I tried a kernel
> > without that option and it behaved the same.
> >
> > Steve
> >