From owner-freebsd-net@FreeBSD.ORG Tue May 27 21:08:43 2008
Message-ID: <483C7858.5000302@tomjudge.com>
Date: Tue, 27 May 2008 16:08:40 -0500
From: Tom Judge
To: "Bjoern A. Zeeb"
Cc: net@FreeBSD.org
Subject: Re: ICMP Error transmission/response over IPSec tunnels
In-Reply-To: <20080527204111.F65662@maildrop.int.zabbadoz.net>
References: <483C51EE.7040700@tomjudge.com> <20080527201331.L65662@maildrop.int.zabbadoz.net> <483C70A9.2060500@tomjudge.com> <20080527204111.F65662@maildrop.int.zabbadoz.net>
List-Id: Networking and TCP/IP with FreeBSD

Bjoern A. Zeeb wrote:
> On Tue, 27 May 2008, Tom Judge wrote:
>
> Hi,
>
>> Yes we do indeed see a reply from node b. It is good to hear that
>> this is a known issue.
>>
>> The IPSec configuration is a gif ipip tunnel that is then encrypted
>> with IPSec using esp in tunnel mode as per the ipsec vpn section in
>> the handbook.
>
> 1) if you do not need the ipip tunnel because you need an interface
> and "link state changes" only go with the IPsec tunnel mode.
>
> 2) If you need the gif tunnel on top and routing, use IPsec transport
> mode.
>
> (ignore the handbook, try to understand it;)

I have 13 nodes in a partial mesh running ospf for routing. It would
not be trivial for me to switch from tunnel to transport mode. Also I
have not tested quagga when the ipsec is in transport mode, and I
guess I do need interfaces to use with quagga. I may test fixing this
additional overhead, but as they say if it's not broken don't fix it.

>> Do you have any more information on the underlying source of the
>> problem? If so it would help me find the problem. I may setup a
>> small test network to find this problem this evening time permitting.
>
> a test network is not a problem. time is.
>

Please understand that I was not asking for you to fix this problem,
just for some pointers into where to start looking. The reason I ask
is that you seem to know in what region the error exists and it would
be helpful to me if you could tell me so that I could try to find a
solution to the problem myself. At a guess the code that I need to
look at is in icmp_error() or further down the icmp transmit path
(maybe icmp_reflect or further?).

Thanks again.

Tom
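The two alternatives Bjoern lists (plain IPsec tunnel mode with no gif interface, or a gif tunnel protected by IPsec in transport mode) look like this as setkey(8) security-policy entries. This is an added illustration written for this page, not configuration from the thread or from the FreeBSD handbook; the endpoint addresses 192.0.2.1 and 198.51.100.1 and the inner networks 10.0.1.0/24 and 10.0.2.0/24 are constructed documentation values, and the file is written from node A's point of view.

```conf
# Added example, not from the original thread. All addresses are
# constructed: 192.0.2.1 (node A) and 198.51.100.1 (node B) are the
# outer tunnel endpoints, 10.0.1.0/24 and 10.0.2.0/24 the networks
# behind each node. Load on node A with: setkey -f <this file>

# Alternative 1: IPsec tunnel mode, no gif/ipip interface.
# The SPD selectors decide which traffic is encapsulated; there is no
# interface to number or to run a routing daemon over.
spdadd 10.0.1.0/24 10.0.2.0/24 any -P out ipsec
    esp/tunnel/192.0.2.1-198.51.100.1/require;
spdadd 10.0.2.0/24 10.0.1.0/24 any -P in ipsec
    esp/tunnel/198.51.100.1-192.0.2.1/require;

# Alternative 2: gif(4) carries the routed traffic as IP-in-IP
# (upper-layer protocol "ip4", IP protocol 4) and IPsec transport mode
# protects only those encapsulated packets between the two outer
# endpoints. The gif interface remains, so OSPF can run over it and the
# routing table (not the SPD) chooses what enters the tunnel.
spdadd 192.0.2.1 198.51.100.1 ip4 -P out ipsec
    esp/transport//require;
spdadd 198.51.100.1 192.0.2.1 ip4 -P in ipsec
    esp/transport//require;
```

On node B the `in` and `out` directions are swapped. In both cases the `require` level means matching packets are dropped until an SA exists, so the SAs must still come from an IKE daemon or from manual `add` entries; for alternative 2 the gif interface also needs its outer endpoints set with `ifconfig gif0 tunnel 192.0.2.1 198.51.100.1` before any traffic matches the `ip4` selector.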