From owner-freebsd-net@FreeBSD.ORG Thu Nov 13 15:59:01 2008
Message-ID: <491C4EC2.2000802@earthlink.net>
Date: Thu, 13 Nov 2008 10:58:58 -0500
From: Stephen Clark <sclark46@earthlink.net>
Reply-To: sclark46@earthlink.net
To: Robert Noland
Cc: freebsd-net@FreeBSD.org, Julian Elischer
Subject: Re: FreeBSD 6.3 gre and traceroute
In-Reply-To: <1226589468.1976.12.camel@wombat.2hip.net>
References: <491B2703.4080707@earthlink.net> <491B31F7.30200@elischer.org> <491B4345.80106@earthlink.net> <491B47D2.6010804@elischer.org> <491C2235.4090509@earthlink.net> <1226589468.1976.12.camel@wombat.2hip.net>
List-Id: Networking and TCP/IP with FreeBSD

Robert Noland wrote:
> On Thu, 2008-11-13 at 07:48 -0500, Stephen Clark wrote:
>> Julian Elischer wrote:
>>> Stephen Clark wrote:
>>>> Julian Elischer wrote:
>>>>> you will need to define the setup and question better.
>>> thanks.. cleaning it up a bit more...
>>>
>>> 10.0.129.1 FreeBSD workstation
>>>     ^
>>>     |
>>>     | ethernet
>>>     |
>>>     v
>>> 10.0.128.1 FreeBSD FW "A"
>>>     ^
>>>     |
>>>     | gre / ipsec
>>>     |
>>>     v
>>> 192.168.3.1 FreeBSD FW "B"
>>>     ^
>>>     |
>>>     | ethernet
>>>     |
>>>     v
>>> 192.168.3.86 linux workstation
>>>
>>>> $ sudo traceroute 192.168.3.86
>>>> traceroute to 192.168.3.86 (192.168.3.86), 64 hops max, 40 byte packets
>>>>  1  HQFirewallRS.com (10.0.128.1)  0.575 ms  0.423 ms  0.173 ms
>>>>  2  * * *
>>>>  3  192.168.3.86 (192.168.3.86)  47.972 ms  45.174 ms  49.968 ms
>>>>
>>>> No response from the FreeBSD "B" box.
>>>>
>>>> When I do a tcpdump on "B" of the gre interface I see UDP packets
>>>> with a TTL of 1 but no ICMP response packets being sent back.
>>>> If I do the traceroute from the linux workstation 192.168.3.86 I get
>>>> similar results - I don't see a response from the FreeBSD "A" box.
>>> could you try using just GRE encapsulation?
>>> (i.e. turn off IPSEC for now)
>>>
>>> I think that is much more likely to be where the problem is..
>>>
>>>
>> I'll have to set this up to test it.
>
> The ttl exceeded is triggered from one of two places.  Either
> netinet/ip_fastfwd.c if fast_forwarding is enabled or in
> netinet/ip_input.c.  Look for the code relating to IPTTLDEC.  This isn't
> your problem though...  If ttl were not being decremented, the packet
> would just be forwarded on to the next hop (IP_STEALTH), which would
> just make the firewalls invisible.  The fact that you are seeing * * *
> indicates that you are not receiving the ttl exceeded message for the
> packet sent with that particular ttl.  I still think that the issue you
> are seeing is that one way or another the generated ICMP response isn't
> making it back onto the tunnel.  Either via security policy, firewall or
> routing.

You're right, when I do a tcpdump on the gre interface I see the udp packet
come in with a ttl=1 but I don't see a response icmp packet. I have tested
this with all the firewalls disabled to make sure the icmp packet was not
being blocked. I just ran another test and did tcpdump on all the other
interfaces to make sure the ICMPs were not being misrouted, it seems they
are not being generated for some reason. Also just using GREs without the
underlying ipsec tunnels seems to work properly.

>
> robert.
>
>> What code in the FreeBSD kernel is responsible for generating the response ICMP
>> dest unreachable message?
>> --

"They that give up essential liberty to obtain temporary safety, deserve neither liberty nor safety." (Ben Franklin)
"The course of history shows that as a government grows, liberty decreases." (Thomas Jefferson)
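As an added illustration, not code from this thread or from the FreeBSD sources, here is a small C model of the check Robert points at: the TTL test against IPTTLDEC, the ICMP time-exceeded it produces, and the IP_STEALTH case in which a forwarding host stays invisible. The constant values match FreeBSD's netinet headers; the function names, the probe builder and the header bytes are my own constructions, with the addresses taken from the diagram above.

```c
#include <stdint.h>
#include <string.h>
/* Constants as FreeBSD's netinet headers define them (ip_var.h, ip_icmp.h). */
#define IPTTLDEC              1   /* TTL decrement per forwarding hop */
#define ICMP_TIMXCEED         11  /* ICMP type: time exceeded */
#define ICMP_TIMXCEED_INTRANS 0   /* ICMP code: TTL expired in transit */
#define IPHDR_LEN             20  /* IPv4 header without options */
enum verdict { FWD_FORWARD, FWD_TIME_EXCEEDED, FWD_BAD_HEADER };
struct icmp_err { uint8_t type, code; };
/* One's-complement IPv4 header checksum; returns 0 over an already-correct header. */
uint16_t ip_cksum(const uint8_t *h, size_t n)
{
    uint32_t s = 0;
    for (size_t i = 0; i + 1 < n; i += 2) s += (uint32_t)((h[i] << 8) | h[i + 1]);
    while (s >> 16) s = (s & 0xffff) + (s >> 16);
    return (uint16_t)~s;
}
static void set_cksum(uint8_t *h)
{
    h[10] = h[11] = 0;
    uint16_t ck = ip_cksum(h, IPHDR_LEN);
    h[10] = ck >> 8; h[11] = ck & 0xff;
}
/* Constructed traceroute probe: UDP, 40 bytes total, workstation -> Linux host from the thread's diagram. */
void make_probe(uint8_t *h, uint8_t ttl)
{
    static const uint8_t src[4] = {10, 0, 129, 1}, dst[4] = {192, 168, 3, 86};
    memset(h, 0, IPHDR_LEN);
    h[0] = 0x45; h[3] = 40;              /* version 4, IHL 5, total length 40 */
    h[8] = ttl;  h[9] = 17;              /* TTL, protocol UDP */
    memcpy(h + 12, src, 4); memcpy(h + 16, dst, 4);
    set_cksum(h);
}

/* Model of the forwarding decision in ip_input.c / ip_fastfwd.c; 'stealth' is the
 * IP_STEALTH behaviour Robert describes: pass the packet untouched and say nothing. */
enum verdict forward_decision(uint8_t *h, size_t len, int stealth, struct icmp_err *err)
{
    if (len < IPHDR_LEN || (h[0] >> 4) != 4 || ip_cksum(h, IPHDR_LEN) != 0)
        return FWD_BAD_HEADER;
    if (stealth)
        return FWD_FORWARD;              /* no decrement, no ICMP: this hop is invisible */
    if (h[8] <= IPTTLDEC) {              /* the kernel calls icmp_error() here */
        if (err) { err->type = ICMP_TIMXCEED; err->code = ICMP_TIMXCEED_INTRANS; }
        return FWD_TIME_EXCEEDED;        /* nothing is forwarded; the reply goes back to the sender */
    }
    h[8] -= IPTTLDEC;                    /* TTL changed, so the header checksum must be refreshed */
    set_cksum(h);
    return FWD_FORWARD;
}
```

Feeding a probe with TTL 1 through forward_decision() gives the time-exceeded verdict that, in the case reported here, never showed up as an ICMP packet on the gre interface of firewall "B".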