From owner-freebsd-net@FreeBSD.ORG  Thu Nov 13 15:59:01 2008
Return-Path: <owner-freebsd-net@FreeBSD.ORG>
Delivered-To: freebsd-net@FreeBSD.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 06FF61065687;
	Thu, 13 Nov 2008 15:59:01 +0000 (UTC)
	(envelope-from sclark46@earthlink.net)
Received: from elasmtp-masked.atl.sa.earthlink.net
	(elasmtp-masked.atl.sa.earthlink.net [209.86.89.68])
	by mx1.freebsd.org (Postfix) with ESMTP id 9C8F98FC1D;
	Thu, 13 Nov 2008 15:59:00 +0000 (UTC)
	(envelope-from sclark46@earthlink.net)
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=dk20050327; d=earthlink.net;
	b=NTgJfBHpf0wfvIsrKDUrR+18IlxDoSoP1rM1FjQQ2/XBPs72HgbmiET54N6MR2D9;
	h=Received:Message-ID:Date:From:Reply-To:User-Agent:MIME-Version:To:CC:Subject:References:In-Reply-To:Content-Type:Content-Transfer-Encoding:X-ELNK-Trace:X-Originating-IP;
Received: from [208.118.36.229] (helo=joker.seclark.com)
	by elasmtp-masked.atl.sa.earthlink.net with esmtpsa
	(TLSv1:AES256-SHA:256) (Exim 4.67)
	(envelope-from <sclark46@earthlink.net>)
	id 1L0eax-0004Zm-Hp; Thu, 13 Nov 2008 10:58:59 -0500
Message-ID: <491C4EC2.2000802@earthlink.net>
Date: Thu, 13 Nov 2008 10:58:58 -0500
From: Stephen Clark <sclark46@earthlink.net>
User-Agent: Thunderbird 2.0.0.16 (X11/20080723)
MIME-Version: 1.0
To: Robert Noland <rnoland@FreeBSD.org>
References: <491B2703.4080707@earthlink.net> <491B31F7.30200@elischer.org>	
	<491B4345.80106@earthlink.net> <491B47D2.6010804@elischer.org>	
	<491C2235.4090509@earthlink.net>
	<1226589468.1976.12.camel@wombat.2hip.net>
In-Reply-To: <1226589468.1976.12.camel@wombat.2hip.net>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-ELNK-Trace: a437fbc6971e80f61aa676d7e74259b7b3291a7d08dfec796380df5185e6bbbedf45d2d1a436eec3350badd9bab72f9c350badd9bab72f9c350badd9bab72f9c
X-Originating-IP: 208.118.36.229
Cc: freebsd-net@FreeBSD.org, Julian Elischer <julian@elischer.org>
Subject: Re: FreeBSD 6.3 gre and traceroute
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: sclark46@earthlink.net
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
	<mailto:freebsd-net-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-net>
List-Post: <mailto:freebsd-net@freebsd.org>
List-Help: <mailto:freebsd-net-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
	<mailto:freebsd-net-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 13 Nov 2008 15:59:01 -0000

Robert Noland wrote:
> On Thu, 2008-11-13 at 07:48 -0500, Stephen Clark wrote:
>> Julian Elischer wrote:
>>> Stephen Clark wrote:
>>>> Julian Elischer wrote:
>>>>> you will need to define the setup and question better.
>>> thanks.. cleaning it up a bit more...
>>>
>>> 10.0.129.1 FreeBSD workstation
>>>  ^
>>>  |
>>>  | ethernet
>>>  |
>>>  v
>>> 10.0.128.1 Freebsd FW "A"
>>>  ^
>>>  |
>>>  | gre / ipsec
>>>  |
>>>  v
>>> 192.168.3.1 FreeBSD FW "B"
>>>  ^
>>>  |
>>>  | ethernet
>>>  |
>>>  v
>>> 192.168.3.86 linux workstation
>>>
>>>> $ sudo traceroute 192.168.3.86
>>>> traceroute to 192.168.3.86 (192.168.3.86), 64 hops max, 40 byte packets
>>>>  1  HQFirewallRS.com (10.0.128.1)  0.575 ms  0.423 ms  0.173 ms
>>>>  2  * * *
>>>>  3  192.168.3.86 (192.168.3.86)  47.972 ms  45.174 ms  49.968 ms
>>>>
>>>> No response from the FreeBSD "B" box.
>>>>
>>>> When I do a tcpdump on "B" of the gre interface I see UDP packets
>>>> with a TTL of 1 but no ICMP response packets being sent back.
>>>> If I do the traceroute from the linux workstation 192.168.3.86 I get
>>>> similar results - I don't see a response from the FreeBSD "A" box.
>>> could you try using just GRE encasulation?
>>> (i.e. turn off IPSEC for now)
>>>
>>> I think that is much more likely to be where the problem is..
>>>
>>>
>> I'll have to set this up to test it.
> 
> The ttl exceeded is triggered from one of two places.  Either
> netinet/ip_fastfwd.c if fast_forwarding is enabled or in
> netinet/ip_input.c.  Look for the code relating to IPTTLDEC.  This isn't
> your problem though...  If ttl were not being decremented, the packet
> would just be forwarded on to the next hop (IP_STEALTH), which would
> just make the firewalls invisible.  The fact that you are seeing * * *
> indicates that you are not receiving the ttl exceeded message for the
> packet sent with that particular ttl.  I still think that the issue you
> are seeing is that one way or another the generated ICMP response isn't
> making it back onto the tunnel.  Either via security policy, firewall or
> routing.
Your right, when I do a tcpdump on the gre interface I see the udp packet come
in with a ttl=1 but I don't see a response icmp packet. I have tested this with
all the firewalls disabled to make sure the icmp packet was not being blocked.
I just ran another test and did tcpdump on all the other interfaces to make sure
the icmp's were not being misrouted, it seems they are not being generated for 
some reason. Also just using gre's without the underlying ipsec tunnels seems to
work properly.
> 
> robert.
> 
>> What code in the FreeBSD kernel is responsible for generating the response ICMP 
>> dest unreachable message?
>>


-- 

"They that give up essential liberty to obtain temporary safety,
deserve neither liberty nor safety."  (Ben Franklin)

"The course of history shows that as a government grows, liberty
decreases."  (Thomas Jefferson)