Date: Thu, 13 Nov 2008 07:46:19 -0500
From: Stephen Clark <sclark46@earthlink.net>
To: Robert Noland <rnoland@FreeBSD.org>
Cc: freebsd-net@FreeBSD.org, Julian Elischer <julian@elischer.org>
Subject: Re: FreeBSD 6.3 gre and traceroute
Message-ID: <491C219B.1050606@earthlink.net>
In-Reply-To: <1226525816.61187.35.camel@squirrel.corp.cox.com>
References: <491B2703.4080707@earthlink.net> <491B31F7.30200@elischer.org> <491B4345.80106@earthlink.net> <491B47D2.6010804@elischer.org> <1226525816.61187.35.camel@squirrel.corp.cox.com>

Robert Noland wrote:
> On Wed, 2008-11-12 at 13:17 -0800, Julian Elischer wrote:
>> Stephen Clark wrote:
>>> Julian Elischer wrote:
>>>> you will need to define the setup and question better.
>> thanks.. cleaning it up a bit more...
>>
>> 10.0.129.1 FreeBSD workstation
>>     ^
>>     |
>>     | ethernet
>>     |
>>     v
>> 10.0.128.1 FreeBSD FW "A"
>>     ^
>>     |
>>     | gre / ipsec
>>     |
>>     v
>> 192.168.3.1 FreeBSD FW "B"
>>     ^
>>     |
>>     | ethernet
>>     |
>>     v
>> 192.168.3.86 linux workstation
>
> How are you mapping packets onto the gre? If firewall B doesn't know
> how to reach the FreeBSD workstation directly, you will see the issue
> that you describe. Can you ping 10.0.129.1 from Firewall B? The ttl
> expired will be generated by Firewall B.

ospf - I can ping 192.168.3.1 from the FreeBSD Workstation just fine in fact all
the systems can ping just fine.

>
> robert.
>
>>> $ sudo traceroute 192.168.3.86
>>> traceroute to 192.168.3.86 (192.168.3.86), 64 hops max, 40 byte packets
>>>  1  HQFirewallRS.com (10.0.128.1)  0.575 ms  0.423 ms  0.173 ms
>>>  2  * * *
>>>  3  192.168.3.86 (192.168.3.86)  47.972 ms  45.174 ms  49.968 ms
>>>
>>> No response from the FreeBSD "B" box.
>>>
>>> When I do a tcpdump on "B" of the gre interface I see UDP packets
>>> with a TTL of 1 but no ICMP response packets being sent back.
>>> If I do the traceroute from the linux workstation 192.168.3.86 I get
>>> similar results - I don't see a response from the FreeBSD "A" box.
>> could you try using just GRE encapsulation?
>> (i.e. turn off IPSEC for now)
>>
>> I think that is much more likely to be where the problem is..
>>
>>
>> _______________________________________________
>> freebsd-net@freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-net
>> To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"

-- 

"They that give up essential liberty to obtain temporary safety,
deserve neither liberty nor safety." (Ben Franklin)

"The course of history shows that as a government grows, liberty
decreases." (Thomas Jefferson)