Date:      Fri, 14 Nov 2008 13:36:58 -0500
From:      Stephen Clark <sclark46@earthlink.net>
To:        Julian Elischer <julian@elischer.org>
Cc:        freebsd-net@freebsd.org, FreeBSD Stable <freebsd-stable@freebsd.org>, Robert Noland <rnoland@freebsd.org>
Subject:   Re: FreeBSD 6.3 gre and traceroute
Message-ID:  <491DC54A.1090907@earthlink.net>
In-Reply-To: <491DC28E.80804@elischer.org>
References:  <491B2703.4080707@earthlink.net>	<491B31F7.30200@elischer.org>		<491B4345.80106@earthlink.net>	<491B47D2.6010804@elischer.org>		<491C2235.4090509@earthlink.net>	<1226589468.1976.12.camel@wombat.2hip.net>	<491C4EC2.2000802@earthlink.net> <491D6CED.50006@earthlink.net> <491DC28E.80804@elischer.org>

Julian Elischer wrote:
> Stephen Clark wrote:
>> Stephen Clark wrote:
> 
>>>>>>
>>>>>> 10.0.129.1 FreeBSD workstation
>>>>>>  ^
>>>>>>  |
>>>>>>  | ethernet
>>>>>>  |
>>>>>>  v
>>>>>> 10.0.128.1 Freebsd FW "A"
>>>>>>  ^
>>>>>>  |
>>>>>>  | gre / ipsec
>>>>>>  |
>>>>>>  v
>>>>>> 192.168.3.1 FreeBSD FW "B"
>>>>>>  ^
>>>>>>  |
>>>>>>  | ethernet
>>>>>>  |
>>>>>>  v
>>>>>> 192.168.3.86 linux workstation
>>>>>>
> 
>>> Also just using gre's without the underlying ipsec tunnels seems to
>>> work properly.
> 
> 
> This is the crux of the matter.
> IPSEC happens INSIDE the IP stack. The IP stack is responsible for
> the ICMP generation so it is much more likely that there is an 
> interaction there.
> 
> Now is there an IPSEC rule to make sure that the ICMP packet can get 
> back?  It could be that in the IP stack there is some confusion as to 
> whether the return packet should be encrypted or not and it might get 
> dropped.
> 
> the code involved is in /sys/netinet and /sys/netipsec but you'll
> probably regret looking in there ;-)
> 
> 
> 
>>>
>>>
>> Another data point I had been using option FILTER_GIF I tried a kernel
>> without that option and it behaved the same.
>>
>> Steve
>>
> 
I agree. I put a diag in ip_input.c

		/* ip_input.c forwarding path: the TTL would reach zero on this
		 * hop, so send ICMP type 11 (time exceeded), code 0 (in transit)
		 * back to the source and drop the packet. */
		if (ip->ip_ttl <= IPTTLDEC) {
			icmp_error(m, ICMP_TIMXCEED, ICMP_TIMXCEED_INTRANS,
			    0, 0);
			return;
		}
and sure enough it is calling icmp_error, but I think it can't figure out
how to route the packet back. I've been looking at my SPD to see if I can make some 
adjustment to the policy that would help.
-- 

"They that give up essential liberty to obtain temporary safety,
deserve neither liberty nor safety."  (Ben Franklin)

"The course of history shows that as a government grows, liberty
decreases."  (Thomas Jefferson)
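The diag above shows the stack reaching icmp_error() on the TTL check. As an added illustration of what that call has to produce, here is a small userland model of the two steps ip_input.c/ip_icmp.c perform for a traceroute probe: the TTL test, and construction of the ICMP Time Exceeded datagram (RFC 792: type 11, code 0, followed by the offending IP header plus 8 bytes of its payload) addressed back to the probe's source. This is example code written for this note, not FreeBSD kernel code; the sample packet (10.0.129.1 -> 192.168.3.86, TTL 1) and the router address 192.168.3.1 are constructed for the example and are not taken from a capture. It deliberately stops where the thread's problem starts: once the ICMP reply exists it still has to be routed back through the gre/ipsec path and match an SPD entry, which this model does not cover.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define IPTTLDEC              1   /* as in FreeBSD sys/netinet/ip_var.h */
#define IPPROTO_ICMP          1
#define ICMP_TIMXCEED         11  /* time exceeded */
#define ICMP_TIMXCEED_INTRANS 0   /* TTL == 0 in transit */

/* Constructed sample: IPv4/UDP 10.0.129.1 -> 192.168.3.86, TTL 1, 12 bytes
 * of UDP (8-byte header + 4-byte payload). The IP header checksum is left
 * zero; it is not needed for the TTL check. Not a real capture. */
static const uint8_t sample_packet[] = {
    0x45, 0x00, 0x00, 0x20, 0x12, 0x34, 0x00, 0x00, 0x01, 0x11, 0x00, 0x00,
    10, 0, 129, 1,  192, 168, 3, 86,
    0x82, 0x9a, 0x82, 0x9b, 0x00, 0x0c, 0x00, 0x00, 0xde, 0xad, 0xbe, 0xef
};

/* RFC 1071 Internet checksum over an arbitrary byte string. */
uint16_t in_cksum(const uint8_t *data, size_t len) {
    uint32_t sum = 0;
    while (len > 1) { sum += (uint32_t)((data[0] << 8) | data[1]); data += 2; len -= 2; }
    if (len) sum += (uint32_t)data[0] << 8;
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* The same test ip_input.c applies before forwarding: 1 if the TTL would
 * reach zero when decremented (so ICMP time exceeded must be sent),
 * 0 if the packet may be forwarded, -1 if the buffer is too short. */
int ttl_expired(const uint8_t *ip, size_t len) {
    if (len < 20) return -1;
    return ip[8] <= IPTTLDEC;
}

/* Build the ICMP Time Exceeded datagram icmp_error() would emit: a 20-byte
 * IPv4 header from router_ip to the original source, an 8-byte ICMP header,
 * then the offending IP header and the first 8 bytes after it.
 * Returns the total length written to out, or -1 on error. */
int build_time_exceeded(const uint8_t *orig, size_t orig_len,
                        const uint8_t router_ip[4], uint8_t *out, size_t out_len) {
    if (orig_len < 20) return -1;
    size_t ihl = (size_t)(orig[0] & 0x0f) * 4;
    if (ihl < 20 || orig_len < ihl) return -1;
    size_t quoted = (ihl + 8 < orig_len) ? ihl + 8 : orig_len;
    size_t total = 20 + 8 + quoted;
    if (out_len < total) return -1;
    memset(out, 0, total);

    /* Outer IPv4 header: router -> original source, proto ICMP. */
    out[0] = 0x45;
    out[2] = (uint8_t)(total >> 8); out[3] = (uint8_t)(total & 0xff);
    out[8] = 64;                     /* fresh TTL for the reply */
    out[9] = IPPROTO_ICMP;
    memcpy(out + 12, router_ip, 4);
    memcpy(out + 16, orig + 12, 4);  /* dst = source of the expired packet */
    uint16_t ck = in_cksum(out, 20);
    out[10] = (uint8_t)(ck >> 8); out[11] = (uint8_t)(ck & 0xff);

    /* ICMP header (type, code, checksum, 4 unused bytes) + quoted datagram. */
    uint8_t *icmp = out + 20;
    icmp[0] = ICMP_TIMXCEED;
    icmp[1] = ICMP_TIMXCEED_INTRANS;
    memcpy(icmp + 8, orig, quoted);
    ck = in_cksum(icmp, 8 + quoted);
    icmp[2] = (uint8_t)(ck >> 8); icmp[3] = (uint8_t)(ck & 0xff);
    return (int)total;
}

int main(void) {
    const uint8_t router[4] = {192, 168, 3, 1};  /* assumed hop address */
    uint8_t reply[128];
    if (ttl_expired(sample_packet, sizeof sample_packet) != 1) {
        puts("TTL not expired: would forward");
        return 0;
    }
    int n = build_time_exceeded(sample_packet, sizeof sample_packet, router,
                                reply, sizeof reply);
    printf("ICMP time exceeded, %d bytes:", n);
    for (int i = 0; i < n; i++) printf("%s%02x", (i % 16) ? " " : "\n", reply[i]);
    putchar('\n');
    return 0;
}
```

Recomputing in_cksum() over the finished IP header and over the ICMP portion returns 0 when the checksums are correct, which is the check a receiver performs; the test below uses that rather than comparing against hard-coded bytes.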
