Date:      Thu, 13 Nov 2008 10:17:48 -0500
From:      Robert Noland <rnoland@FreeBSD.org>
To:        sclark46@earthlink.net
Cc:        freebsd-net@freebsd.org, Julian Elischer <julian@elischer.org>
Subject:   Re: FreeBSD 6.3 gre and traceroute
Message-ID:  <1226589468.1976.12.camel@wombat.2hip.net>
In-Reply-To: <491C2235.4090509@earthlink.net>
References:  <491B2703.4080707@earthlink.net> <491B31F7.30200@elischer.org> <491B4345.80106@earthlink.net> <491B47D2.6010804@elischer.org> <491C2235.4090509@earthlink.net>


On Thu, 2008-11-13 at 07:48 -0500, Stephen Clark wrote:
> Julian Elischer wrote:
> > Stephen Clark wrote:
> >> Julian Elischer wrote:
> >
> >>> you will need to define the setup and question better.
> >
> > thanks.. cleaning it up a bit more...
> >
> > 10.0.129.1 FreeBSD workstation
> >  ^
> >  |
> >  | ethernet
> >  |
> >  v
> > 10.0.128.1 Freebsd FW "A"
> >  ^
> >  |
> >  | gre / ipsec
> >  |
> >  v
> > 192.168.3.1 FreeBSD FW "B"
> >  ^
> >  |
> >  | ethernet
> >  |
> >  v
> > 192.168.3.86 linux workstation
> >
> >> $ sudo traceroute 192.168.3.86
> >> traceroute to 192.168.3.86 (192.168.3.86), 64 hops max, 40 byte packets
> >>  1  HQFirewallRS.com (10.0.128.1)  0.575 ms  0.423 ms  0.173 ms
> >>  2  * * *
> >>  3  192.168.3.86 (192.168.3.86)  47.972 ms  45.174 ms  49.968 ms
> >>
> >> No response from the FreeBSD "B" box.
> >>
> >> When I do a tcpdump on "B" of the gre interface I see UDP packets
> >> with a TTL of 1 but no ICMP response packets being sent back.
> >
> >>
> >> If I do the traceroute from the linux workstation 192.168.3.86 I get
> >> similar results - I don't see a response from the FreeBSD "A" box.
> >
> > could you try using just GRE encapsulation?
> > (i.e. turn off IPSEC for now)
> >
> > I think that is much more likely to be where the problem is..
> >
> >
> I'll have to set this up to test it.

The ttl exceeded is triggered from one of two places.  Either
netinet/ip_fastfwd.c if fast_forwarding is enabled or in
netinet/ip_input.c.  Look for the code relating to IPTTLDEC.  This isn't
your problem though...  If ttl were not being decremented, the packet
would just be forwarded on to the next hop (IP_STEALTH), which would
just make the firewalls invisible.  The fact that you are seeing * * *
indicates that you are not receiving the ttl exceeded message for the
packet sent with that particular ttl.  I still think that the issue you
are seeing is that one way or another the generated ICMP response isn't
making it back onto the tunnel.  Either via security policy, firewall or
routing.

robert.

> What code in the FreeBSD kernel is responsible for generating the response ICMP
> dest unreachable message?
>

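An added example, not code from this thread or from FreeBSD's source, modelling the hop check Robert describes: a traceroute-style UDP probe with TTL 1 arrives at a forwarding router, which either decrements the TTL by IPTTLDEC and forwards, or generates an ICMP Time Exceeded addressed back to the probe's source (the reply that must find its way back into the tunnel, or traceroute shows `* * *`). The `stealth` flag models the IP_STEALTH behaviour mentioned above; the addresses, the probe layout and the constant's value are constructed to match the thread.

```python
import socket
import struct

# Assumption (example code, not FreeBSD's): IPTTLDEC models the kernel constant,
# the amount a forwarding router takes off the TTL on each hop.
IPTTLDEC = 1
ICMP_TIMXCEED, ICMP_TIMXCEED_INTRANS = 11, 0   # Time Exceeded, "TTL exceeded in transit"

def checksum(data: bytes) -> int:
    """RFC 1071 ones-complement checksum; over a header with a valid checksum it yields 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]

def traceroute_probe(src: str, dst: str, ttl: int, dport: int = 33434) -> bytes:
    """Constructed UDP probe of the kind traceroute sends (40 bytes total, as in the thread)."""
    udp = struct.pack("!HHHH", 40000, dport, 8 + 12, 0) + b"\x00" * 12
    return ipv4_header(src, dst, 17, len(udp), ttl) + udp

def forward(pkt: bytes, router_ip: str, stealth: bool = False):
    """Model of the hop check a router makes before forwarding a packet.
    Returns ("forwarded", pkt) or ("icmp_time_exceeded", reply)."""
    ttl = pkt[8]
    if stealth:
        # IP_STEALTH behaviour: TTL left alone, no ICMP, router invisible to traceroute.
        return "forwarded", pkt
    if ttl <= IPTTLDEC:
        # Time Exceeded quotes the offending IP header plus the first 8 payload bytes,
        # so traceroute can match the reply to its probe's UDP ports.
        icmp = struct.pack("!BBHI", ICMP_TIMXCEED, ICMP_TIMXCEED_INTRANS, 0, 0) + pkt[:28]
        icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
        # The reply goes from the router to the probe's *source*, so it needs a route
        # back (here: into the GRE tunnel), or traceroute prints * * * for this hop.
        orig_src = socket.inet_ntoa(pkt[12:16])
        return "icmp_time_exceeded", ipv4_header(router_ip, orig_src, 1, len(icmp), 64) + icmp
    hdr = bytearray(pkt[:20])
    hdr[8] = ttl - IPTTLDEC                 # decrement and recompute the header checksum
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", checksum(bytes(hdr)))
    return "forwarded", bytes(hdr) + pkt[20:]
```

Running `forward(traceroute_probe("10.0.129.1", "192.168.3.86", 1), "192.168.3.1")` yields the reply firewall "B" should emit; where the reply's destination (the workstation) is only reachable back through the tunnel, the policy, filter and routing on the return path are what decide whether it is ever seen.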
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?1226589468.1976.12.camel>