Date:      Thu, 16 Sep 2010 18:00:53 +0400
From:      Vladimir Grigorov <vl.varlog@gmail.com>
To:        freebsd-net@freebsd.org
Subject:   Strange FreeBSD behavior when trying to forward between IPsec-encrypted gifs. Maybe a problem with ICMP unreach packets at all
Message-ID:  <273436110.20100916180053@gmail.com>

Greetings all.


I have strange problems related to the passage of ICMP need-frag packets and, as a result, of all packets whose length is greater than the output gif MTU.

Network diagram:

[HostA] -- (mtu 1500) --- [FW1] --- ipsec gif mtu 1280 <-gif1 -- [FW2] - gif0 -> ipsec gif mtu 6100 - [FW3] -(mtu 1500) - [HostB]

All FWs are FreeBSD hosts.
HostA is a FreeBSD host.
HostB is a Cisco 3750E switch in L3 mode.

HostA can reach HostB and vice versa. Ping with length above 1280 works fine (pmtu = 1280). Ping with len=1281 without the DF bit also works fine. But ping with mtu 1281 fails.

Question: Why does FW2 not send an ICMP need-fragment-but-DF-set message to HostB?

I tried to permit ICMP from all interfaces on FW2 and to explicitly send unreachable packets for all IP packets from a defined source IP; nothing happens. I see increased packet counts related to my source IP, but I can't see response ICMPs with the unreachable code.

uname -a
FreeBSD fw2-mru.astrum-nival.com 8.0-RELEASE-p3 FreeBSD 8.0-RELEASE-p3 #3: Thu Jul  1 18:24:35 MSD 2010     root@fw2-mru.astrum-nival.com:/usr/obj/usr/src/sys/gw  amd64

ifconfig gif0
gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 6100
        tunnel inet 217.69.143.28 --> 217.69.143.57
        inet 10.192.224.5 --> 10.192.224.6 netmask 0xfffffffc
        options=1<ACCEPT_REV_ETHIP_VER>

ifconfig gif1
gif1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1280
        tunnel inet 217.69.143.28 --> 88.212.205.166
        inet 10.160.192.6 --> 10.160.192.5 netmask 0xfffffffc
        options=1<ACCEPT_REV_ETHIP_VER>

netstat -nr | grep 192.168.224

192.168.224.0/22   10.192.224.6       UG1         0 36031303   gif0

netstat -nr | grep 192.168.160.
192.168.160.0/24   10.160.192.5       UG1         0 10969867   gif1

# ipfw show
00006           10            6505 allow icmp from any to 192.168.225.1 via gif0
00100     10524445      1225052712 allow ip from any to any via lo0
00200            0               0 deny ip from any to 127.0.0.0/8
00300            0               0 deny ip from 127.0.0.0/8 to any
00305         2054          433651 allow icmp from any to any via gif0 icmptypes 3,11
00306            0               0 allow icmp from any to 192.168.225.1 via gif0
00310         6960          575159 nat 220 ip from table(10) to any via vlan220
00315         1198           70832 deny ip from not me to 192.168.66.0/23 out xmit vlan220
00320         6512         1611912 nat 220 ip from 192.168.66.0/23 to 192.168.13.199 in recv vlan220
00400    114560294      8963623578 nat 123 ip from 192.168.196.0/24 to any out via vlan506
00402     36831424      2199804860 nat 123 ip from 192.168.193.0/24 to any out via vlan506
00403       153380         9265905 nat 123 ip from 192.168.197.0/24 to any out via vlan506
00500            0               0 nat 123 ip from any to 195.211.130.9 in via vlan506
00501    147593882    174870597871 nat 123 ip from any to 195.211.130.9 in via vlan500
01100            0               0 allow tcp from table(21) to table(23) dst-port 29000
01110            0               0 deny tcp from table(22) to table(23) dst-port 29000
01120            3             144 deny tcp from table(20) to table(23) dst-port 29000
65530 589120438508 133855063718386 allow ip from any to any
65535            0               0 deny ip from any to any

Trying to ping from the Cisco:

c3750e.gldn#ping 192.168.160.248 source 192.168.225.1 repea 5 size 1281 df

Type escape sequence to abort.
Sending 5, 1281-byte ICMP Echos to 192.168.160.248, timeout is 2 seconds:
Packet sent with a source address of 192.168.225.1
Packet sent with the DF bit set
.....
Success rate is 0 percent (0/5)

tcpdump on gif0 (the large-MTU gif, before the small-MTU gif):

[root@fw2-mru ~]# tcpdump -i gif0 -vvv -n host 192.168.225.1
tcpdump: listening on gif0, link-type NULL (BSD loopback), capture size 96 bytes
17:55:54.006210 IP (tos 0x0, ttl 254, id 805, offset 0, flags [DF], proto ICMP (1), length 1281)
    192.168.225.1 > 192.168.160.248: ICMP echo request, id 161, seq 0, length 1261
17:55:56.013039 IP (tos 0x0, ttl 254, id 806, offset 0, flags [DF], proto ICMP (1), length 1281)
    192.168.225.1 > 192.168.160.248: ICMP echo request, id 161, seq 1, length 1261
17:55:58.015870 IP (tos 0x0, ttl 254, id 807, offset 0, flags [DF], proto ICMP (1), length 1281)
    192.168.225.1 > 192.168.160.248: ICMP echo request, id 161, seq 2, length 1261
17:56:00.020833 IP (tos 0x0, ttl 254, id 808, offset 0, flags [DF], proto ICMP (1), length 1281)
    192.168.225.1 > 192.168.160.248: ICMP echo request, id 161, seq 3, length 1261
17:56:02.027756 IP (tos 0x0, ttl 254, id 809, offset 0, flags [DF], proto ICMP (1), length 1281)
    192.168.225.1 > 192.168.160.248: ICMP echo request, id 161, seq 4, length 1261
^C
5 packets captured
99753 packets received by filter
0 packets dropped by kernel

tcpdump on gif1 (the small-MTU gif on the route to the destination):

(nothing)

But if I omit df on the Cisco:

[root@fw2-mru ~]# tcpdump -i gif1 -vvv -n host 192.168.225.1
tcpdump: listening on gif1, link-type NULL (BSD loopback), capture size 96 bytes
17:59:03.083053 IP (tos 0x0, ttl 253, id 815, offset 0, flags [+], proto ICMP (1), length 1276)
    192.168.225.1 > 192.168.160.248: ICMP echo request, id 163, seq 0, length 1256
17:59:03.083147 IP (tos 0x0, ttl 253, id 815, offset 1256, flags [none], proto ICMP (1), length 25)
    192.168.225.1 > 192.168.160.248: icmp
17:59:03.090882 IP (tos 0x0, ttl 253, id 816, offset 0, flags [+], proto ICMP (1), length 1276)
    192.168.225.1 > 192.168.160.248: ICMP echo request, id 163, seq 1, length 1256
17:59:03.090976 IP (tos 0x0, ttl 253, id 816, offset 1256, flags [none], proto ICMP (1), length 25)
    192.168.225.1 > 192.168.160.248: icmp
17:59:03.097254 IP (tos 0x0, ttl 253, id 817, offset 0, flags [+], proto ICMP (1), length 1276)
    192.168.225.1 > 192.168.160.248: ICMP echo request, id 163, seq 2, length 1256
17:59:03.097346 IP (tos 0x0, ttl 253, id 817, offset 1256, flags [none], proto ICMP (1), length 25)
    192.168.225.1 > 192.168.160.248: icmp
17:59:03.105749 IP (tos 0x0, ttl 253, id 818, offset 0, flags [+], proto ICMP (1), length 1276)
    192.168.225.1 > 192.168.160.248: ICMP echo request, id 163, seq 3, length 1256
17:59:03.105844 IP (tos 0x0, ttl 253, id 818, offset 1256, flags [none], proto ICMP (1), length 25)
    192.168.225.1 > 192.168.160.248: icmp
17:59:03.115617 IP (tos 0x0, ttl 253, id 819, offset 0, flags [+], proto ICMP (1), length 1276)
    192.168.225.1 > 192.168.160.248: ICMP echo request, id 163, seq 4, length 1256
17:59:03.115707 IP (tos 0x0, ttl 253, id 819, offset 1256, flags [none], proto ICMP (1), length 25)
    192.168.225.1 > 192.168.160.248: icmp

I.e. the destination is reachable, fragmentation works, and the routes are symmetrical.

Any comments?


-- 
With best regards,
 Vladimir                          mailto:vl.varlog@gmail.com
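As an added illustration (not part of the original mail), the script below models what a forwarding router is expected to do with the 1281-byte echo request in the captures above when the egress link has MTU 1280: without DF it fragments (reproducing the 1276 + 25 byte split at offset 1256 seen on gif1), and with DF set it drops the packet and builds the RFC 1191 ICMP type 3 code 4 "fragmentation needed" message that a router in FW2's position should emit toward the source. Function names and the sample datagram are constructed for this example.

```python
import struct
from ipaddress import IPv4Address

IP_HDR_LEN = 20  # IPv4 header length without options

def max_fragment_payload(mtu, ihl=IP_HDR_LEN):
    # Every fragment except the last carries a multiple of 8 payload bytes.
    return (mtu - ihl) // 8 * 8

def fragment_plan(total_len, mtu, ihl=IP_HDR_LEN):
    """[(offset_bytes, total_length, more_fragments), ...] for a datagram of
    total_len bytes that must leave over a link with the given MTU."""
    payload, step, plan, off = total_len - ihl, max_fragment_payload(mtu, ihl), [], 0
    while off < payload:
        chunk = min(step, payload - off)
        plan.append((off, ihl + chunk, off + chunk < payload))
        off += chunk
    return plan

def inet_checksum(data):
    if len(data) % 2:
        data += b"\0"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF

def ipv4_header(src, dst, total_len, ident, df, ttl=254, proto=1):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident, 0x4000 if df else 0,
                      ttl, proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]

def icmp_need_frag(datagram, next_hop_mtu):
    # RFC 1191: type 3, code 4, unused, next-hop MTU, then the offending IP
    # header plus the first 8 bytes of its payload.
    body = struct.pack("!BBHHH", 3, 4, 0, 0, next_hop_mtu) + datagram[:IP_HDR_LEN + 8]
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]

def forward(datagram, egress_mtu):
    """What a router must do with an IPv4 datagram for the given egress MTU."""
    total_len = struct.unpack("!H", datagram[2:4])[0]
    if total_len <= egress_mtu:
        return ("forward", None)
    if datagram[6] & 0x40:  # DF set: drop it and report the next-hop MTU
        return ("icmp_need_frag", icmp_need_frag(datagram, egress_mtu))
    return ("fragment", fragment_plan(total_len, egress_mtu))

def sample_echo_request(df=True):
    # Constructed to match the capture: 1281-byte echo request, id 805, ttl 254.
    icmp = struct.pack("!BBHHH", 8, 0, 0, 161, 0) + b"x" * (1261 - 8)
    return ipv4_header("192.168.225.1", "192.168.160.248", IP_HDR_LEN + len(icmp), 805, df) + icmp
```

If the need-frag message is really being generated, it should appear on the gif0 capture as an ICMP type 3 code 4 from FW2 to 192.168.225.1 carrying next-hop MTU 1280; its absence there narrows the problem to FW2 itself rather than to the firewall rules or the return path.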



