From owner-freebsd-stable@FreeBSD.ORG Fri Nov 14 16:49:44 2008
Return-Path:
Delivered-To: freebsd-stable@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 91B101065673 for ; Fri, 14 Nov 2008 16:49:44 +0000 (UTC) (envelope-from hk@alogis.com)
Received: from alogis.com (firewall.solit-ag.de [212.184.102.1]) by mx1.freebsd.org (Postfix) with ESMTP id D2CB08FC1C for ; Fri, 14 Nov 2008 16:49:43 +0000 (UTC) (envelope-from hk@alogis.com)
Received: from alogis.com (localhost [127.0.0.1]) by alogis.com (8.13.4/8.13.1) with ESMTP id mAEGaJJx012065; Fri, 14 Nov 2008 17:36:19 +0100 (CET) (envelope-from hk@alogis.com)
Received: (from hk@localhost) by alogis.com (8.13.4/8.13.1/Submit) id mAEGaIuD012064; Fri, 14 Nov 2008 17:36:18 +0100 (CET) (envelope-from hk)
Date: Fri, 14 Nov 2008 17:36:18 +0100
From: Holger Kipp
To: Stephen Clark
Message-ID: <20081114163618.GA10409@intserv.int1.b.intern>
References: <491B2703.4080707@earthlink.net> <491B31F7.30200@elischer.org> <491B4345.80106@earthlink.net> <491B47D2.6010804@elischer.org> <491C2235.4090509@earthlink.net> <1226589468.1976.12.camel@wombat.2hip.net> <491C4EC2.2000802@earthlink.net> <491D6CED.50006@earthlink.net> <491D8BBC.8090201@earthlink.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <491D8BBC.8090201@earthlink.net>
User-Agent: Mutt/1.4.2.1i
Cc: FreeBSD Stable
Subject: Re: FreeBSD 6.3 ipsec and traceroute doesn't work as good as Linux -why?
X-BeenThere: freebsd-stable@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Production branch of FreeBSD source code
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Fri, 14 Nov 2008 16:49:44 -0000

On Fri, Nov 14, 2008 at 09:31:24AM -0500, Stephen Clark wrote:

Dear Stephen,

I don't want to be rude, but looking at your description I don't see what's wrong with the behaviour; it seems you don't understand what '* * *' really means.

How does traceroute work? Well, it sends out a packet with time to live (TTL) set to one. On the first hop, this will be reduced by each hop that it passes through, and if TTL reaches zero, a time exceeded message will be sent back. Then another packet is sent with TTL increased by one to identify the next hop, and so on. If no answer is received, print out a '*' and try again (up to three tries by default). This process will stop if the last hop replies. It does not stop (or only after e.g. 30 hops) if the last hop does not reply.

Why is it that we sometimes do not get a reply? Possible answers:

- fw-rules block these traceroute packets
- routing for the answer packet is not set correctly
- with IP-tunnel, the packet is not routed through the tunnel because it does not enter the ruleset from an external interface. This might be true for your firewalls.
- ...

So routing and fw-settings are very important here. You might want to check that first, before complaining ;-)

In your setup you have not given both external and internal FW addresses. You might not want to have the FW be exposed on its internal interface to the remote network; instead you might want to have a transparent tunnel.
Regards,
Holger

> 10.0.129.1 FreeBSD workstation
>      ^
>      |
>      | ethernet
>      |
>      v
> 10.0.128.1 Freebsd FW "A"
>      ^
>      |
>      | ipsec
>      |
>      v
> 192.168.2.1 Linux FW "B"
>      ^
>      |
>      | ethernet
>      |
>      v
> 192.168.2.20 linux workstation
>
> from 192.168.2.20 Linux<->ipsec<->FreeBSD
>
> traceroute -I 10.0.129.1
> traceroute to 10.0.129.1 (10.0.129.1), 30 hops max, 60 byte packets
> 1 192.168.2.1 (192.168.2.1) 0.434 ms 0.425 ms 0.423 ms
> 2 * * *
> 3 sclark (10.0.129.1) 42.418 ms 42.419 ms 42.727 ms
>
> traceroute -I 10.0.128.1
> traceroute to 10.0.128.1 (10.0.128.1), 30 hops max, 60 byte packets
> 1 192.168.2.1 (192.168.2.1) 0.398 ms 0.504 ms 0.505 ms
> 2 10.0.128.1 (10.0.128.1) 36.066 ms 36.052 ms 37.800 ms
>
> traceroute 10.0.129.1
> traceroute to 10.0.129.1 (10.0.129.1), 30 hops max, 60 byte packets
> 1 192.168.2.1 (192.168.2.1) 0.484 ms 0.464 ms 0.447 ms
> 2 * * *
> 3 sclark (10.0.129.1) 41.406 ms 41.391 ms 47.812 ms
>
> traceroute 10.0.128.1
> traceroute to 10.0.128.1 (10.0.128.1), 30 hops max, 60 byte packets
> 1 (192.168.2.1) 0.473 ms 0.444 ms 0.427 ms
> 2 * * *
> 3 * * *
> 4 * * *
> 5 * * *
> 6 * * *
> 7 * * *
> 8 * * *
> 9 * * *
> 10 * * *
> 11 * * *
> 12 * *^C
>
>
>
> from 10.0.129.1 FreeBSD<->ipsec<->Linux
> sudo traceroute 192.168.2.20
> traceroute to 192.168.2.20 (192.168.2.20), 64 hops max, 40 byte packets
> 1 HQFirewallRS.com (10.0.128.1) 0.761 ms 2.551 ms 4.017 ms
> 2 * * *
> 3 192.168.2.20 (192.168.2.20) 19.956 ms 27.425 ms 27.487 ms
>
> sclark:~
> $ sudo traceroute 192.168.2.1
> traceroute to 192.168.2.1 (192.168.2.1), 64 hops max, 40 byte packets
> 1 HQFirewallRS.com (10.0.128.1) 8.069 ms 2.952 ms 4.050 ms
> 2 home (192.168.2.1) 26.338 ms 22.132 ms 24.233 ms
>
> sclark:~
> $ sudo traceroute -I 192.168.2.20
> traceroute to 192.168.2.20 (192.168.2.20), 64 hops max, 60 byte packets
> 1 HQFirewallRS.com (10.0.128.1) 0.714 ms 0.806 ms 0.221 ms
> 2 home (192.168.2.1) 25.260 ms 25.312 ms 25.868 ms
> 3 192.168.2.20 (192.168.2.20) 36.477 ms 24.828 ms 24.903 ms
>
> sclark:~
> $ sudo traceroute -I 192.168.2.1
> traceroute to 192.168.2.1 (192.168.2.1), 64 hops max, 60 byte packets
> 1 HQFirewallRS.com (10.0.128.1) 2.219 ms 1.889 ms 4.491 ms
> 2 home (192.168.2.1) 26.172 ms 25.706 ms 24.981 ms
>
> tracerouting to Linux never just gives a * * *, * * *, * * *, etc
>
> --
>
> "They that give up essential liberty to obtain temporary safety,
> deserve neither liberty nor safety." (Ben Franklin)
>
> "The course of history shows that as a government grows, liberty
> decreases." (Thomas Jefferson)
>
>
>
> _______________________________________________
> freebsd-stable@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-stable
> To unsubscribe, send any mail to "freebsd-stable-unsubscribe@freebsd.org"
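The probe loop Holger describes (TTL starting at one, up to three tries per hop, a '*' for every unanswered try, stop only when the last hop itself replies), as a constructed Python simulation added to this archive page. It is neither traceroute(8) nor code from either mail. The hop addresses are taken from Stephen's diagram; the behaviour assigned to each hop is an assumption chosen to reproduce the three shapes of output in the quoted traces: FW "A" (10.0.128.1) sends no time-exceeded message back through the tunnel and ignores UDP probes aimed at itself, but answers ICMP echo. RTT values are replaced by the placeholder `<rtt>`.

```python
"""Simulation of the traceroute probe loop described in the mail.

Constructed example, not traceroute(8) and not code from the thread:
the "network" is a list of hops, each deciding whether it answers a
probe whose TTL expired at it.  Hop behaviour below is an assumption
modelled on the quoted output.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Hop:
    addr: str
    # Sends ICMP time-exceeded back when a probe's TTL reaches zero here.
    sends_time_exceeded: bool = True
    # Probe types it answers when it is the destination: "udp" for the
    # default high-port probe, "icmp" for the echo request sent by -I.
    answers_probe: frozenset = frozenset({"udp", "icmp"})


@dataclass
class Path:
    hops: List[Hop]  # in order from the first router to the destination

    def probe(self, ttl: int, proto: str) -> Optional[str]:
        """Send one probe; return the address that replied, or None."""
        # Each hop decrements the TTL, so it expires at hop number `ttl`.
        # A TTL longer than the path simply reaches the destination.
        idx = min(ttl - 1, len(self.hops) - 1)
        hop = self.hops[idx]
        if idx == len(self.hops) - 1:
            return hop.addr if proto in hop.answers_probe else None
        return hop.addr if hop.sends_time_exceeded else None


def traceroute(path: Path, proto: str = "udp",
               max_hops: int = 30, tries: int = 3) -> List[str]:
    """Return the hop lines traceroute would print (RTTs shown as <rtt>)."""
    dest = path.hops[-1].addr
    lines: List[str] = []
    for ttl in range(1, max_hops + 1):
        replies = [path.probe(ttl, proto) for _ in range(tries)]
        first = next((r for r in replies if r), None)
        if first is None:
            # No answer to any try: one '*' per try, then move on.
            lines.append(f"{ttl:2d} " + " ".join("*" for _ in replies))
        else:
            rtts = " ".join("<rtt>" if r else "*" for r in replies)
            lines.append(f"{ttl:2d} {first} {rtts}")
        if first == dest:
            break  # the last hop replied: the trace is finished
    return lines


# Constructed hops (assumed behaviour): Linux FW "B", FreeBSD FW "A" as the
# silent IPsec endpoint, and the FreeBSD workstation behind it.
FW_B = Hop("192.168.2.1")
FW_A = Hop("10.0.128.1", sends_time_exceeded=False,
           answers_probe=frozenset({"icmp"}))
WS = Hop("10.0.129.1")


def through_silent_hop() -> List[str]:
    """Silent intermediate hop: one '* * *' line, then the trace completes."""
    return traceroute(Path([FW_B, FW_A, WS]), proto="udp")


def udp_to_silent_destination() -> List[str]:
    """Silent destination: '* * *' on every line up to the hop limit."""
    return traceroute(Path([FW_B, FW_A]), proto="udp", max_hops=12)


def icmp_to_silent_destination() -> List[str]:
    """The same destination answers ICMP echo, so traceroute -I finishes."""
    return traceroute(Path([FW_B, FW_A]), proto="icmp")


if __name__ == "__main__":
    for title, run in [("traceroute 10.0.129.1", through_silent_hop),
                       ("traceroute 10.0.128.1", udp_to_silent_destination),
                       ("traceroute -I 10.0.128.1", icmp_to_silent_destination)]:
        print(title)
        print("\n".join(run()))
```

Reading the three runs the way Holger suggests: a single '* * *' line followed by the destination means one hop on the path stays silent (a filter rule or the return route for its time-exceeded message), while stars all the way to the hop limit mean the destination itself is not answering that probe type. Switching the probe type with -I, as in the quoted traces, is what separates the two cases.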