Date: Tue, 27 May 2008 13:24:46 -0500 From: Tom Judge <tom@tomjudge.com> To: net@FreeBSD.org Subject: ICMP Error transmission/response over IPSec tunnels Message-ID: <483C51EE.7040700@tomjudge.com>
Hi,

Today I looked into why I can not get a traceroute across an IPSec IPIP tunnel and came across an interesting piece of code.

Here is a diagram of the setup:

[Node A] <-> [Router A] <-{IPSec}-> [Router B] <-> [Node B]

If I traceroute from Node A to Node B I never see the ICMP packet for the TTL exceeded generated by Router B.

So I did a little digging and found an interesting revision of sys/netinet/ip_icmp.c. In revision 1.93 it seems ume@ added a check for the flag M_DECRYPTED in icmp_error() and if it was set do not generate the ICMP error message.

So my questions are:

1) Is this check really required?

2) If it is required, what makes it required? Is it a problem in the ICMP transmit path, or is there some other reason?

3) It seems the check originated from the KAME project; as FreeBSD no longer uses the KAME IPSec implementation, is the check still required? I found the same check in the NetBSD code, but could not find a similar check in OpenBSD (although the OpenBSD IPsec implementation is somewhat different from NetBSD and FreeBSD).

Any information about this would be appreciated as I would like to be able to do traceroutes across my WAN.

Thanks
Tom