From: Tom Judge
Date: Tue, 27 May 2008 15:35:53 -0500
To: "Bjoern A. Zeeb"
Cc: net@FreeBSD.org
Subject: Re: ICMP Error transmission/response over IPSec tunnels
List-Id: Networking and TCP/IP with FreeBSD

Bjoern A. Zeeb wrote:
> On Tue, 27 May 2008, Tom Judge wrote:
>
> Hi,
>
>> Today I looked into why I can not get a traceroute across an IPSec IPIP
>> tunnel
>
> I guess not an IPIP tunnel but just IPsec tunnel mode?
>
> ...
>> Any information about this would be appreciated as I would like to be
>> able to do traceroutes across my wan.
>
> The problem has been well known and is on my todo list. I haven't
> checked the relevant code lately but if I remember the problem is not
> to be fixed trivially in first place.
>
> You should get a reply back from your Node B though, just not from
> Router B.
>
>
> /bz
>

Hi Bjoern,

Yes we do indeed see a reply from node b. It is good to hear that this is a known issue.

The IPSec configuration is a gif ipip tunnel that is then encrypted with IPSec using esp in tunnel mode as per the ipsec vpn section in the handbook.

Do you have any more information on the underlying source of the problem? If so it would help me find the problem. I may set up a small test network to find this problem this evening time permitting.

Thanks

Tom

PS. Could you pm me a link to your RELENG_7 multi ip jail patches?