ICMP Error transmission/response over IPSec tunnels
Tom Judge
tom at tomjudge.com
Tue May 27 18:40:21 UTC 2008
Hi,
Today I looked into why I cannot get a traceroute across an IPSec IPIP
tunnel and came across an interesting piece of code. Here is a diagram
of the setup:
[Node A] <-> [Router A] <-{IPSec}-> [Router B] <-> [Node B]
If I traceroute from Node A to Node B I never see the ICMP packet for
the TTL exceeded generated by Router B.
So I did a little digging and found an interesting revision of
sys/netinet/ip_icmp.c. In revision 1.93 it seems ume@ added a check for
the flag M_DECRYPTED in icmp_error(), and if it is set, no ICMP error
message is generated.
So my questions are:
1) Is this check really required?
2) If it is required what makes it required? Is it a problem in the
icmp transmit path, or is there some other reason?
3) It seems the check originated from the KAME project; as FreeBSD no
longer uses the KAME IPSec implementation, is the check still required?
I found the same check in the NetBSD code, but could not find a similar
check in OpenBSD (although the OpenBSD IPSec implementation is somewhat
different from NetBSD's and FreeBSD's).
Any information about this would be appreciated, as I would like to be
able to do traceroutes across my WAN.
Thanks
Tom
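The following is an added illustration of the symptom described in the post, written for this page; it is not FreeBSD kernel code and not Tom's. It models the forwarding path of a traceroute probe across the [Node A] - [Router A] - {IPSec} - [Router B] - [Node B] topology: Router A decrements the inner TTL before encapsulating, Router B's ESP input marks the decrypted inner packet with an M_DECRYPTED-style flag before it is forwarded again, and a guard modelled on the icmp_error() check suppresses the time-exceeded message for any packet carrying that flag. The flag value, the struct, and every function name are assumptions made for the model; the point it makes visible is which hop goes silent and why.

```c
#include <stdio.h>

/* Assumed flag value for this model only; not the kernel's definition. */
#define M_DECRYPTED 0x1

/* Minimal stand-in for the inner (encapsulated) packet: TTL plus mbuf-style flags. */
struct pkt {
    int ttl;
    unsigned flags;
};

/* Which hop answers a probe of a given TTL. HOP_TIMEOUT means no ICMP came back. */
enum hop { HOP_TIMEOUT = -1, HOP_ROUTER_A = 1, HOP_ROUTER_B = 2, HOP_NODE_B = 3 };

/*
 * Model of the guard described in the post: when the check is enabled and the
 * packet was decrypted on the way in, icmp_error() generates nothing.
 * Returns 1 if an ICMP error would be emitted, 0 if it is suppressed.
 */
int icmp_error_allowed(const struct pkt *p, int decrypted_check)
{
    if (decrypted_check && (p->flags & M_DECRYPTED))
        return 0;
    return 1;
}

/* Walk one probe from Node A towards Node B and report who answers. */
int probe(int ttl, int decrypted_check)
{
    struct pkt inner = { ttl, 0 };

    /* Router A forwards the plaintext probe: decrement TTL, send time-exceeded if it hits 0. */
    if (--inner.ttl <= 0)
        return HOP_ROUTER_A;                /* plaintext packet, no flag, ICMP always sent */

    /*
     * Router A then encapsulates the probe in ESP/IPIP. The outer header carries its own
     * TTL; the inner TTL is not touched in transit, so the tunnel looks like one hop.
     */

    /* Router B decrypts, and the ESP input path marks the inner mbuf as decrypted. */
    inner.flags |= M_DECRYPTED;

    /* Router B now forwards the inner packet: decrement again, call icmp_error() on expiry. */
    if (--inner.ttl <= 0)
        return icmp_error_allowed(&inner, decrypted_check) ? HOP_ROUTER_B : HOP_TIMEOUT;

    /* Probe reaches Node B, which answers (port unreachable / echo reply). */
    return HOP_NODE_B;
}

/*
 * Run a traceroute: hops[i] receives the answer for TTL i+1. Returns the TTL at which
 * Node B was reached, or max_hops if it never was.
 */
int traceroute(int hops[], int max_hops, int decrypted_check)
{
    for (int ttl = 1; ttl <= max_hops; ttl++) {
        hops[ttl - 1] = probe(ttl, decrypted_check);
        if (hops[ttl - 1] == HOP_NODE_B)
            return ttl;
    }
    return max_hops;
}

static const char *hop_name(int h)
{
    switch (h) {
    case HOP_ROUTER_A: return "Router A";
    case HOP_ROUTER_B: return "Router B";
    case HOP_NODE_B:   return "Node B";
    default:           return "* * *";
    }
}

int main(void)
{
    int hops[8];

    for (int check = 1; check >= 0; check--) {
        int n = traceroute(hops, 8, check);
        printf("M_DECRYPTED check %s:\n", check ? "enabled" : "disabled");
        for (int i = 0; i < n; i++)
            printf("  %d  %s\n", i + 1, hop_name(hops[i]));
    }
    return 0;
}
```

With the check enabled the second hop prints as "* * *" exactly as the post reports, while the destination is still reached at hop 3; with the check disabled Router B shows up. The model deliberately keeps the outer and inner TTLs separate, which is why the tunnel between the two routers never appears as a hop of its own.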
More information about the freebsd-net mailing list