ICMP Error transmission/response over IPSec tunnels

Tom Judge tom at tomjudge.com
Tue May 27 21:08:43 UTC 2008


Bjoern A. Zeeb wrote:
> On Tue, 27 May 2008, Tom Judge wrote:
> 
> Hi,
> 
>> Yes we do indeed see a reply from node b.  It is good to hear that 
>> this is a known issue.
>>
>> The IPSec configuration is a gif ipip tunnel that is then encrypted 
>> with IPSec using esp in tunnel mode as per the ipsec vpn section in 
>> the handbook.
> 
> 1) if you do not need the ipip tunnel because you need an interface
> and "link state changes" only go with the IPsec tunnel mode.
> 
> 2) If you need the gi tunnel on top and routing, use IPsec transport
> mode.
> 
> (ignore the handbook, try to understand it;)

I have 13 nodes in a partial mesh running ospf for routing.  It would 
not be trivial for me to switch from tunnel to transport mode.  Also I 
have not tested quagga when the ipsec is in transport mode, and I 
guess I do need interfaces to use with quagga.  I may test fixing this 
additional overhead, but as they say, if it's not broken don't fix it.

> 
>> Do you have any more information on the underlying source of the 
>> problem?  If so it would help me find the problem.  I may setup a 
>> small test network to find this problem this evening time permitting.
> 
> a test network is not a problem. time is.
> 
> 

Please understand that I was not asking for you to fix this problem just 
for some pointers into where to start looking.  The reason I ask is that 
you seem to know in what region that the error exists and it would be 
helpful to me if you could tell me so that I could try to find a 
solution to the problem myself.  At a guess the code that I need to look 
at is in icmp_error() or further down the icmp transmit path (maybe 
icmp_reflect or further?).


Thanks again.

Tom
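The two layouts Bjoern contrasts above (gif-over-IPsec with ESP in tunnel mode, versus gif with ESP in transport mode protecting the ipip packets) are shown below as setkey(8) SPD fragments. This is an added illustration, not configuration from the thread or from the handbook; the outer addresses 192.0.2.1/192.0.2.2 and the inner gif addresses 10.0.0.1/10.0.0.2 are constructed placeholders, and the gif interface itself is assumed to be configured separately with ifconfig.

```conf
# --- Layout A: what the original poster describes ---
# gif0 carries ipip (protocol "ipencap") between 10.0.0.1 and 10.0.0.2;
# the whole ipip packet is then wrapped again by ESP in tunnel mode
# between the outer endpoints 192.0.2.1 and 192.0.2.2 (placeholders).
# Result: two encapsulation headers, and a reply to an ICMP error has to
# make it back through both layers.
spdadd 192.0.2.1/32 192.0.2.2/32 ipencap -P out ipsec
        esp/tunnel/192.0.2.1-192.0.2.2/require;
spdadd 192.0.2.2/32 192.0.2.1/32 ipencap -P in  ipsec
        esp/tunnel/192.0.2.2-192.0.2.1/require;

# --- Layout B: Bjoern's option 2 ---
# Keep gif0 (so routing daemons still see an interface and link state),
# but protect the ipip packets with ESP in transport mode instead of
# adding a second tunnel header.  Only one outer IP header remains.
spdadd 192.0.2.1/32 192.0.2.2/32 ipencap -P out ipsec
        esp/transport//require;
spdadd 192.0.2.2/32 192.0.2.1/32 ipencap -P in  ipsec
        esp/transport//require;
```

Load either fragment on both endpoints with the peer's addresses swapped, and verify the resulting policy with `setkey -DP`; the selector `ipencap` restricts the policy to the gif traffic, so other packets between the two outer addresses are left alone. Converting an existing mesh from A to B changes the SPD on every peer at once, which is the operational cost the poster is weighing against the ICMP-error issue.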


More information about the freebsd-net mailing list