ICMP Error transmission/response over IPSec tunnels
Tom Judge
tom at tomjudge.com
Tue May 27 21:08:43 UTC 2008
Bjoern A. Zeeb wrote:
> On Tue, 27 May 2008, Tom Judge wrote:
>
> Hi,
>
>> Yes we do indeed see a reply from node b. It is good to hear that
>> this is a known issue.
>>
>> The IPSec configuration is a gif ipip tunnel that is then encrypted
>> with IPSec using esp in tunnel mode as per the ipsec vpn section in
>> the handbook.
>
> 1) if you do not need the ipip tunnel because you need an interface
> and "link state changes" only go with the IPsec tunnel mode.
>
> 2) If you need the gif tunnel on top and routing, use IPsec transport
> mode.
>
> (ignore the handbook, try to understand it;)
I have 13 nodes in a partial mesh running ospf for routing. It would
not be trivial for me to switch from tunnel to transport mode. Also I
have not tested quagga when the ipsec is in transport mode, and I
guess I do need interfaces to use with quagga. I may test fixing this
additional overhead, but as they say if it's not broken don't fix it.
>
>> Do you have any more information on the underlying source of the
>> problem? If so it would help me find the problem. I may setup a
>> small test network to find this problem this evening time permitting.
>
> a test network is not a problem. time is.
>
>
Please understand that I was not asking for you to fix this problem just
for some pointers into where to start looking. The reason I ask is that
you seem to know in what region that the error exists and it would be
helpful to me if you could tell me so that I could try to find a
solution to the problem myself. At a guess the code that I need to look
at is in icmp_error() or further down the icmp transmit path (maybe
icmp_reflect or further?).
Thanks again.
Tom
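An added example (not part of the thread, and not the handbook's text) showing how the setkey(8) SPD entries differ between the gif-plus-ESP-tunnel-mode layout Tom runs and the gif-plus-ESP-transport-mode layout Bjoern suggests in point 2, for one pair of nodes. The outer addresses are constructed documentation-range values and the gif0 point-to-point addresses are assumed.

```conf
# Constructed example: node A's SPD towards one peer (node B), setkey(8) syntax.
# Outer (public) addresses: 192.0.2.1 (A) and 192.0.2.2 (B), constructed.
# gif0 point-to-point addresses: 10.255.0.1 (A) and 10.255.0.2 (B), assumed.
# OSPF (quagga) peers over gif0 in both gif-based layouts.
# Only one layout may be loaded at a time: the same selector cannot be
# added twice, so the alternatives are commented out.

# Layout from the thread: gif ipip tunnel, then ESP in tunnel mode.
# The outgoing packet has already been wrapped by gif (protocol 4,
# upperspec "ip4"), and ESP tunnel mode wraps it a second time, so every
# OSPF or data packet carries two outer IP headers plus the ESP header.
#spdadd 192.0.2.1 192.0.2.2 ip4 -P out ipsec esp/tunnel/192.0.2.1-192.0.2.2/require;
#spdadd 192.0.2.2 192.0.2.1 ip4 -P in  ipsec esp/tunnel/192.0.2.2-192.0.2.1/require;

# Bjoern's point 2: keep gif0 (so quagga still has an interface and link
# state) but protect the ipip packet with ESP in transport mode. The
# selector is the same; only the mode changes, and the redundant second
# outer header disappears. For transport mode the src-dst field is empty.
spdadd 192.0.2.1 192.0.2.2 ip4 -P out ipsec esp/transport//require;
spdadd 192.0.2.2 192.0.2.1 ip4 -P in  ipsec esp/transport//require;

# Bjoern's point 1: no gif at all, ESP tunnel mode selecting on the inner
# networks (10.0.1.0/24 behind A, 10.0.2.0/24 behind B, constructed).
# There is no interface to run OSPF over, which is why it does not fit a
# quagga-routed mesh without further changes.
#spdadd 10.0.1.0/24 10.0.2.0/24 any -P out ipsec esp/tunnel/192.0.2.1-192.0.2.2/require;
#spdadd 10.0.2.0/24 10.0.1.0/24 any -P in  ipsec esp/tunnel/192.0.2.2-192.0.2.1/require;
```

Load with `setkey -f <file>` on each node, with the addresses and directions mirrored on the peer; `setkey -DP` shows the resulting policies.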