FreeBSD 6.3 ipsec and traceroute doesn't work as good as Linux -why?

Holger Kipp hk at alogis.com
Fri Nov 14 08:49:44 PST 2008


On Fri, Nov 14, 2008 at 09:31:24AM -0500, Stephen Clark wrote:

Dear Stephen,

I don't want to be rude, but looking at your description I don't see
what's wrong with the behaviour, but it seems you don't understand what
'* * *' really means.

How does traceroute work? Well, it sends out a packet with time to live
(TTL) set to one. On the way, this will be reduced by each hop that
it passes through, and if TTL reaches zero, a time exceeded message will
be sent back. Then another packet is sent with TTL increased by one to
identify the next hop and so on.

If no answer is received, print out a '*' and try again (up to three tries
by default).

This process will stop if the last hop replies. It does not stop (or only
after e.g. 30 hops) if the last hop does not reply.

Why is it that we sometimes do not get a reply? Possible answers:
- fw-rules block these traceroute packets
- routing for the answer packet is not set correctly
- with IP-tunnel, the packet is not routed through the tunnel because 
  it does not enter the ruleset from an external interface. This might 
  be true for your firewalls.
- ...

So routing and fw-settings are very important here. You might want to
check that first, before complaining ;-)

In your setup you have not given both external and internal FW addresses.
You might not want to have the FW be exposed on its internal interface
to the remote network, instead you might want to have a transparent tunnel.

Regards,
Holger


>  10.0.129.1 FreeBSD workstation
>   ^
>   |
>   | ethernet
>   |
>   v
>  10.0.128.1 Freebsd FW "A"
>   ^
>   |
>   | ipsec
>   |
>   v
>  192.168.2.1 Linux FW "B"
>   ^
>   |
>   | ethernet
>   |
>   v
> 192.168.2.20 linux workstation
> 
> from 192.168.2.20 Linux<->ipsec<->FreeBSD
> 
> traceroute -I 10.0.129.1
> traceroute to 10.0.129.1 (10.0.129.1), 30 hops max, 60 byte packets
>  1  192.168.2.1 (192.168.2.1)  0.434 ms  0.425 ms  0.423 ms
>  2  * * *
>  3  sclark (10.0.129.1)  42.418 ms  42.419 ms  42.727 ms
> 
> traceroute -I 10.0.128.1
> traceroute to 10.0.128.1 (10.0.128.1), 30 hops max, 60 byte packets
>  1  192.168.2.1 (192.168.2.1)  0.398 ms  0.504 ms  0.505 ms
>  2  10.0.128.1 (10.0.128.1)  36.066 ms  36.052 ms  37.800 ms
> 
> traceroute 10.0.129.1
> traceroute to 10.0.129.1 (10.0.129.1), 30 hops max, 60 byte packets
>  1  192.168.2.1 (192.168.2.1)  0.484 ms  0.464 ms  0.447 ms
>  2  * * *
>  3  sclark (10.0.129.1)  41.406 ms  41.391 ms  47.812 ms
> 
> traceroute 10.0.128.1
> traceroute to 10.0.128.1 (10.0.128.1), 30 hops max, 60 byte packets
>  1   (192.168.2.1)  0.473 ms  0.444 ms  0.427 ms
>  2  * * *
>  3  * * *
>  4  * * *
>  5  * * *
>  6  * * *
>  7  * * *
>  8  * * *
>  9  * * *
> 10  * * *
> 11  * * *
> 12  * *^C
> 
> 
> 
> from 10.0.129.1 FreeBSD<->ipsec<->Linux
> sudo traceroute 192.168.2.20
> traceroute to 192.168.2.20 (192.168.2.20), 64 hops max, 40 byte packets
>  1  HQFirewallRS.com (10.0.128.1)  0.761 ms  2.551 ms  4.017 ms
>  2  * * *
>  3  192.168.2.20 (192.168.2.20)  19.956 ms  27.425 ms  27.487 ms
> 
> sclark:~
> $ sudo traceroute 192.168.2.1
> traceroute to 192.168.2.1 (192.168.2.1), 64 hops max, 40 byte packets
>  1  HQFirewallRS.com (10.0.128.1)  8.069 ms  2.952 ms  4.050 ms
>  2  home (192.168.2.1)  26.338 ms  22.132 ms  24.233 ms
> 
> sclark:~
> $ sudo traceroute -I 192.168.2.20
> traceroute to 192.168.2.20 (192.168.2.20), 64 hops max, 60 byte packets
>  1  HQFirewallRS.com (10.0.128.1)  0.714 ms  0.806 ms  0.221 ms
>  2  home (192.168.2.1)  25.260 ms  25.312 ms  25.868 ms
>  3  192.168.2.20 (192.168.2.20)  36.477 ms  24.828 ms  24.903 ms
> 
> sclark:~
> $ sudo traceroute -I 192.168.2.1
> traceroute to 192.168.2.1 (192.168.2.1), 64 hops max, 60 byte packets
>  1  HQFirewallRS.com (10.0.128.1)  2.219 ms  1.889 ms  4.491 ms
>  2  home (192.168.2.1)  26.172 ms  25.706 ms  24.981 ms
> 
> tracerouteing to Linux never just gives a * * *, * * *, * * *, etc
> 
> -- 
> 
> "They that give up essential liberty to obtain temporary safety,
> deserve neither liberty nor safety."  (Ben Franklin)
> 
> "The course of history shows that as a government grows, liberty
> decreases."  (Thomas Jefferson)
> 
> 
> 
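The following is an added example, not code from either mail. It is a toy model of the traceroute mechanism Holger describes (TTL starting at one, a time-exceeded reply per hop, `*` for each probe that gets no answer, three probes per TTL, stop only once the destination itself replies). The hop list is constructed from the addresses in Stephen's output; the `answers` flag on each hop stands in for all the reasons a reply may never come back (firewall rules, return routing, tunnel policy) and is an assumption made for illustration, not a statement about what the real firewalls do.

```python
"""Toy model of traceroute's TTL-probing algorithm (added example).

Hop addresses come from the quoted mail; whether a hop answers is a
constructed flag that stands in for firewall rules, return routing and
tunnel policy, which the model does not simulate.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Hop:
    addr: str
    answers: bool  # True if this hop's reply actually makes it back to the sender


def send_probe(path: List[Hop], ttl: int) -> Optional[str]:
    """Send one probe with the given TTL along `path` (last element is the
    destination). Returns the address that replied, or None on timeout."""
    for index, hop in enumerate(path, start=1):
        ttl -= 1                                  # every hop decrements TTL
        if index == len(path):
            # Probe reached the destination; it answers (echo reply or port
            # unreachable) only if nothing blocks or misroutes the answer.
            return hop.addr if hop.answers else None
        if ttl == 0:
            # TTL expired in transit: this hop should send ICMP Time Exceeded.
            return hop.addr if hop.answers else None
    return None


def traceroute(path: List[Hop], max_hops: int = 30,
               probes: int = 3) -> List[Tuple[int, List[Optional[str]]]]:
    """Probe TTL 1, 2, ... until the destination replies or max_hops is hit."""
    results = []
    for ttl in range(1, max_hops + 1):
        replies = [send_probe(path, ttl) for _ in range(probes)]
        results.append((ttl, replies))
        if path[-1].addr in replies:              # destination answered: done
            break
    return results


def render(results: List[Tuple[int, List[Optional[str]]]]) -> List[str]:
    """Format like the real tool: one line per TTL, '*' per unanswered probe."""
    lines = []
    for ttl, replies in results:
        named = [r for r in replies if r is not None]
        if not named:
            lines.append(f"{ttl:2d}  " + " ".join("*" for _ in replies))
        else:
            marks = " ".join("*" if r is None else "reply" for r in replies)
            lines.append(f"{ttl:2d}  {named[0]}  {marks}")
    return lines


# Constructed path matching Stephen's "traceroute -I 10.0.129.1": the Linux
# gateway answers, the IPsec peer's time-exceeded never comes back (flag is an
# assumption), and the FreeBSD workstation answers the echo request.
TUNNEL_PATH = [Hop("192.168.2.1", True),
               Hop("10.0.128.1", False),
               Hop("10.0.129.1", True)]

# Constructed path matching "traceroute 10.0.128.1" (UDP probes): the
# destination never answers, so the run only ends at max_hops.
SILENT_DEST_PATH = [Hop("192.168.2.1", True), Hop("10.0.128.1", False)]

if __name__ == "__main__":
    print("\n".join(render(traceroute(TUNNEL_PATH))))
    print("\n".join(render(traceroute(SILENT_DEST_PATH, max_hops=12))))
```

Running it reproduces the shape of Stephen's two cases: the first trace prints a gateway line, a `* * *` line for the silent tunnel hop, and then the destination at hop 3, which is a complete and successful trace; the second never sees the destination reply and only stops when it runs out of hops, which is what the page's `traceroute 10.0.128.1` output shows.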

