FreeBSD 6.3 ipsec and traceroute doesn't work as good as Linux -why?

Stephen Clark sclark46 at earthlink.net
Fri Nov 14 10:30:12 PST 2008


Holger Kipp wrote:
> On Fri, Nov 14, 2008 at 09:31:24AM -0500, Stephen Clark wrote:
> 
> Dear Stephen,
> 
> I don't want to be rude, but looking at your description I don't see
> what's wrong with the behaviour, but it seems you don't understand what
> '* * *' really means.
> 
> How does traceroute work? Well, it sends out a packet with time to live
> (TTL) set to one. On the first hop, this will be reduced by each hop that
> it passes through, and if TTL reaches zero, a time exceeded message will
> be sent back. Then another packet is sent with TTL increased by one to
> identify the next hop and so on.
> 
> If no answer is received, print out a '*' and try again (up to three tries
> by default).
> 
> This process will stop if the last hop replies. It does not stop (or only
> after e.g. 30 hops) if the last hop does not reply.
> 
> Why is it that we sometimes do not get a reply? Possible answers:
> - fw-rules block these traceroute packets
> - routing for the answer packet is not set correctly
> - with IP-tunnel, the packet is not routed through the tunnel because 
>   it does not enter the ruleset from an external interface. This might 
>   be true for your firewalls.
> - ...
> 
> So routing and fw-settings are very important here. You might want to
> check that first, before complaining ;-)
> 
> In your setup you have not given both external and internal FW addresses.
> You might not want to have the FW be exposed on its internal interface
> to the remote network, instead you might want to have a transparent tunnel.
> 
> Regards,
> Holger
> 
> 
>>  10.0.129.1 FreeBSD workstation
>>   ^
>>   |
>>   | ethernet
>>   |
>>   v
>> internal 10.0.128.1 FreeBSD FW "A"
>> public ip address
>>   ^
>>   |
>>   | ipsec
>>   |
>>   v
>> public ip address
>> internal 192.168.2.1 Linux FW "B"
>>   ^
>>   |
>>   | ethernet
>>   |
>>   v
>> 192.168.2.20 linux workstation
>>
>> from 192.168.2.20 Linux<->ipsec<->FreeBSD
>>
>> traceroute -I 10.0.129.1
>> traceroute to 10.0.129.1 (10.0.129.1), 30 hops max, 60 byte packets
>>  1  192.168.2.1 (192.168.2.1)  0.434 ms  0.425 ms  0.423 ms
>>  2  * * *
>>  3  sclark (10.0.129.1)  42.418 ms  42.419 ms  42.727 ms
>>
>> traceroute -I 10.0.128.1
>> traceroute to 10.0.128.1 (10.0.128.1), 30 hops max, 60 byte packets
>>  1  192.168.2.1 (192.168.2.1)  0.398 ms  0.504 ms  0.505 ms
>>  2  10.0.128.1 (10.0.128.1)  36.066 ms  36.052 ms  37.800 ms
>>
>> traceroute 10.0.129.1
>> traceroute to 10.0.129.1 (10.0.129.1), 30 hops max, 60 byte packets
>>  1  192.168.2.1 (192.168.2.1)  0.484 ms  0.464 ms  0.447 ms
>>  2  * * *
>>  3  sclark (10.0.129.1)  41.406 ms  41.391 ms  47.812 ms
>>
>> traceroute 10.0.128.1
>> traceroute to 10.0.128.1 (10.0.128.1), 30 hops max, 60 byte packets
>>  1   (192.168.2.1)  0.473 ms  0.444 ms  0.427 ms
>>  2  * * *
>>  3  * * *
>>  4  * * *
>>  5  * * *
>>  6  * * *
>>  7  * * *
>>  8  * * *
>>  9  * * *
>> 10  * * *
>> 11  * * *
>> 12  * *^C
>>
>>
>>
>> from 10.0.129.1 FreeBSD<->ipsec<->Linux
>> sudo traceroute 192.168.2.20
>> traceroute to 192.168.2.20 (192.168.2.20), 64 hops max, 40 byte packets
>>  1  HQFirewallRS.com (10.0.128.1)  0.761 ms  2.551 ms  4.017 ms
>>  2  * * *
>>  3  192.168.2.20 (192.168.2.20)  19.956 ms  27.425 ms  27.487 ms
>>
>> sclark:~
>> $ sudo traceroute 192.168.2.1
>> traceroute to 192.168.2.1 (192.168.2.1), 64 hops max, 40 byte packets
>>  1  HQFirewallRS.com (10.0.128.1)  8.069 ms  2.952 ms  4.050 ms
>>  2  home (192.168.2.1)  26.338 ms  22.132 ms  24.233 ms
>>
>> sclark:~
>> $ sudo traceroute -I 192.168.2.20
>> traceroute to 192.168.2.20 (192.168.2.20), 64 hops max, 60 byte packets
>>  1  HQFirewallRS.com (10.0.128.1)  0.714 ms  0.806 ms  0.221 ms
>>  2  home (192.168.2.1)  25.260 ms  25.312 ms  25.868 ms
>>  3  192.168.2.20 (192.168.2.20)  36.477 ms  24.828 ms  24.903 ms
>>
>> sclark:~
>> $ sudo traceroute -I 192.168.2.1
>> traceroute to 192.168.2.1 (192.168.2.1), 64 hops max, 60 byte packets
>>  1  HQFirewallRS.com (10.0.128.1)  2.219 ms  1.889 ms  4.491 ms
>>  2  home (192.168.2.1)  26.172 ms  25.706 ms  24.981 ms
>>
>> Tracerouting to Linux never just gives a * * *, * * *, * * *, etc.
>>
>> -- 
>>
>> "They that give up essential liberty to obtain temporary safety,
>> deserve neither liberty nor safety."  (Ben Franklin)
>>
>> "The course of history shows that as a government grows, liberty
>> decreases."  (Thomas Jefferson)
>>
>>
>>
>> _______________________________________________
>> freebsd-stable at freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-stable
>> To unsubscribe, send any mail to "freebsd-stable-unsubscribe at freebsd.org"

Hi Holger,

Thanks for the reply. During my test I had the firewalls on all systems disabled.

The problem is the FreeBSD FW does not respond correctly even if I use the -I
option on traceroute, which uses ICMP packets instead of UDP packets.

And I agree it looks to be some kind of routing problem - I put a diag in the
FreeBSD kernel ip_input.c
		/* TTL exhausted in transit: send ICMP time exceeded and drop the packet */
		if (ip->ip_ttl <= IPTTLDEC) {
			icmp_error(m, ICMP_TIMXCEED, ICMP_TIMXCEED_INTRANS,
			    0, 0);
			return;
to make sure it was calling icmp_error - it was. I have complementary setups
on both the FreeBSD and Linux sides. It just seems that Linux handles things
better than FreeBSD.
E.g. when tracerouting from Linux to the internal address on the FreeBSD FW:
 >> traceroute 10.0.128.1
 >> traceroute to 10.0.128.1 (10.0.128.1), 30 hops max, 60 byte packets
 >>  1   (192.168.2.1)  0.473 ms  0.444 ms  0.427 ms
 >>  2  * * *
 >>  3  * * *
 >>  4  * * *
 >>  5  * * *
 >>  6  * * *
 >>  7  * * *
 >>  8  * * *
 >>  9  * * *
 >> 10  * * *
 >> 11  * * *
 >> 12  * *^C

But when tracerouting from FreeBSD to the internal address on the Linux FW:
 >> sudo traceroute 192.168.2.1
 >> traceroute to 192.168.2.1 (192.168.2.1), 64 hops max, 40 byte packets
 >>  1  HQFirewallRS.com (10.0.128.1)  8.069 ms  2.952 ms  4.050 ms
 >>  2  home (192.168.2.1)  26.338 ms  22.132 ms  24.233 ms

Much more meaningful results!
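Holger's description of how traceroute steps the TTL, and the ip_input.c check Stephen instrumented, can be put together in a small model that reproduces the shape of the two traces above. The following is an added example for this archive page, not code from the thread, from either poster, or from FreeBSD. The path, the per-TTL probe count, the 30-hop limit and above all the per-node flag saying whether a node's ICMP answer gets back to the prober are all constructed here; marking FW "A" as a node whose answer is lost on the return path is an assumption chosen to match Holger's tunnel-routing bullet and the posted "* * *" rows, not a finding about what was actually wrong in Stephen's setup.

```c
/* Added example (not from the thread or the FreeBSD sources): a model of how
 * traceroute builds its rows from per-hop ICMP answers, driven by the same
 * "ttl <= IPTTLDEC" decision the FreeBSD forwarding path makes. */
#include <stdio.h>
#include <string.h>

#define IPTTLDEC 1   /* amount each forwarding node subtracts, as in FreeBSD ip_input.c */
#define MAX_HOPS 30  /* traceroute default on the Linux side of the thread */
#define PROBES   3   /* probes per TTL before a row is printed as "* * *" */

/* One node on the path. reply_reaches_us is a per-node ASSUMPTION of this model:
 * 0 means the node generates its ICMP answer but that answer is never routed
 * back to the prober (e.g. the reply is not sent back through the tunnel). */
struct hop {
    const char *addr;
    int reply_reaches_us;
};

struct trace {
    int nhops;                  /* number of TTL rows produced */
    const char *who[MAX_HOPS];  /* replying address per row, NULL for "* * *" */
    int reached;                /* 1 once the destination's own answer came back */
};

/* Walk one probe along the path. Returns the index of the node whose answer
 * arrives back at the prober, or -1 if nothing comes back. *at_dest is set when
 * the probe was delivered to the last node, whether or not that node answered. */
static int forward_probe(const struct hop *path, int npath, int ttl, int *at_dest)
{
    *at_dest = 0;
    for (int i = 0; i < npath; i++) {
        if (i == npath - 1) {                 /* local delivery at the destination */
            *at_dest = 1;
            return path[i].reply_reaches_us ? i : -1;
        }
        /* Forwarding node: this is the ip_input.c check. With ttl <= IPTTLDEC the
         * node sends ICMP_TIMXCEED/ICMP_TIMXCEED_INTRANS and drops the packet. */
        if (ttl <= IPTTLDEC)
            return path[i].reply_reaches_us ? i : -1;
        ttl -= IPTTLDEC;                      /* otherwise decrement and forward */
    }
    return -1;
}

/* The traceroute loop: TTL 1, 2, 3, ... up to MAX_HOPS, PROBES tries per TTL,
 * stopping only when the destination's own answer comes back. */
static void run_trace(const struct hop *path, int npath, struct trace *t)
{
    memset(t, 0, sizeof *t);
    for (int ttl = 1; ttl <= MAX_HOPS; ttl++) {
        const char *answer = NULL;
        int at_dest = 0;
        for (int p = 0; p < PROBES && answer == NULL; p++) {
            int idx = forward_probe(path, npath, ttl, &at_dest);
            if (idx >= 0)
                answer = path[idx].addr;
        }
        t->who[t->nhops++] = answer;          /* NULL here prints as "* * *" */
        if (answer != NULL && at_dest) {
            t->reached = 1;
            break;
        }
    }
}

static void print_trace(const char *target, const struct trace *t)
{
    printf("traceroute to %s, %d hops max\n", target, MAX_HOPS);
    for (int i = 0; i < t->nhops; i++)
        printf("%2d  %s\n", i + 1, t->who[i] ? t->who[i] : "* * *");
}

/* Linux workstation -> FreeBSD workstation. FW "A" is modeled (assumption) as a
 * node whose time-exceeded answer does not get back; the destination answers. */
static void trace_to_freebsd_workstation(struct trace *t)
{
    static const struct hop path[] = {
        { "192.168.2.1", 1 },  /* Linux FW "B", internal side */
        { "10.0.128.1",  0 },  /* FreeBSD FW "A": answer assumed lost on the way back */
        { "10.0.129.1",  1 },  /* FreeBSD workstation, the destination */
    };
    run_trace(path, 3, t);
}

/* Linux workstation -> FW "A" internal address, same assumption about "A":
 * now "A" is the destination itself, so nothing ever ends the loop early. */
static void trace_to_freebsd_fw(struct trace *t)
{
    static const struct hop path[] = {
        { "192.168.2.1", 1 },
        { "10.0.128.1",  0 },
    };
    run_trace(path, 2, t);
}

int main(void)
{
    struct trace t;
    trace_to_freebsd_workstation(&t);
    print_trace("10.0.129.1", &t);
    trace_to_freebsd_fw(&t);
    print_trace("10.0.128.1", &t);
    return 0;
}
```

The first scenario gives one "* * *" row and then the destination, the second gives a single answering hop followed by "* * *" all the way to the hop limit, which is the difference Holger describes between a transit hop that stays silent and a destination that never answers. The model says nothing about why an answer is lost; swapping the flag on "A" is the only thing that changes between a clean trace and the posted ones, which is why routing of the reply packet is the first thing to check.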


