FreeBSD 6.3 gre and traceroute

Robert Noland rnoland at FreeBSD.org
Fri Nov 14 10:57:28 PST 2008


On Fri, 2008-11-14 at 10:25 -0800, Julian Elischer wrote:
> Stephen Clark wrote:
> > Stephen Clark wrote:
> 
> >>>>>
> >>>>> 10.0.129.1 FreeBSD workstation
> >>>>>  ^
> >>>>>  |
> >>>>>  | ethernet
> >>>>>  |
> >>>>>  v
> >>>>> 10.0.128.1 Freebsd FW "A"
> >>>>>  ^
> >>>>>  |
> >>>>>  | gre / ipsec
> >>>>>  |
> >>>>>  v
> >>>>> 192.168.3.1 FreeBSD FW "B"
> >>>>>  ^
> >>>>>  |
> >>>>>  | ethernet
> >>>>>  |
> >>>>>  v
> >>>>> 192.168.3.86 linux workstation
> >>>>>
> 
> >> Also just using gre's without the 
> >> underlying ipsec tunnels seems to
> >> work properly.
> 
> 
> This is the crux of the matter.
> IPSEC happens INSIDE the IP stack. The IP stack is responsible for
> the ICMP generation so it is much more likely that there is an 
> interaction there.
> 
> Now is there an IPSEC rule to make sure that the ICMP packet can get 
> back?  It could be that in the IP stack there is some confusion as to 
> whether the return packet should be encrypted or not and it might get 
> dropped.
> 
> the code involved is in /sys/netinet and /sys/netipsec but you'll
> probably regret looking in there ;-)

Right, I don't really know the IPSEC code, but I was told by someone who
is familiar with it that this is a known problem and that the use of GRE
is not relevant.  Hopefully he will have a moment to respond to this
thread with a bit more detail.

robert.

> 
> 
> >>
> >>
> > Another data point I had been using option FILTER_GIF I tried a kernel
> > without that option and it behaved the same.
> > 
> > Steve
> > 
> 
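The hypothesis in Julian's message above (that the ICMP time-exceeded reply may leave the stack without being encrypted and is then dropped on the way back) is something one can look for in a packet capture on the outer side of the tunnel. The following Python script is an added example, not code from this thread or from FreeBSD: it parses tcpdump-style text lines and flags any cleartext ICMP error that a tunnel endpoint addressed to a host behind the far end of the tunnel. The sample capture lines, the protected-network definition and the endpoint set are constructed assumptions based on the addresses in the diagram.

```python
import ipaddress
import re

# Constructed sample of tcpdump's default text output as it might look on the
# wire between FW "A" (10.0.128.1) and FW "B" (192.168.3.1) from the diagram
# above. These lines are made up for this example, not taken from the thread.
SAMPLE_CAPTURE = """\
10:00:01.000101 IP 10.0.128.1 > 192.168.3.1: ESP(spi=0x00001001,seq=0x10), length 116
10:00:01.000250 IP 192.168.3.1 > 10.0.129.1: ICMP time exceeded in-transit, length 36
10:00:01.010101 IP 10.0.128.1 > 192.168.3.1: ESP(spi=0x00001001,seq=0x11), length 116
10:00:01.010300 IP 192.168.3.1 > 10.0.128.1: ESP(spi=0x00001002,seq=0x20), length 100
10:00:02.000000 IP 192.168.3.1 > 10.0.128.1: ICMP echo reply, id 1, seq 1, length 64
"""

# Assumed topology (from the diagram): hosts behind FW "A" whose traffic is
# supposed to travel inside the IPsec tunnel, and the two tunnel endpoints.
PROTECTED_NETS = [ipaddress.ip_network("10.0.129.0/24")]
TUNNEL_ENDPOINTS = {"10.0.128.1", "192.168.3.1"}

LINE_RE = re.compile(r"^(?P<ts>\S+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): (?P<info>.*)$")
ICMP_ERROR_WORDS = ("time exceeded", "unreachable")


def parse_line(line):
    """Return a dict for one tcpdump line, or None for lines we do not model."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    info = rec["info"]
    if info.startswith("ESP("):
        rec["kind"] = "esp"
    elif info.startswith("ICMP "):
        rec["kind"] = "icmp_error" if any(w in info for w in ICMP_ERROR_WORDS) else "icmp"
    else:
        rec["kind"] = "other"
    return rec


def is_protected(addr):
    """True if addr belongs to a network that should only be reached via the tunnel."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PROTECTED_NETS)


def audit_capture(text):
    """Count ESP packets and flag cleartext ICMP errors aimed at protected hosts.

    An ICMP error that a tunnel endpoint sends to a protected inner address
    in the clear on the outer wire never entered the ESP tunnel. That is the
    symptom the thread suspects: such a reply is likely to be dropped before
    it reaches the traceroute sender, so the hop shows up as "* * *".
    """
    counts = {"esp": 0, "icmp": 0, "icmp_error": 0, "other": 0}
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        counts[rec["kind"]] += 1
        if (rec["kind"] == "icmp_error"
                and rec["src"] in TUNNEL_ENDPOINTS
                and is_protected(rec["dst"])):
            findings.append({
                "ts": rec["ts"], "src": rec["src"], "dst": rec["dst"],
                "reason": "ICMP error to protected host sent outside the ESP tunnel",
            })
    return {"counts": counts, "findings": findings}


if __name__ == "__main__":
    result = audit_capture(SAMPLE_CAPTURE)
    print("packet counts:", result["counts"])
    for f in result["findings"]:
        print(f"{f['ts']} {f['src']} -> {f['dst']}: {f['reason']}")
```

On the constructed sample the script reports three ESP packets and one finding: the time-exceeded reply from 192.168.3.1 to 10.0.129.1 appears in the clear, so it was generated after (or outside) the IPsec output path. Running the same check against a real capture taken with `tcpdump` on the outer interface of either firewall gives a direct answer to whether the return ICMP ever entered the tunnel, independent of whether GRE is in use.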