Julian Elischer wrote:
Stephen Clark wrote:
Stephen Clark wrote:


10.0.129.1 FreeBSD workstation
 ^
 |
 | ethernet
 |
 v
10.0.128.1 Freebsd FW "A"
 ^
 |
 | gre / ipsec
 |
 v
192.168.3.1 FreeBSD FW "B"
 ^
 |
 | ethernet
 |
 v
192.168.3.86 linux workstation


Also just using gre's without the underlying ipsec tunnels seems to
work properly.


This is the crux of the matter.
IPSEC happens INSIDE the IP stack. The IP stack is responsible for
the ICMP generation so it is much more likely that there is an interaction there.

Now is there an IPSEC rule to make sure that the ICMP packet can get back? It could be that in the IP stack there is some confusion as to whether the return packet should be encrypted or not, and it might get dropped.

The code involved is in /sys/netinet and /sys/netipsec, but you'll
probably regret looking in there ;-)





Another data point: I had been using option FILTER_GIF. I tried a kernel
without that option and it behaved the same.

Steve


I agree. I put a diag in ip_input.c:

        /* sys/netinet/ip_input.c: TTL would expire in transit */
        if (ip->ip_ttl <= IPTTLDEC) {
                icmp_error(m, ICMP_TIMXCEED, ICMP_TIMXCEED_INTRANS, 0, 0);
                return;
        }
and sure enough it is calling icmp_error, but I think it can't figure out
how to route the packet back. I've been looking at my SPD to see if I can make some adjustment to the policy that would help.
--

"They that give up essential liberty to obtain temporary safety,
deserve neither liberty nor safety."  (Ben Franklin)

"The course of history shows that as a government grows, liberty
decreases."  (Thomas Jefferson)
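The question raised in this thread, whether the SPD covers the ICMP time-exceeded that FW "B" sends back to the tracerouting workstation, can be checked against a toy model of policy lookup. The block below is an added example and is not code from the thread or from FreeBSD. The addresses are taken from the diagram; the policies, their ordering, first-match semantics, and the assumption that FW "B" sources the ICMP from its own 192.168.3.1 address and that it is evaluated as plain ICMP rather than inside GRE are all illustrative assumptions, not the poster's real SPD or the kernel's exact matching rules.

```python
# Added example (not from the thread): a toy IPsec SPD lookup used to ask
# "does the SPD cover the ICMP reply?".  Addresses come from the diagram;
# the policies, their ordering and first-match semantics are ASSUMPTIONS
# for illustration, not the poster's SPD or the FreeBSD kernel's rules.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Policy:
    src: str        # selector prefix, e.g. "192.168.3.1/32"
    dst: str
    proto: str      # "gre", "icmp", "udp" or "any"
    direction: str  # "in" or "out"
    action: str     # "ipsec", "none" or "discard"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    direction: str


def policy_matches(policy: Policy, pkt: Packet) -> bool:
    """True if the packet falls inside the policy's traffic selector."""
    return (
        policy.direction == pkt.direction
        and policy.proto in ("any", pkt.proto)
        and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(policy.src)
        and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(policy.dst)
    )


def lookup(spd: List[Policy], pkt: Packet) -> Optional[Policy]:
    """First matching policy in listed order (assumed ordering), or None."""
    for policy in spd:
        if policy_matches(policy, pkt):
            return policy
    return None


def covered_by_ipsec(spd: List[Policy], pkt: Packet) -> bool:
    """True only if some policy matches and that policy says 'ipsec'."""
    policy = lookup(spd, pkt)
    return policy is not None and policy.action == "ipsec"


# Constructed SPD for FW "B" (192.168.3.1 in the diagram): only the GRE
# carrier between the two firewalls is protected.  Whether the poster's
# SPD looks like this is an assumption.
GRE_ONLY_SPD = [
    Policy("192.168.3.1/32", "10.0.128.1/32", "gre", "out", "ipsec"),
    Policy("10.0.128.1/32", "192.168.3.1/32", "gre", "in", "ipsec"),
]

# Hypothetical extension: also cover ICMP that FW "B" itself sends toward
# the far side's workstation LAN, e.g. a traceroute time-exceeded.
WITH_ICMP_SPD = GRE_ONLY_SPD + [
    Policy("192.168.3.1/32", "10.0.129.0/24", "icmp", "out", "ipsec"),
]

# Constructed packets on FW "B"'s outbound side.
GRE_CARRIER = Packet("192.168.3.1", "10.0.128.1", "gre", "out")
# ICMP time-exceeded sourced from FW "B"'s own address (assumption) and
# addressed to the tracerouting workstation, evaluated as plain ICMP.
TIME_EXCEEDED = Packet("192.168.3.1", "10.0.129.1", "icmp", "out")


def audit(spd: List[Policy]) -> dict:
    """Report, per constructed packet, whether the SPD protects it."""
    return {
        "gre_carrier": covered_by_ipsec(spd, GRE_CARRIER),
        "time_exceeded": covered_by_ipsec(spd, TIME_EXCEEDED),
    }


if __name__ == "__main__":
    for name, spd in (("gre-only", GRE_ONLY_SPD), ("with-icmp", WITH_ICMP_SPD)):
        print(name, audit(spd))
```

With the GRE-only SPD the carrier packet is covered but the ICMP reply matches nothing, which is the kind of gap to look for when inspecting the real SPD; the extended SPD shows the shape of a selector that would cover it. Whether the reply actually leaves FW "B" as plain ICMP or inside GRE depends on the firewall's routing, which this model does not reproduce.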


_______________________________________________
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable