The short answer is no, not over IPSec. You could change your IPSec filter to only match TCP traffic, but that's not a feasible solution if you need to IPSec-protect ALL traffic.
Without IPSec in the picture, traceroute works by sending a UDP packet from 128.164.144.144 to 128.164.159.159 with an ephemeral port for source and dest. It sets the TTL to 1 and sends the packet out. The first hop (your gateway) gets the packet and responds with the ICMP time exceeded message. The ICMP message contains the original UDP packet. Your source gets the packet and passes it to traceroute. Traceroute finds the original src and dest ports and makes sure that they match the packet he sent out before he posts the gateway IP and round trip time to the screen.

With IPSec in the picture, things change. When traceroute sends the UDP packet out, the ESP header is inserted after the IP header, and the protocol is changed from 17 (UDP) to 50 (ESP). When the gateway gets the packet, it responds with the ICMP message. But this time when your source gets it, traceroute tries to compare the original src/dest ports with the incoming src/dest ports and they don't match (because it's not accounting for this ESP header... and the UDP packet is likely encrypted anyway). He tosses the packet and continues to wait until the timeout is hit. Every hop between your src and dest will fail this way.

You will finally receive good data when we get to your destination because his stack undoes the IPSec stuff and the stack processes the original UDP packet. This time when the stack sends back the ICMP message "Port Unreachable", the src/dest ports will match with what traceroute expects and you get the expected output.
Hope that helps,
Grant

Jason Mader-3 wrote:
>
> I've got really simple transport mode IPSec setup between two hosts:
>
> [ipsec.conf]
> ike ah transport from 128.164.144.144 to 128.164.159.159 main auth
> hmac-sha2-256 group modp1536 quick group modp1536
>
> Though traceroute from one host to the other fails at the gateway,
> despite the gateway responding,
> 128.164.144.189 > dns1: icmp: time exceeded in-transit [tos 0xc0]
> (ttl 255, id 12234, len 56)
>
> traceroute to dns2 (128.164.159.159), 64 hops max, 40 byte packets
>  1 * * *
>  2 dns2 (128.164.159.159) 0.752 ms 0.648 ms 0.604 ms
>
> Is there anything I could be doing differently so that the traceroute
> works?
>
>
> --
> View this message in context: http://www.nabble.com/IPSec-transport-mode-and-traceroute-tp15316278p15618006.html
> Sent from the openbsd user - misc mailing list archive at Nabble.com.
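The matching step Grant describes, worked through on the bytes, as an added example that is not part of the thread and not code from OpenBSD's traceroute. It builds the UDP probe, wraps it the way transport-mode ESP would (protocol 50, SPI and sequence number where the UDP header used to be, the rest opaque), generates the ICMP error each hop would send (which quotes the offending IP header plus the first 8 bytes after it, per RFC 792), and then applies traceroute's acceptance test: quoted protocol must be UDP and the quoted ports must equal the probe's. The addresses are the ones from the thread; the ports, SPI and "ciphertext" are constructed. The example follows Grant's ESP description; with the AH policy actually shown in the quoted ipsec.conf the quoted header would carry protocol 51 and an AH header in that slot, and the port comparison fails for the same reason.

```python
"""Why a gateway's ICMP "time exceeded" does not match traceroute's probe when
the probe left the host under IPsec.  Constructed example; the ports, SPI and
ciphertext bytes are made up, only the addresses come from the thread."""
import socket
import struct

UDP, ESP = 17, 50
ICMP_TIME_EXCEEDED, ICMP_DEST_UNREACH, PORT_UNREACH = 11, 3, 3


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum (odd-length input is zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int) -> bytes:
    """Minimal 20-byte IPv4 header with its checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def udp_probe(src: str, dst: str, sport: int, dport: int, ttl: int = 1) -> bytes:
    """What traceroute hands to the stack: 20-byte IP + 8-byte UDP + 12 bytes payload."""
    payload = b"\x00" * 12
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    return ipv4_header(src, dst, UDP, len(udp), ttl) + udp


def esp_encapsulate(probe: bytes, spi: int, seq: int) -> bytes:
    """Transport-mode ESP as seen on the wire: the IP header now says protocol 50,
    the ESP header (SPI, sequence) sits where UDP used to be, and the UDP header
    and payload are ciphertext (an XOR stand-in here, not real encryption)."""
    ihl = (probe[0] & 0x0F) * 4
    ciphertext = bytes(b ^ 0x5A for b in probe[ihl:])
    esp = struct.pack("!II", spi, seq) + ciphertext
    src, dst = socket.inet_ntoa(probe[12:16]), socket.inet_ntoa(probe[16:20])
    return ipv4_header(src, dst, ESP, len(esp), probe[8]) + esp


def icmp_error(icmp_type: int, code: int, offending: bytes) -> bytes:
    """ICMP error quoting the offending IP header plus its first 8 payload bytes."""
    body = struct.pack("!BBHI", icmp_type, code, 0, 0) + offending[:28]
    return body[:2] + struct.pack("!H", checksum(body)) + body[4:]


def match_probe(icmp_msg: bytes, sport: int, dport: int):
    """traceroute's acceptance test: the quoted datagram must be UDP and carry
    the ports of the probe we sent.  Returns (matched, reason)."""
    if icmp_msg[0] not in (ICMP_TIME_EXCEEDED, ICMP_DEST_UNREACH):
        return False, "not a time-exceeded or unreachable message"
    quoted = icmp_msg[8:]
    if len(quoted) < 28:
        return False, "quoted datagram too short"
    ihl = (quoted[0] & 0x0F) * 4
    proto = quoted[9]
    if proto != UDP:
        return False, "quoted datagram is protocol %d, not UDP" % proto
    q_sport, q_dport = struct.unpack("!HH", quoted[ihl:ihl + 4])
    if (q_sport, q_dport) != (sport, dport):
        return False, "quoted ports %d->%d do not match" % (q_sport, q_dport)
    return True, "match"


def walk(src: str, dst: str, sport: int, dport: int) -> dict:
    """The three replies from the thread, each run through traceroute's test."""
    probe = udp_probe(src, dst, sport, dport)
    on_wire = esp_encapsulate(probe, spi=0x1000, seq=1)   # constructed SPI/seq
    return {
        # gateway, no IPsec: quotes the UDP datagram, ports visible
        "gateway_plain": match_probe(icmp_error(ICMP_TIME_EXCEEDED, 0, probe), sport, dport),
        # gateway, IPsec: quotes the ESP datagram, ports not visible
        "gateway_ipsec": match_probe(icmp_error(ICMP_TIME_EXCEEDED, 0, on_wire), sport, dport),
        # destination: its stack undid ESP, then found no listener on dport
        "dest_port_unreach": match_probe(icmp_error(ICMP_DEST_UNREACH, PORT_UNREACH, probe), sport, dport),
    }


if __name__ == "__main__":
    for hop, (ok, why) in walk("128.164.144.144", "128.164.159.159", 40000, 33434).items():
        print("%-18s %-5s %s" % (hop, ok, why))
```

Running it prints a match for the plain gateway reply and for the destination's port-unreachable, and a "protocol 50, not UDP" rejection for the gateway reply under IPsec, which is the `* * *` at hop 1. Note that even if traceroute skipped the protocol check, the four bytes at the port offset would be the SPI, so the port comparison still fails.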

