Bjoern A. Zeeb wrote:
> On Tue, 27 May 2008, Tom Judge wrote:
>
>> Hi,
>>
>> Yes, we do indeed see a reply from node b. It is good to hear that this is a known issue.
>>
>> The IPsec configuration is a gif ipip tunnel that is then encrypted with IPsec using ESP in tunnel mode, as per the IPsec VPN section in the handbook.
>
> 1) if you do not need the ipip tunnel because you need an interface
> and "link state changes", only go with the IPsec tunnel mode.
>
> 2) If you need the gif tunnel on top and routing, use IPsec transport
> mode.
>
> (ignore the handbook, try to understand it;)

I have 13 nodes in a partial mesh running OSPF for routing. It would not be trivial for me to switch from tunnel to transport mode. Also, I have not tested quagga when the IPsec is in transport mode, and I guess I do need interfaces to use with quagga. I may test fixing this additional overhead, but as they say, if it's not broken don't fix it.


>> Do you have any more information on the underlying source of the problem? If so, it would help me find the problem. I may set up a small test network to find this problem this evening, time permitting.
>
> a test network is not a problem. time is.



Please understand that I was not asking for you to fix this problem, just for some pointers into where to start looking. The reason I ask is that you seem to know in what region the error exists, and it would be helpful to me if you could tell me, so that I could try to find a solution to the problem myself. At a guess, the code that I need to look at is in icmp_error() or further down the ICMP transmit path (maybe icmp_reflect() or further?).


Thanks again.

Tom
_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
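The two layouts discussed in the thread side by side, as an added example that is not part of the original mail exchange or the FreeBSD handbook: a small POSIX sh script that emits the setkey(8) SPD entries for the handbook-style "gif inside ESP tunnel mode" configuration Tom describes, and for the "gif on top, ESP transport mode around the IP-in-IP traffic" configuration Bjoern suggests. All addresses and subnets are constructed placeholders (RFC 5737 and private ranges); the SAs themselves are assumed to be negotiated by an IKE daemon and are not shown.

```shell
#!/bin/sh
# Added example, not from the thread. Generates setkey(8) policy text for
# two ways of combining gif(4) with IPsec. Nothing here is applied to the
# kernel; pipe the output into `setkey -c` on a test box if you want to.

LOCAL_PUB=203.0.113.1       # constructed: this node's outer address
PEER_PUB=203.0.113.2        # constructed: peer's outer address
LOCAL_NET=10.1.0.0/24       # constructed: subnet behind this node
PEER_NET=10.2.0.0/24        # constructed: subnet behind the peer

# gif(4) interface carrying the routed traffic (and the OSPF adjacency).
# Same in both layouts; only the IPsec policy around it differs.
gif_setup() {
    cat <<EOF
ifconfig gif0 create
ifconfig gif0 tunnel $LOCAL_PUB $PEER_PUB
ifconfig gif0 inet 10.255.0.1 10.255.0.2 netmask 255.255.255.255
EOF
}

# Handbook-style layout: ESP in tunnel mode keyed on the inner subnets.
# The packet is encapsulated twice (gif IP-in-IP, then the ESP tunnel's
# outer IP header), so a reply ICMP error for an inner packet has to be
# reflected back through two layers of encapsulation.
spd_tunnel_mode() {
    cat <<EOF
spdadd $LOCAL_NET $PEER_NET any -P out ipsec esp/tunnel/$LOCAL_PUB-$PEER_PUB/require;
spdadd $PEER_NET $LOCAL_NET any -P in ipsec esp/tunnel/$PEER_PUB-$LOCAL_PUB/require;
EOF
}

# Suggested layout: keep gif(4) as the routing interface and protect only
# the IP-in-IP (protocol 4, "ip4" in setkey) traffic between the outer
# addresses with ESP in transport mode. One encapsulation less, and the
# routing daemon still has an interface and link state to work with.
spd_transport_mode() {
    cat <<EOF
spdadd $LOCAL_PUB $PEER_PUB ip4 -P out ipsec esp/transport//require;
spdadd $PEER_PUB $LOCAL_PUB ip4 -P in ipsec esp/transport//require;
EOF
}

# Print both policy sets with headings so they can be compared.
show_both() {
    echo "# gif(4) interface (common to both layouts)"
    gif_setup
    echo "# layout 1: ESP tunnel mode around the inner subnets (handbook)"
    spd_tunnel_mode
    echo "# layout 2: ESP transport mode around the ip4 traffic (suggested)"
    spd_transport_mode
}

show_both
```

The transport-mode policies match on upper-layer protocol `ip4` between the two outer addresses, so every gif-encapsulated packet (and nothing else between the peers) is forced through ESP; the tunnel-mode policies match on the inner subnets instead and add their own outer IP header. Note that neither layout needs a per-subnet policy once OSPF runs over gif0, because the routing table decides what enters the tunnel.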
