On 09/16/2010 09:00 AM, Vladimir Grigorov wrote:
> Greetings all.
>
> I have strange problems related to the passage of ICMP need-frag packets
> and, as a result, of all packets with packet length greater than the
> output gif MTU.
>
> Network diagram:
>
> [HostA] -- (mtu 1500) --- [FW1] --- ipsec gif mtu 1280 <-gif1 -- [FW2] - gif0 -> ipsec gif mtu 6100 - [FW3] -(mtu 1500) - [HostB]
>
> All FW's - FreeBSD hosts
> HostA - FreeBSD host
> HostB - Cisco 3750e switch in L3 mode
>
> HostA can reach HostB and vice versa. Ping with length above 1280 works fine
> (pmtu = 1280). Ping with len=1281 without DF bit also works fine. But ping
> with mtu 1281 fails.
>
> Question: Why does FW2 not send an ICMP need-fragment-but-DF-set message to
> HostB?
>

If you take a look at icmp_error() in sys/netinet/ip_icmp.c you will see
that ICMP errors are not sent for packets that have previously been
decrypted by IPSec. I have a feeling that this is because icmp_reflect()
will not use the correct output path, but I may be, and most probably am,
wrong. Bjoern (CC'd) can probably shed more light on it. I am willing to
spend some time on the fix for this if someone could give me a gentle nudge
in the right direction.

> I tried to permit ICMP from all interfaces on FW2, and to explicitly send
> unreachable packets for all IP packets from a defined source IP - nothing
> happens. I see increased packet counts related to my source IP, but can't
> see response ICMPs with unreachable code.
>
> uname -a
> FreeBSD fw2-mru.astrum-nival.com 8.0-RELEASE-p3 FreeBSD 8.0-RELEASE-p3 #3: Thu Jul 1 18:24:35 MSD 2010 r...@fw2-mru.astrum-nival.com:/usr/obj/usr/src/sys/gw amd64
>
> ifconfig gif0
> gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 6100
>         tunnel inet 217.69.143.28 --> 217.69.143.57
>         inet 10.192.224.5 --> 10.192.224.6 netmask 0xfffffffc
>         options=1<ACCEPT_REV_ETHIP_VER>
>
> ifconfig gif1
> gif1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1280
>         tunnel inet 217.69.143.28 --> 88.212.205.166
>         inet 10.160.192.6 --> 10.160.192.5 netmask 0xfffffffc
>         options=1<ACCEPT_REV_ETHIP_VER>
>
> netstat -nr | grep 192.168.224
> 192.168.224.0/22   10.192.224.6   UG1   0   36031303   gif0
>
> netstat -nr | grep 192.168.160.
> 192.168.160.0/24   10.160.192.5   UG1   0   10969867   gif1
>
> # ipfw show
> 00006            10            6505 allow icmp from any to 192.168.225.1 via gif0
> 00100      10524445      1225052712 allow ip from any to any via lo0
> 00200             0               0 deny ip from any to 127.0.0.0/8
> 00300             0               0 deny ip from 127.0.0.0/8 to any
> 00305          2054          433651 allow icmp from any to any via gif0 icmptypes 3,11
> 00306             0               0 allow icmp from any to 192.168.225.1 via gif0
> 00310          6960          575159 nat 220 ip from table(10) to any via vlan220
> 00315          1198           70832 deny ip from not me to 192.168.66.0/23 out xmit vlan220
> 00320          6512         1611912 nat 220 ip from 192.168.66.0/23 to 192.168.13.199 in recv vlan220
> 00400     114560294      8963623578 nat 123 ip from 192.168.196.0/24 to any out via vlan506
> 00402      36831424      2199804860 nat 123 ip from 192.168.193.0/24 to any out via vlan506
> 00403        153380         9265905 nat 123 ip from 192.168.197.0/24 to any out via vlan506
> 00500             0               0 nat 123 ip from any to 195.211.130.9 in via vlan506
> 00501     147593882    174870597871 nat 123 ip from any to 195.211.130.9 in via vlan500
> 01100             0               0 allow tcp from table(21) to table(23) dst-port 29000
> 01110             0               0 deny tcp from table(22) to table(23) dst-port 29000
> 01120             3             144 deny tcp from table(20) to table(23) dst-port 29000
> 65530  589120438508 133855063718386 allow ip from any to any
> 65535             0               0 deny ip from any to any
>
> Try to ping from the Cisco:
>
> c3750e.gldn#ping 192.168.160.248 source 192.168.225.1 repea 5 size 1281 df
>
> Type escape sequence to abort.
> Sending 5, 1281-byte ICMP Echos to 192.168.160.248, timeout is 2 seconds:
> Packet sent with a source address of 192.168.225.1
> Packet sent with the DF bit set
> .....
> Success rate is 0 percent (0/5)
>
> tcpdump on gif0 (large mtu before small mtu gif)
>
> [r...@fw2-mru ~]# tcpdump -i gif0 -vvv -n host 192.168.225.1
> tcpdump: listening on gif0, link-type NULL (BSD loopback), capture size 96 bytes
> 17:55:54.006210 IP (tos 0x0, ttl 254, id 805, offset 0, flags [DF], proto ICMP (1), length 1281)
>     192.168.225.1 > 192.168.160.248: ICMP echo request, id 161, seq 0, length 1261
> 17:55:56.013039 IP (tos 0x0, ttl 254, id 806, offset 0, flags [DF], proto ICMP (1), length 1281)
>     192.168.225.1 > 192.168.160.248: ICMP echo request, id 161, seq 1, length 1261
> 17:55:58.015870 IP (tos 0x0, ttl 254, id 807, offset 0, flags [DF], proto ICMP (1), length 1281)
>     192.168.225.1 > 192.168.160.248: ICMP echo request, id 161, seq 2, length 1261
> 17:56:00.020833 IP (tos 0x0, ttl 254, id 808, offset 0, flags [DF], proto ICMP (1), length 1281)
>     192.168.225.1 > 192.168.160.248: ICMP echo request, id 161, seq 3, length 1261
> 17:56:02.027756 IP (tos 0x0, ttl 254, id 809, offset 0, flags [DF], proto ICMP (1), length 1281)
>     192.168.225.1 > 192.168.160.248: ICMP echo request, id 161, seq 4, length 1261
> ^C
> 5 packets captured
> 99753 packets received by filter
> 0 packets dropped by kernel
>
> tcpdump on gif1 (small mtu on route to destination)
>
> (nothing)
>
> But if I omit df on the Cisco:
>
> [r...@fw2-mru ~]# tcpdump -i gif1 -vvv -n host 192.168.225.1
> tcpdump: listening on gif1, link-type NULL (BSD loopback), capture size 96 bytes
> 17:59:03.083053 IP (tos 0x0, ttl 253, id 815, offset 0, flags [+], proto ICMP (1), length 1276)
>     192.168.225.1 > 192.168.160.248: ICMP echo request, id 163, seq 0, length 1256
> 17:59:03.083147 IP (tos 0x0, ttl 253, id 815, offset 1256, flags [none], proto ICMP (1), length 25)
>     192.168.225.1 > 192.168.160.248: icmp
> 17:59:03.090882 IP (tos 0x0, ttl 253, id 816, offset 0, flags [+], proto ICMP (1), length 1276)
>     192.168.225.1 > 192.168.160.248: ICMP echo request, id 163, seq 1, length 1256
> 17:59:03.090976 IP (tos 0x0, ttl 253, id 816, offset 1256, flags [none], proto ICMP (1), length 25)
>     192.168.225.1 > 192.168.160.248: icmp
> 17:59:03.097254 IP (tos 0x0, ttl 253, id 817, offset 0, flags [+], proto ICMP (1), length 1276)
>     192.168.225.1 > 192.168.160.248: ICMP echo request, id 163, seq 2, length 1256
> 17:59:03.097346 IP (tos 0x0, ttl 253, id 817, offset 1256, flags [none], proto ICMP (1), length 25)
>     192.168.225.1 > 192.168.160.248: icmp
> 17:59:03.105749 IP (tos 0x0, ttl 253, id 818, offset 0, flags [+], proto ICMP (1), length 1276)
>     192.168.225.1 > 192.168.160.248: ICMP echo request, id 163, seq 3, length 1256
> 17:59:03.105844 IP (tos 0x0, ttl 253, id 818, offset 1256, flags [none], proto ICMP (1), length 25)
>     192.168.225.1 > 192.168.160.248: icmp
> 17:59:03.115617 IP (tos 0x0, ttl 253, id 819, offset 0, flags [+], proto ICMP (1), length 1276)
>     192.168.225.1 > 192.168.160.248: ICMP echo request, id 163, seq 4, length 1256
> 17:59:03.115707 IP (tos 0x0, ttl 253, id 819, offset 1256, flags [none], proto ICMP (1), length 25)
>     192.168.225.1 > 192.168.160.248: icmp
>
> i.e. destination reachable, fragmentation works, routes symmetrical.
>
> Any comments?
>

Good Luck
Tom
--
TJU13-ARIN
_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"