On Fri, 2008-11-14 at 10:25 -0800, Julian Elischer wrote: > Stephen Clark wrote: > > Stephen Clark wrote: > > >>>>> > >>>>> 10.0.129.1 FreeBSD workstation > >>>>> ^ > >>>>> | > >>>>> | ethernet > >>>>> | > >>>>> v > >>>>> 10.0.128.1 Freebsd FW "A" > >>>>> ^ > >>>>> | > >>>>> | gre / ipsec > >>>>> | > >>>>> v > >>>>> 192.168.3.1 FreeBSD FW "B" > >>>>> ^ > >>>>> | > >>>>> | ethernet > >>>>> | > >>>>> v > >>>>> 192.168.3.86 linux workstation > >>>>> > > >> Also just using gre's without the > >> underlying ipsec tunnels seems to > >> work properly. > > > This is the crux of the matter. > IPSEC happens INSIDE the IP stack. The IP stack is responsible for > the ICMP generation so it is much more likely that there is an > interaction there. > > Now is there an IPSEC rule to make sure that the ICMP packet can get > back? It could b ehtat in teh IP stack there is some confusion as to > whether the return packet should be encrypted or not and it might get > dropped. > > the code involved is in /sys/netinet and /sys/netipsec but you'll > probably regret looking in there ;-)
Right, I don't really know the IPSEC code, but I was told by someone who is familiar with it that this is a known problem and that the use of GRE is not relevant. Hopefully he will have a moment to respond to this thread with a bit more detail. robert. > > > >> > >> > > Another data point I had been using option FILTER_GIF I tried a kernel > > without that option and it behaved the same. > > > > Steve > > >
signature.asc
Description: This is a digitally signed message part
