Re: DF (Don't frag) issues

From: Andre Oppermann <andre_at_freebsd.org>
Date: Mon, 02 May 2005 20:41:36 +0200
Matthew Sullivan wrote:
> Andre Oppermann wrote:
> 
>> Matthew Sullivan wrote:
>>
>>> Andre Oppermann wrote:
>>>
>>>> Matthew Sullivan wrote:
>>>>
>>>>> Give me the switches you want on tcpdump and I'll be happy to 
>>>>> provide the packets ;-)
>>>>
>>>> This should do the trick:
>>>>
>>>>  tcpdump -n -p -i fxp0 -s 128 -w dump
>>>>
>>> Ok this is what you have:
>>>
>>> root_at_scorpion:~# tcpdump -n -p -i fxp0 -s 128 -w pktdump not port 24
>>>
>>> and it's at: http://scorpion.sorbs.net/ICMP/pktdump
>>
>> Ok, this is the problem:
>>
>>  MTU of next hop: 0
>>
>> Have you installed my patch on the gateway machine too, or only on your
>> host?
> 
> Patch is on both servers (the VPN server and the host the dump is from).
> 
>>
>> MTU of next hop should not be zero under normal circumstances.  It indicates
>> a bug somewhere in the normal IP forwarding path.
>>
>> Is this the correct packet flow:
>>
>>  ... --> dc0 --> gif0 --> IPSec --> fxp0 --> Internet --> ...
>>
> That is correct for the VPN server.
> 
> ifconfig for the VPN server as follows:
> fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>        options=8<VLAN_MTU>
>        inet 203.101.254.252 netmask 0xffffff00 broadcast 203.101.254.255
>        inet6 fe80::290:27ff:fec2:4977%fxp0 prefixlen 64 scopeid 0x1
>        ether 00:90:27:c2:49:77
>        media: Ethernet autoselect (100baseTX <full-duplex>)
>        status: active
> dc0: flags=108843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>        options=8<VLAN_MTU>
>        inet 203.15.51.61 netmask 0xffffffe0 broadcast 203.15.51.63
>        inet6 fe80::2a0:cff:fec0:cc23%dc0 prefixlen 64 scopeid 0x2
>        ether 00:a0:0c:c0:cc:23
>        media: Ethernet autoselect (100baseTX <full-duplex>)
>        status: active
> plip0: flags=108810<POINTOPOINT,SIMPLEX,MULTICAST> mtu 1500
> lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
>        inet 127.0.0.1 netmask 0xff000000
>        inet6 ::1 prefixlen 128
>        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
> gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
>        tunnel inet 203.101.254.252 --> 138.130.223.244
>        tunnel inet6 203.101.254.252 --> 138.130.223.244
>        inet 203.15.51.61 --> 192.168.1.2 netmask 0xffffff00
>        inet6 fe80::290:27ff:fec2:4977%gif0 prefixlen 64 scopeid 0x5
> 
> FreeBSD stealth.sorbs.net 6.0-CURRENT FreeBSD 6.0-CURRENT #1: Fri Apr 29 
> 17:50:25 EST 2005     
> root_at_stealth.sorbs.net:/usr/obj/usr/src/sys/STEALTH  i386

I'm at a loss for an explanation.  I've recreated approximately the same
setup with the gif tunnel (but no IPSec) and it works just fine for me.
Getting correct MTU back and everything.

What is your IPSec setup?  Could it be that you do the IPSec on the IP
packet first before it goes into the gif tunnel instead of the other
way around?  That may explain this behaviour.

-- 
Andre
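The "MTU of next hop: 0" value discussed above is the Next-Hop MTU field of the ICMP Fragmentation Needed message (type 3, code 4; RFC 1191). As an added example, not part of this thread or of FreeBSD, the Python below parses such a message from raw bytes, reports the field, and applies the RFC 1191 plateau fallback a host uses when the field is zero; the packet builder and its RFC 5737 documentation addresses are constructed sample input.

```python
import struct
from dataclasses import dataclass
from typing import Optional

ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED = 3, 4
# RFC 1191 section 7.1 plateau table: the fallback when Next-Hop MTU is zero.
PLATEAUS = (65535, 32000, 17914, 8166, 4352, 2002, 1492, 1006, 508, 296, 68)


@dataclass
class FragNeeded:
    next_hop_mtu: int           # as reported by the router; 0 is what this thread saw
    orig_total_len: int         # total length of the dropped datagram (echoed header)
    orig_dst: str
    plateau_mtu: Optional[int]  # RFC 1191 fallback, set only when next_hop_mtu == 0


def parse_frag_needed(pkt: bytes) -> FragNeeded:
    """Parse IPv4 + ICMP type 3 code 4 and report the Next-Hop MTU field."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 1:
        raise ValueError("not ICMP")
    icmp = pkt[ihl:]
    if len(icmp) < 8 + 20:
        raise ValueError("ICMP message too short to carry the original IP header")
    # ICMP header: type(1) code(1) checksum(2) unused(2) next-hop MTU(2)
    icmp_type, code, _csum, _unused, next_hop_mtu = struct.unpack("!BBHHH", icmp[:8])
    if (icmp_type, code) != (ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED):
        raise ValueError(f"not Fragmentation Needed (type {icmp_type} code {code})")
    inner = icmp[8:]  # echoed IP header of the datagram that was dropped
    orig_total_len = struct.unpack("!H", inner[2:4])[0]
    orig_dst = ".".join(str(b) for b in inner[16:20])
    plateau = None
    if next_hop_mtu == 0:
        # RFC 1191 s.5: no MTU reported, so step down to the next plateau below the size.
        plateau = next((p for p in PLATEAUS if p < orig_total_len), PLATEAUS[-1])
    return FragNeeded(next_hop_mtu, orig_total_len, orig_dst, plateau)


def build_frag_needed(next_hop_mtu: int, orig_len: int) -> bytes:
    """Constructed sample packet (RFC 5737 addresses, checksums left zero)."""
    inner = struct.pack("!BBHHHBBH4s4s", 0x45, 0, orig_len, 0, 0x4000, 64, 6, 0,
                        bytes([192, 0, 2, 10]), bytes([198, 51, 100, 2]))
    icmp = struct.pack("!BBHHH", ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, 0, 0,
                       next_hop_mtu) + inner + b"\0" * 8
    outer = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                        bytes([192, 0, 2, 1]), bytes([192, 0, 2, 10]))
    return outer + icmp
```

A message reporting 1280 (the gif0 MTU in the ifconfig output above) is what a correctly working forwarding path should produce; a zero field forces the host onto the plateau table instead.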
Received on Mon May 02 2005 - 16:41:39 UTC