Netgate Discussion Forum
    ICMP traceroute succeeds but UDP fails?

    IPsec
    3 Posts 2 Posters 1.9k Views
    MrMoo

      IPsec from pfSense to a CentOS hub; traceroute from the pfSense LAN all the way through to another pfSense node works with ICMP:

      
      sugoi:~ steve-o$ traceroute -P icmp -m 3 firewall.kowloonbay.miru.hk
      traceroute to firewall.kowloonbay.miru.hk (10.0.0.1), 3 hops max, 72 byte packets
       1  firewall (10.208.0.1)  1.947 ms  0.970 ms  0.896 ms
       2  hyori.miru.hk (10.36.8.1)  28.039 ms  26.345 ms  106.120 ms
       3  firewall.kowloonbay.miru.hk (10.0.0.1)  371.420 ms  404.675 ms  328.197 ms
      
      sugoi:~ steve-o$ traceroute -P udp -m 3 firewall.kowloonbay.miru.hk
      traceroute to firewall.kowloonbay.miru.hk (10.0.0.1), 3 hops max, 52 byte packets
       1  firewall (10.208.0.1)  2.014 ms  1.167 ms  0.973 ms
       2  hyori.miru.hk (10.36.8.1)  25.363 ms  28.624 ms  93.327 ms
       3  * * *
      
      sugoi:~ steve-o$ traceroute -P tcp -m 3 firewall.kowloonbay.miru.hk
      traceroute to firewall.kowloonbay.miru.hk (10.0.0.1), 3 hops max, 64 byte packets
       1  * * *
       2  * * *
       3  * * *
      
      

      When using UDP the first hop against pfSense works, as does CentOS as the endpoint of the IPsec tunnel, but pfSense as an endpoint is not responding.

      Going to the simplified case of CentOS to pfSense:

      
      [root@hyolee log]# traceroute -I 10.208.0.1 -m 3
      traceroute to 10.208.0.1 (10.208.0.1), 3 hops max, 60 byte packets
       1  firewall.ridgefield.miru.hk (10.208.0.1)  33.362 ms  33.308 ms  33.298 ms
      
      [root@hyolee log]# traceroute -U 10.208.0.1 -m 3
      traceroute to 10.208.0.1 (10.208.0.1), 3 hops max, 60 byte packets
       1  * * *
       2  * * *
       3  * * *
      
      [root@hyolee log]# traceroute -T 10.208.0.1 -m 3
      traceroute to 10.208.0.1 (10.208.0.1), 3 hops max, 60 byte packets
       1  firewall.ridgefield.miru.hk (10.208.0.1)  27.294 ms  27.256 ms  27.235 ms
      
      

      The pfSense IPsec firewall is blanket open on all 10/8 traffic.

      A UDP trace to a node on the pfSense LAN works:

      
      14:02:23.426709 IP hyori.miru.hk.40674 > sugoi.ridgefield.miru.hk.traceroute: UDP, length 32
      14:02:23.426711 IP hyori.miru.hk.47204 > sugoi.ridgefield.miru.hk.traceroute: UDP, length 32
      14:02:23.426824 IP hyori.miru.hk.59223 > sugoi.ridgefield.miru.hk.traceroute: UDP, length 32
      
      

      Configuring a trace log on a UDP trace packet and executing traceroute with that port shows success through the firewall.

      eri--

        IIRC FreeBSD by default does not allow sending back any ICMP messages over IPsec, to avoid disclosing any data!

          MrMoo
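As an added illustration of the behaviour the thread describes (this is not code from the thread or from pfSense), the Python helper below parses the three traceroute runs quoted in the first post and classifies each by whether the destination itself ever answered, naming the reply type the target would have had to send. The sample input is constructed from the output quoted above; the function names are my own.

```python
import re
# Constructed sample input: the three traceroute runs from the first post
# (ICMP, UDP and TCP probes from the pfSense LAN towards the remote pfSense node).
RUNS = {
    "icmp": "traceroute to firewall.kowloonbay.miru.hk (10.0.0.1), 3 hops max, 72 byte packets\n"
            " 1  firewall (10.208.0.1)  1.947 ms  0.970 ms  0.896 ms\n"
            " 2  hyori.miru.hk (10.36.8.1)  28.039 ms  26.345 ms  106.120 ms\n"
            " 3  firewall.kowloonbay.miru.hk (10.0.0.1)  371.420 ms  404.675 ms  328.197 ms",
    "udp":  "traceroute to firewall.kowloonbay.miru.hk (10.0.0.1), 3 hops max, 52 byte packets\n"
            " 1  firewall (10.208.0.1)  2.014 ms  1.167 ms  0.973 ms\n"
            " 2  hyori.miru.hk (10.36.8.1)  25.363 ms  28.624 ms  93.327 ms\n"
            " 3  * * *",
    "tcp":  "traceroute to firewall.kowloonbay.miru.hk (10.0.0.1), 3 hops max, 64 byte packets\n"
            " 1  * * *\n 2  * * *\n 3  * * *",
}
# Intermediate routers answer every probe type with ICMP Time Exceeded; only the
# destination's reply depends on the probe, so a run that dies exactly at the
# destination points at that missing reply rather than at the path.
FINAL_REPLY = {"icmp": "ICMP Echo Reply", "udp": "ICMP Port Unreachable",
               "tcp": "TCP SYN/ACK or RST"}
TARGET_RE = re.compile(r"^traceroute to \S+ \((\S+)\)")
HOP_RE = re.compile(r"^\s*(\d+)\s+(\S+)(?:\s+\(([\d.]+)\))?")

def parse_run(output):
    """Return (target_ip, [(ttl, responder_or_None), ...]) from traceroute output."""
    target, hops = None, []
    for line in output.splitlines():
        if m := TARGET_RE.match(line):
            target = m.group(1)
        elif m := HOP_RE.match(line):
            name, ip = m.group(2), m.group(3)
            hops.append((int(m.group(1)), None if name == "*" else ip or name))
    return target, hops

def classify(output):
    """'reached' if the target answered, 'dest-silent' if only intermediate hops did, 'blocked' if none did."""
    target, hops = parse_run(output)
    responders = [ip for _, ip in hops if ip]
    if not responders:
        return "blocked"
    return "reached" if target in responders else "dest-silent"

def diagnose(runs):
    """Classify each protocol's run and name the reply the live target withheld."""
    status = {proto: classify(out) for proto, out in runs.items()}
    silent = [p for p, s in status.items() if s == "dest-silent"]
    if status.get("icmp") == "reached" and silent:
        status["finding"] = ("target is up (Echo Reply) but never sent: "
                             + ", ".join(FINAL_REPLY[p] for p in silent))
    return status
```

On the quoted output this reports the UDP run as dest-silent with a missing ICMP Port Unreachable, which is exactly the reply a FreeBSD IPsec endpoint withholds in the explanation above.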

          Interesting, does Cisco follow this policy too? Here is the reference on the FreeBSD mailing list.

          https://lists.freebsd.org/pipermail/freebsd-net/2014-February/037912.html

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.