ICMP traceroute succeeds but UDP fails?
-
IPsec from pfSense to a CentOS hub; traceroute from the pfSense LAN all the way through to another pfSense node works with ICMP:
sugoi:~ steve-o$ traceroute -P icmp -m 3 firewall.kowloonbay.miru.hk
traceroute to firewall.kowloonbay.miru.hk (10.0.0.1), 3 hops max, 72 byte packets
 1  firewall (10.208.0.1)  1.947 ms  0.970 ms  0.896 ms
 2  hyori.miru.hk (10.36.8.1)  28.039 ms  26.345 ms  106.120 ms
 3  firewall.kowloonbay.miru.hk (10.0.0.1)  371.420 ms  404.675 ms  328.197 ms
sugoi:~ steve-o$ traceroute -P udp -m 3 firewall.kowloonbay.miru.hk
traceroute to firewall.kowloonbay.miru.hk (10.0.0.1), 3 hops max, 52 byte packets
 1  firewall (10.208.0.1)  2.014 ms  1.167 ms  0.973 ms
 2  hyori.miru.hk (10.36.8.1)  25.363 ms  28.624 ms  93.327 ms
 3  * * *
sugoi:~ steve-o$ traceroute -P tcp -m 3 firewall.kowloonbay.miru.hk
traceroute to firewall.kowloonbay.miru.hk (10.0.0.1), 3 hops max, 64 byte packets
 1  * * *
 2  * * *
 3  * * *
When using UDP, the first hop against pfSense works, as does CentOS as the endpoint of the IPsec tunnel, but pfSense as an endpoint is not responding.
Going to the simplified case of CentOS to pfSense:
[root@hyolee log]# traceroute -I 10.208.0.1 -m 3
traceroute to 10.208.0.1 (10.208.0.1), 3 hops max, 60 byte packets
 1  firewall.ridgefield.miru.hk (10.208.0.1)  33.362 ms  33.308 ms  33.298 ms
[root@hyolee log]# traceroute -U 10.208.0.1 -m 3
traceroute to 10.208.0.1 (10.208.0.1), 3 hops max, 60 byte packets
 1  * * *
 2  * * *
 3  * * *
[root@hyolee log]# traceroute -T 10.208.0.1 -m 3
traceroute to 10.208.0.1 (10.208.0.1), 3 hops max, 60 byte packets
 1  firewall.ridgefield.miru.hk (10.208.0.1)  27.294 ms  27.256 ms  27.235 ms
The pfSense IPsec firewall is blanket open on all 10/8 traffic.
A UDP trace to a node on the pfSense LAN works:
14:02:23.426709 IP hyori.miru.hk.40674 > sugoi.ridgefield.miru.hk.traceroute: UDP, length 32
14:02:23.426711 IP hyori.miru.hk.47204 > sugoi.ridgefield.miru.hk.traceroute: UDP, length 32
14:02:23.426824 IP hyori.miru.hk.59223 > sugoi.ridgefield.miru.hk.traceroute: UDP, length 32
Configuring a trace log on a UDP trace packet and executing traceroute with that port shows success through the firewall.
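An added diagnostic, not from the thread: it parses traceroute runs by probe type and reports at which hop the target itself answered, which separates a dead path (every hop dark) from a destination that is reachable but withholds the reply that one probe family depends on (for UDP, an ICMP port-unreachable error). The sample transcript is constructed from the two macOS runs quoted above, with a `$ ` prompt assumed.

```python
import re

# Constructed transcript, taken from the two runs quoted in the question above
# (macOS/BSD-style traceroute output; Linux output parses the same way).
SAMPLE = """\
$ traceroute -P icmp -m 3 firewall.kowloonbay.miru.hk
traceroute to firewall.kowloonbay.miru.hk (10.0.0.1), 3 hops max, 72 byte packets
 1  firewall (10.208.0.1)  1.947 ms  0.970 ms  0.896 ms
 2  hyori.miru.hk (10.36.8.1)  28.039 ms  26.345 ms  106.120 ms
 3  firewall.kowloonbay.miru.hk (10.0.0.1)  371.420 ms  404.675 ms  328.197 ms
$ traceroute -P udp -m 3 firewall.kowloonbay.miru.hk
traceroute to firewall.kowloonbay.miru.hk (10.0.0.1), 3 hops max, 52 byte packets
 1  firewall (10.208.0.1)  2.014 ms  1.167 ms  0.973 ms
 2  hyori.miru.hk (10.36.8.1)  25.363 ms  28.624 ms  93.327 ms
 3  * * *
"""
HOP_RE = re.compile(r"^\s*(\d+)\s+(.+)$")          # " 2  host (ip)  rtt ms ..."
HOST_RE = re.compile(r"^(\S+)\s+\(([\d.]+)\)")      # "host (ip)"; None for "* * *"

def probe_type(cmdline):
    """Probe family from the command line: -P x (BSD/macOS) or -I/-U/-T (Linux)."""
    m = re.search(r"-P\s*(icmp|udp|tcp)", cmdline)
    if m:
        return m.group(1)
    for flag, name in (("I", "icmp"), ("T", "tcp")):
        if re.search(r"(^|\s)-%s(\s|$)" % flag, cmdline):
            return name
    return "udp"  # traceroute's default probe on both platforms

def parse_transcript(text):
    """Return {probe: [target_ip, [(hop, answering_ip_or_None, [rtt_ms, ...]), ...]]}."""
    runs, cur = {}, None
    for line in text.splitlines():
        if line.startswith("$ traceroute"):
            cur = runs[probe_type(line)] = [None, []]
        elif cur is None:
            continue
        elif line.startswith("traceroute to"):
            cur[0] = re.search(r"\(([\d.]+)\)", line).group(1)
        elif HOP_RE.match(line):
            hop, rest = HOP_RE.match(line).groups()
            host = HOST_RE.match(rest)  # None when the hop timed out ("* * *")
            rtts = [float(x) for x in re.findall(r"([\d.]+) ms", rest)]
            cur[1].append((int(hop), host and host.group(2), rtts))
    return runs

def reached_target(runs):
    """Per probe, the hop at which the target itself answered, else None.
    Intermediate hops answering (ICMP time-exceeded gets through) while the
    target stays silent means the target is withholding that probe's reply."""
    return {p: next((h for h, ip, _ in hops if ip == t), None)
            for p, (t, hops) in runs.items()}
```

Running `reached_target(parse_transcript(SAMPLE))` on the sample gives `{'icmp': 3, 'udp': None}`: the path is fine and only the UDP-specific reply is missing.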
-
IIRC FreeBSD does not by default allow sending any ICMP messages back over IPsec, to avoid disclosing any data!
-
Interesting, does Cisco follow this policy too? Here is the reference on the FreeBSD mailing list.
https://lists.freebsd.org/pipermail/freebsd-net/2014-February/037912.html