ICVPN: Incorrect routes on system

Sven Eckelmann sven at narfation.org
Mo Sep 18 21:35:09 CEST 2017


it was observed that franken_fff_icvpn (and maybe other ICVPN gateways from
franken) reply with a non-ICVPN source address over ICVPN. This was for
example tested on vogtland3:

    $ traceroute -n -s -I
    traceroute to (, 30 hops max, 60 byte packets
     1  1.312 ms  1.255 ms  1.239 ms
     2  4.991 ms  5.079 ms  5.106 ms

Or it can be seen on http://lg.ff3l.de/traceroute/gw9/ipv4?q=

The reply packet from franken_fff_icvpn (captured on the icvpn interface of 
vogtland3) looks like this:

    Frame 42605: 102 bytes on wire (816 bits), 102 bytes captured (816 bits)
    Ethernet II, Src: aa:8d:02:48:e1:a5 (aa:8d:02:48:e1:a5), Dst: e6:f8:0c:30:51:dc (e6:f8:0c:30:51:dc)
    Internet Protocol Version 4, Src:, Dst:
        0100 .... = Version: 4
        .... 0101 = Header Length: 20 bytes (5)
        Differentiated Services Field: 0xc0 (DSCP: CS6, ECN: Not-ECT)
        Total Length: 88
        Identification: 0x31aa (12714)
        Flags: 0x00
        Fragment offset: 0
        Time to live: 64
        Protocol: ICMP (1)
        Header checksum: 0x5d0b [validation disabled]
        [Header checksum status: Unverified]
        [Source GeoIP: Germany, AS24940 Hetzner Online GmbH, 51.299301, 9.490900]
        [Destination GeoIP: Unknown]
    Internet Control Message Protocol
        Type: 11 (Time-to-live exceeded)
        Code: 0 (Time to live exceeded in transit)
        Checksum: 0xf4ff [correct]
        [Checksum Status: Good]
        Internet Protocol Version 4, Src:, Dst:
        Internet Control Message Protocol

It seems to me like the source address on the system is configured wrong for 
this route or some weird SNAT is happening here.

Kind regards,
-------------- nächster Teil --------------
Ein Dateianhang mit Binärdaten wurde abgetrennt...
Dateiname   : signature.asc
Dateityp    : application/pgp-signature
Dateigröße  : 833 bytes
Beschreibung: This is a digitally signed message part.
URL         : <http://lists.freifunk.net/pipermail/franken-dev-freifunk.net/attachments/20170918/3d25bbf3/attachment.sig>

Mehr Informationen über die Mailingliste franken-dev