ICVPN: Incorrect routes on system 10.207.0.23/5.9.171.90/franken_fff_icvpn

Sven Eckelmann sven at narfation.org
Mo Sep 18 21:35:09 CEST 2017


Hi,

it was observed that franken_fff_icvpn (and maybe other ICVPN gateways from
franken) reply with a non-ICVPN source address over ICVPN. This was for
example tested on vogtland3:

    $ traceroute -n 10.50.72.2 -s  10.204.48.1 -I
    traceroute to 10.50.72.2 (10.50.72.2), 30 hops max, 60 byte packets
     1  5.9.171.90  1.312 ms  1.255 ms  1.239 ms
     2  10.50.72.2  4.991 ms  5.079 ms  5.106 ms

Or it can be seen on http://lg.ff3l.de/traceroute/gw9/ipv4?q=10.50.72.2

The reply packet from franken_fff_icvpn (captured on the icvpn interface of 
vogtland3) looks like this:

    Frame 42605: 102 bytes on wire (816 bits), 102 bytes captured (816 bits)
    Ethernet II, Src: aa:8d:02:48:e1:a5 (aa:8d:02:48:e1:a5), Dst: e6:f8:0c:30:51:dc (e6:f8:0c:30:51:dc)
    Internet Protocol Version 4, Src: 5.9.171.90, Dst: 10.204.48.1
        0100 .... = Version: 4
        .... 0101 = Header Length: 20 bytes (5)
        Differentiated Services Field: 0xc0 (DSCP: CS6, ECN: Not-ECT)
        Total Length: 88
        Identification: 0x31aa (12714)
        Flags: 0x00
        Fragment offset: 0
        Time to live: 64
        Protocol: ICMP (1)
        Header checksum: 0x5d0b [validation disabled]
        [Header checksum status: Unverified]
        Source: 5.9.171.90
        Destination: 10.204.48.1
        [Source GeoIP: Germany, AS24940 Hetzner Online GmbH, 51.299301, 9.490900]
        [Destination GeoIP: Unknown]
    Internet Control Message Protocol
        Type: 11 (Time-to-live exceeded)
        Code: 0 (Time to live exceeded in transit)
        Checksum: 0xf4ff [correct]
        [Checksum Status: Good]
        Internet Protocol Version 4, Src: 10.204.48.1, Dst: 10.50.72.2
        Internet Control Message Protocol


It seems to me like the source address on the system is configured wrong for 
this route or some weird SNAT is happening here.

Kind regards,
	Sven
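The check behind the observation above, as an added example (not part of the original mail or of the Freifunk Franken setup): a small parser that walks traceroute output and reports every hop that answered from an address outside the prefixes an ICVPN peer is expected to use. It assumes, as a labelled guess, that all legitimate ICVPN and mesh reply addresses lie in 10.0.0.0/8; the sample input is the traceroute quoted in the mail, embedded as a constructed string.

```python
import ipaddress
import re

# Constructed sample input: the traceroute from vogtland3 quoted in the mail.
TRACEROUTE_OUTPUT = """\
traceroute to 10.50.72.2 (10.50.72.2), 30 hops max, 60 byte packets
 1  5.9.171.90  1.312 ms  1.255 ms  1.239 ms
 2  10.50.72.2  4.991 ms  5.079 ms  5.106 ms
"""

# Assumption: every address a hop inside the ICVPN may legitimately answer
# from lies in 10.0.0.0/8 (ICVPN transfer networks and community meshes).
# Adjust this list to the prefixes your ICVPN peers actually announce.
ICVPN_PREFIXES = [ipaddress.ip_network("10.0.0.0/8")]

# A hop line starts with the hop number; everything after it is inspected.
HOP_LINE = re.compile(r"^\s*(\d+)\s+(.*)$")


def parse_hops(output):
    """Map each hop number to the list of addresses that answered for it.

    traceroute may print several responders on one line, so every token is
    tried as an address. Timing values ('1.312', 'ms'), '*' for no answer
    and annotations such as '!H' are not addresses and are skipped.
    """
    hops = {}
    for line in output.splitlines():
        m = HOP_LINE.match(line)
        if not m:
            continue  # header line or other noise
        hop_no = int(m.group(1))
        addrs = []
        for token in m.group(2).split():
            try:
                addrs.append(ipaddress.ip_address(token))
            except ValueError:
                continue
        hops[hop_no] = addrs
    return hops


def find_foreign_sources(output, prefixes=ICVPN_PREFIXES):
    """Return (hop, address, kind) for every reply source outside `prefixes`.

    `kind` is 'public' when the unexpected source is a globally routable
    address (the case in the mail: 5.9.171.90 belongs to the gateway's
    public uplink), or 'other' for any other non-ICVPN range.
    """
    findings = []
    for hop_no, addrs in sorted(parse_hops(output).items()):
        for addr in addrs:
            if any(addr in net for net in prefixes):
                continue
            kind = "public" if addr.is_global else "other"
            findings.append((hop_no, str(addr), kind))
    return findings


if __name__ == "__main__":
    for hop_no, addr, kind in find_foreign_sources(TRACEROUTE_OUTPUT):
        print(f"hop {hop_no}: reply from {addr} ({kind} address, not an ICVPN prefix)")
```

Run against the sample, the script flags hop 1 only: the ICMP Time Exceeded came from 5.9.171.90, a public Hetzner address, while hop 2 answered from inside 10.0.0.0/8 as expected. On a Linux router, the sysctl `net.ipv4.icmp_errors_use_inbound_ifaddr` decides whether ICMP error messages are sourced from the address of the interface the triggering packet arrived on instead of the address selected by the route back to the sender; the mail does not say what franken_fff_icvpn runs, but that setting, together with the `src` hint on the relevant routes and any SNAT rules, is where one would look first.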