ICVPN: Incorrect routes on system 10.207.0.23/5.9.171.90/franken_fff_icvpn
Sven Eckelmann
sven at narfation.org
Mon Sep 18 21:35:09 CEST 2017
Hi,
it was observed that franken_fff_icvpn (and maybe other ICVPN gateways from
franken) reply with a non-ICVPN source address over ICVPN. This was for
example tested on vogtland3:
$ traceroute -n 10.50.72.2 -s 10.204.48.1 -I
traceroute to 10.50.72.2 (10.50.72.2), 30 hops max, 60 byte packets
 1  5.9.171.90  1.312 ms  1.255 ms  1.239 ms
 2  10.50.72.2  4.991 ms  5.079 ms  5.106 ms
Or it can be seen on http://lg.ff3l.de/traceroute/gw9/ipv4?q=10.50.72.2
The reply packet from franken_fff_icvpn (captured on the icvpn interface of
vogtland3) looks like this:
Frame 42605: 102 bytes on wire (816 bits), 102 bytes captured (816 bits)
Ethernet II, Src: aa:8d:02:48:e1:a5 (aa:8d:02:48:e1:a5), Dst: e6:f8:0c:30:51:dc (e6:f8:0c:30:51:dc)
Internet Protocol Version 4, Src: 5.9.171.90, Dst: 10.204.48.1
    0100 .... = Version: 4
    .... 0101 = Header Length: 20 bytes (5)
    Differentiated Services Field: 0xc0 (DSCP: CS6, ECN: Not-ECT)
    Total Length: 88
    Identification: 0x31aa (12714)
    Flags: 0x00
    Fragment offset: 0
    Time to live: 64
    Protocol: ICMP (1)
    Header checksum: 0x5d0b [validation disabled]
    [Header checksum status: Unverified]
    Source: 5.9.171.90
    Destination: 10.204.48.1
    [Source GeoIP: Germany, AS24940 Hetzner Online GmbH, 51.299301, 9.490900]
    [Destination GeoIP: Unknown]
Internet Control Message Protocol
    Type: 11 (Time-to-live exceeded)
    Code: 0 (Time to live exceeded in transit)
    Checksum: 0xf4ff [correct]
    [Checksum Status: Good]
    Internet Protocol Version 4, Src: 10.204.48.1, Dst: 10.50.72.2
    Internet Control Message Protocol
It seems to me like the source address on the system is configured wrong for
this route or some weird SNAT is happening here.
Kind regards,
Sven
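
Added example, not part of the original message: a check an operator or looking glass could run over `traceroute -n` output to flag hops that answer from outside the overlay's address space, as hop 1 does above. The prefix list is an assumption (private IPv4 ranges only) and must be adapted to the prefixes actually routed in the mesh; the function name is hypothetical.

```python
import ipaddress
import re

# Assumption: hops inside the overlay should only answer from private space.
EXPECTED_PREFIXES = [ipaddress.ip_network(p)
                     for p in ("10.0.0.0/8", "172.16.0.0/12")]

# Output copied from the message above (run on vogtland3).
SAMPLE = """\
traceroute to 10.50.72.2 (10.50.72.2), 30 hops max, 60 byte packets
 1  5.9.171.90  1.312 ms  1.255 ms  1.239 ms
 2  10.50.72.2  4.991 ms  5.079 ms  5.106 ms
"""

HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")            # "<hop> <rest of line>"
ADDR_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")  # dotted quad


def leaking_hops(traceroute_output, expected=EXPECTED_PREFIXES):
    """Return [(hop, address)] for replies sourced outside `expected`."""
    findings = []
    for line in traceroute_output.splitlines():
        match = HOP_RE.match(line)
        if not match:                  # header line or blank line
            continue
        hop, rest = int(match.group(1)), match.group(2)
        seen = set()
        # One hop line can list several responders; "*" probes carry no address.
        for text in ADDR_RE.findall(rest):
            if text in seen:
                continue
            seen.add(text)
            try:
                addr = ipaddress.ip_address(text)
            except ValueError:         # e.g. 999.1.1.1 is not an address
                continue
            if not any(addr in net for net in expected):
                findings.append((hop, text))
    return findings


if __name__ == "__main__":
    for hop, addr in leaking_hops(SAMPLE):
        print(f"hop {hop}: reply sourced from {addr}, outside expected prefixes")
```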