ICVPN: Incorrect routes on system 10.207.0.23/5.9.171.90/franken_fff_icvpn
Tim Niemeyer
tim at tn-x.org
Mon Sep 18 22:26:07 CEST 2017
Hi Sven,
This should be fixed by adding the following to zebra.conf:
--- %< ---
! Set the ICVPN transfer address as preferred source on every route
! that zebra installs from BGP, so replies over ICVPN use it
route-map RM_SET_SRC permit 10
 set src 10.207.0.23
ip protocol bgp route-map RM_SET_SRC
--- >% ---
Please don't try this via IPv6.
Kind regards
Tim
On Monday, 18.09.2017, 21:35 +0200, Sven Eckelmann wrote:
> Hi,
>
> it was observed that franken_fff_icvpn (and maybe other ICVPN gateways from
> franken) reply with a non-ICVPN source address over ICVPN. This was for
> example tested on vogtland3:
>
> $ traceroute -n 10.50.72.2 -s 10.204.48.1 -I
> traceroute to 10.50.72.2 (10.50.72.2), 30 hops max, 60 byte packets
> 1 5.9.171.90 1.312 ms 1.255 ms 1.239 ms
> 2 10.50.72.2 4.991 ms 5.079 ms 5.106 ms
>
> Or it can be seen on http://lg.ff3l.de/traceroute/gw9/ipv4?q=10.50.72.2
>
> The reply packet from franken_fff_icvpn (captured on the icvpn interface of
> vogtland3) looks like this:
>
> Frame 42605: 102 bytes on wire (816 bits), 102 bytes captured (816 bits)
> Ethernet II, Src: aa:8d:02:48:e1:a5 (aa:8d:02:48:e1:a5), Dst: e6:f8:0c:30:51:dc (e6:f8:0c:30:51:dc)
> Internet Protocol Version 4, Src: 5.9.171.90, Dst: 10.204.48.1
> 0100 .... = Version: 4
> .... 0101 = Header Length: 20 bytes (5)
> Differentiated Services Field: 0xc0 (DSCP: CS6, ECN: Not-ECT)
> Total Length: 88
> Identification: 0x31aa (12714)
> Flags: 0x00
> Fragment offset: 0
> Time to live: 64
> Protocol: ICMP (1)
> Header checksum: 0x5d0b [validation disabled]
> [Header checksum status: Unverified]
> Source: 5.9.171.90
> Destination: 10.204.48.1
> [Source GeoIP: Germany, AS24940 Hetzner Online GmbH, 51.299301, 9.490900]
> [Destination GeoIP: Unknown]
> Internet Control Message Protocol
> Type: 11 (Time-to-live exceeded)
> Code: 0 (Time to live exceeded in transit)
> Checksum: 0xf4ff [correct]
> [Checksum Status: Good]
> Internet Protocol Version 4, Src: 10.204.48.1, Dst: 10.50.72.2
> Internet Control Message Protocol
>
>
> It seems to me like the source address on the system is configured wrong for
> this route or some weird SNAT is happening here.
>
> Kind regards,
> Sven
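As an added example (not code from this thread and not the Freifunk Franken project's own tooling), the following Python script automates the two checks behind this report: it parses `traceroute -n` output and flags hops that answer from outside the expected ICVPN/private ranges (the leak Sven saw at hop 1), and it extracts the `src` field from `ip route get` output so one can confirm, after the zebra route-map above is applied, that the kernel now prefers 10.207.0.23 for BGP-learned routes. The sample traceroute and `ip route get` lines are constructed for the example, and the expected prefix list and the interface name `icvpn` are assumptions.

```python
"""Added example, not part of the mailing-list thread.

Flags ICVPN replies that leak a non-ICVPN (public) source address and
verifies the kernel's preferred source address for a route.
"""
import ipaddress
import re

# Assumption for this example: replies over ICVPN must come from private
# address space (ICVPN transfer nets and community nets live in 10.0.0.0/8;
# the other RFC 1918 blocks are included for completeness).
EXPECTED_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

# "<hop> <ipv4> <rtt> ms ..." lines of `traceroute -n` output
HOP_RE = re.compile(r"^\s*(\d+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s")
# "src <addr>" inside `ip route get` output
SRC_RE = re.compile(r"\bsrc\s+(\S+)")

# Constructed sample: the same symptom as in the report (hop 1 answers
# from a public Hetzner address instead of the ICVPN transfer address).
SAMPLE_TRACEROUTE = """\
traceroute to 10.50.72.2 (10.50.72.2), 30 hops max, 60 byte packets
 1  5.9.171.90  1.312 ms  1.255 ms  1.239 ms
 2  10.50.72.2  4.991 ms  5.079 ms  5.106 ms
"""

# Constructed `ip route get 10.50.72.2` output before and after the fix;
# the interface name "icvpn" and next hop are assumptions.
SAMPLE_ROUTE_GET_BEFORE = "10.50.72.2 via 10.207.0.1 dev icvpn src 5.9.171.90 uid 0\n    cache\n"
SAMPLE_ROUTE_GET_AFTER = "10.50.72.2 via 10.207.0.1 dev icvpn src 10.207.0.23 uid 0\n    cache\n"


def is_expected(addr):
    """True if addr lies in one of the expected (private) ICVPN ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in EXPECTED_NETS)


def leaking_hops(traceroute_output):
    """Return [(hop_number, address)] for hops answering from an
    address outside EXPECTED_NETS. Timed-out hops ('* * *') are skipped."""
    leaks = []
    for line in traceroute_output.splitlines():
        m = HOP_RE.match(line)
        if m and not is_expected(m.group(2)):
            leaks.append((int(m.group(1)), m.group(2)))
    return leaks


def route_get_src(route_get_output):
    """Extract the preferred source address from `ip route get` output,
    or None if the kernel did not report one."""
    m = SRC_RE.search(route_get_output)
    return m.group(1) if m else None


def check_source(route_get_output, expected_src):
    """True if the kernel picked expected_src as the source for the route."""
    return route_get_src(route_get_output) == expected_src


if __name__ == "__main__":
    # In practice feed in the real outputs, e.g. of
    #   traceroute -n 10.50.72.2 -s 10.204.48.1 -I
    #   ip route get 10.50.72.2
    for hop, addr in leaking_hops(SAMPLE_TRACEROUTE):
        print(f"hop {hop} replied from non-ICVPN address {addr}")
    print("before fix:", route_get_src(SAMPLE_ROUTE_GET_BEFORE))
    print("after fix ok:", check_source(SAMPLE_ROUTE_GET_AFTER, "10.207.0.23"))
```

Run it against `traceroute -n ... -I` output from another ICVPN peer to find leaking gateways, and against `ip route get <icvpn destination>` on the gateway itself to confirm the route-map took effect (zebra's `set src` ends up as the `src` attribute of the installed kernel route).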