ICVPN: Incorrect routes on system 10.207.0.23/5.9.171.90/franken_fff_icvpn

Tim Niemeyer tim at tn-x.org
Mon Sep 18 22:26:07 CEST 2017


Hi Sven

This should be fixed by adding the following to zebra.conf:
--- %< ---
route-map RM_SET_SRC permit 10
  set src 10.207.0.23
ip protocol bgp route-map RM_SET_SRC
--- >% ---

Please don't try this via IPv6.

Kind regards
Tim

On Monday, 18.09.2017 at 21:35 +0200, Sven Eckelmann wrote:
> Hi,
> 
> it was observed that franken_fff_icvpn (and maybe other ICVPN gateways from
> franken) reply with a non-ICVPN source address over ICVPN. This was for
> example tested on vogtland3:
> 
>     $ traceroute -n 10.50.72.2 -s  10.204.48.1 -I
>     traceroute to 10.50.72.2 (10.50.72.2), 30 hops max, 60 byte packets
>      1  5.9.171.90  1.312 ms  1.255 ms  1.239 ms
>      2  10.50.72.2  4.991 ms  5.079 ms  5.106 ms
> 
> Or it can be seen on http://lg.ff3l.de/traceroute/gw9/ipv4?q=10.50.72.2
> 
> The reply packet from franken_fff_icvpn (captured on the icvpn interface of
> vogtland3) looks like this:
> 
>     Frame 42605: 102 bytes on wire (816 bits), 102 bytes captured (816 bits)
>     Ethernet II, Src: aa:8d:02:48:e1:a5 (aa:8d:02:48:e1:a5), Dst: e6:f8:0c:30:51:dc (e6:f8:0c:30:51:dc)
>     Internet Protocol Version 4, Src: 5.9.171.90, Dst: 10.204.48.1
>         0100 .... = Version: 4
>         .... 0101 = Header Length: 20 bytes (5)
>         Differentiated Services Field: 0xc0 (DSCP: CS6, ECN: Not-ECT)
>         Total Length: 88
>         Identification: 0x31aa (12714)
>         Flags: 0x00
>         Fragment offset: 0
>         Time to live: 64
>         Protocol: ICMP (1)
>         Header checksum: 0x5d0b [validation disabled]
>         [Header checksum status: Unverified]
>         Source: 5.9.171.90
>         Destination: 10.204.48.1
>         [Source GeoIP: Germany, AS24940 Hetzner Online GmbH, 51.299301, 9.490900]
>         [Destination GeoIP: Unknown]
>     Internet Control Message Protocol
>         Type: 11 (Time-to-live exceeded)
>         Code: 0 (Time to live exceeded in transit)
>         Checksum: 0xf4ff [correct]
>         [Checksum Status: Good]
>         Internet Protocol Version 4, Src: 10.204.48.1, Dst: 10.50.72.2
>         Internet Control Message Protocol
> 
> 
> It seems to me like the source address on the system is configured wrong for
> this route or some weird SNAT is happening here.
> 
> Kind regards,
> 	Sven
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: This is a digitally signed message part
URL         : <http://lists.freifunk.net/pipermail/franken-dev-freifunk.net/attachments/20170918/c777ebe1/attachment.sig>
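The two observations in this thread (a BGP route without a pinned source address, and a traceroute hop answering from a public address inside the tunnel) can both be checked mechanically. The script below is an added example written for this archive page, not code from either poster or from the Freifunk project: it parses lines in the format of `ip -4 route show proto bgp` and flags routes whose `src` is missing or differs from the expected ICVPN address (10.207.0.23 from Tim's fix), and it parses traceroute output and flags hops that reply from outside the expected ranges. The sample route lines are constructed for the example; the traceroute text is the one Sven posted. Treating 10.0.0.0/8 as the only range expected inside the ICVPN is an assumption for the check, not a fact from the thread.

```python
"""Audit source-address selection for ICVPN routes (added example).

Two checks:
  1. audit_bgp_routes: every BGP-learned route should carry the expected
     `src` hint; without it the kernel picks a source address on its own,
     which on a gateway with a public interface address can be the public
     address (the symptom in the thread).
  2. hops_outside: every traceroute hop inside the tunnel should answer
     from an address in the allowed ranges; a public address here means a
     peer is replying with the wrong source.
"""
import ipaddress
import re

# Expected source address for ICVPN routes, taken from the zebra.conf fix.
EXPECTED_SRC = ipaddress.ip_address("10.207.0.23")

# Constructed sample in the format of `ip -4 route show proto bgp`.
# Not captured from the gateway discussed in the thread.
SAMPLE_IP_ROUTE = """\
10.50.72.0/24 via 10.207.0.1 dev icvpn proto bgp metric 20
10.204.48.0/20 via 10.207.0.2 dev icvpn proto bgp metric 20 src 10.207.0.23
10.200.0.0/16 via 10.207.0.3 dev icvpn proto bgp metric 20 src 5.9.171.90
"""

# Traceroute output as posted by Sven in the thread.
TRACEROUTE_OUTPUT = """\
traceroute to 10.50.72.2 (10.50.72.2), 30 hops max, 60 byte packets
 1  5.9.171.90  1.312 ms  1.255 ms  1.239 ms
 2  10.50.72.2  4.991 ms  5.079 ms  5.106 ms
"""

# Assumption for this example: only 10.0.0.0/8 is expected inside the ICVPN.
ALLOWED_NETS = ["10.0.0.0/8"]

HOP_RE = re.compile(r"^\s*(\d+)\s+(\d+\.\d+\.\d+\.\d+)\s")


def audit_bgp_routes(ip_route_output, expected_src=EXPECTED_SRC):
    """Return [(prefix, problem)] for BGP routes with a missing or wrong src."""
    findings = []
    for line in ip_route_output.splitlines():
        fields = line.split()
        if "proto" not in fields:
            continue
        if fields[fields.index("proto") + 1] != "bgp":
            continue
        prefix = fields[0]
        if "src" not in fields:
            findings.append((prefix, "no src attribute (kernel chooses the source)"))
            continue
        src = ipaddress.ip_address(fields[fields.index("src") + 1])
        if src != expected_src:
            findings.append((prefix, f"src {src} is not {expected_src}"))
    return findings


def hops_outside(traceroute_output, allowed_nets=ALLOWED_NETS):
    """Return [(hop, address)] for hops replying from outside allowed_nets."""
    allowed = [ipaddress.ip_network(n) for n in allowed_nets]
    bad = []
    for line in traceroute_output.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue  # header line or a hop shown as "* * *"
        addr = ipaddress.ip_address(m.group(2))
        if not any(addr in net for net in allowed):
            bad.append((int(m.group(1)), str(addr)))
    return bad


if __name__ == "__main__":
    for prefix, problem in audit_bgp_routes(SAMPLE_IP_ROUTE):
        print(f"route {prefix}: {problem}")
    for hop, addr in hops_outside(TRACEROUTE_OUTPUT):
        print(f"hop {hop} answered from {addr}, outside the allowed ranges")
```

On a live gateway, feed `audit_bgp_routes` the output of `ip -4 route show proto bgp` after applying the route-map; every line should then carry `src 10.207.0.23` and the function should return an empty list.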