05-10-2005 06:22 PM - edited 02-21-2020 12:08 AM
I can't perform traceroutes over the VPN tunnel I have established; everything is working otherwise.
I hit up TAC with this question, and they tell me that because the packets are encrypted, the tunnel isn't aware that they are traceroute packets. Is this true? When I trace from a host on the inside of the PIX to a host on the inside of the Concentrator, I get timeouts on every hop except the first and last.
Any ideas?
05-16-2005 11:38 AM
It might help us if we knew more about your particular situation and how you have things configured.
But in general I think that you got a correct answer: if the traceroute packet matches the access list for IPSec and the traceroute packet is encrypted, then the devices along the path till the point that it is decrypted will only see the encrypted data and will not recognize that it is a traceroute and therefore cannot respond to you. (A technical note: the devices along the path see the TTL expire, drop the packet, and generate an ICMP error, but the ICMP TTL exceeded is not addressed to you but is addressed to the tunnel endpoint, since that was the source address of the packet that they discarded.)
If you really want traceroute to work you might look at the possibility of changing the access list that identifies traffic for IPSec such that it does not permit the traceroute packets. This will result in traceroute being sent in the clear. Note that there may be some complexity in differentiating traceroute from other kinds of traffic in the access list.
HTH
Rick
06-10-2005 09:25 AM
Hello. Not sure what version this came out in, but try on both PIX sides:
management-access inside
I can telnet, ping, etc... to the insides of both tunnels points with this.
08-10-2005 11:59 PM
Hi,
Take this case for an example.
The traceroute you are expecting is
HostA--> VPN.Concentrator Inside IP --> PIX Inside IP ---> HostB
Now check your network lists on the VPN Concentrator for the specific tunnel. You would have allowed traffic from HostA to HostB only. In this case, the trace output you get will look something like this:
HostA--> VPN.Concentrator Inside IP --> * ---> HostB
This is because the PIX Inside IP is not allowed to send packets through the tunnel, whereas HostB is...
Try adding PIX Internal IP address also to the encryption domain, then you will get this hop also.
HTH
Regards,
Shijo George.
09-01-2005 10:50 AM
You got a reasonable answer in the first place. The VPN tunnel encapsulates the original packet and then encrypts it, so there is no way for routers in between the VPN tunnel endpoints to see the original packet.
You should be getting normal replies to your traceroute requests from all routers before and after the tunnel, including the VPN tunnel endpoint routers. In the simplest case, one from your gateway and another from the traceroute destination host's gateway.
09-14-2005 10:36 PM
Hi,
The setting of the local and remote network in the VPN config can affect this, because only traffic from IP addresses inside these networks goes through the VPN tunnel. So answers to the traceroute from hosts with IP addresses outside these networks won't go through the VPN tunnel.
hth
Mark
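The two explanations given in this thread, that routers between the endpoints only ever see the encrypted packet and so address their ICMP TTL-exceeded to the tunnel endpoint, and that a far-side hop whose address is outside the encryption domain cannot send its reply back through the tunnel, can be checked with a small model. This is an added example, not code from the thread or from Cisco. The five-device topology, every address, the crypto ACL contents, and the TTL handling (the default here copies the inner TTL into the outer header; `copy_ttl=False` models a fresh outer TTL instead) are constructed assumptions.

```python
"""Model of a traceroute that crosses an IPsec site-to-site tunnel.

Added example, not code from the thread or from Cisco. The topology, all
addresses and the TTL handling are constructed assumptions.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Packet:
    src: str
    dst: str
    ttl: int
    inner: Optional["Packet"] = None  # set on the encrypted outer (ESP) packet only


@dataclass
class Node:
    ip: str                        # address this hop would report in a traceroute
    outside: Optional[str] = None  # tunnel endpoints only: peer-facing public address
    peer: Optional[str] = None     # tunnel endpoints only: far endpoint's outside address
    # Encryption domain (crypto ACL / network list) as (local_net, remote_net) pairs.
    domain: List[Tuple[str, str]] = field(default_factory=list)

    def is_endpoint(self) -> bool:
        return self.outside is not None

    def selects(self, src: str, dst: str) -> bool:
        """True when a src->dst packet matches this endpoint's crypto ACL."""
        return any(ip_address(src) in ip_network(loc) and ip_address(dst) in ip_network(rem)
                   for loc, rem in self.domain)


def reply_reaches(node: Node, probe_src: str, decryptor: Optional[Node]) -> bool:
    """Can a reply from `node` get back to the host that sent the probe?

    Near-side hops answer locally. Far-side hops (the decrypting endpoint and
    everything after it) must send the reply back through the tunnel, which only
    happens if the far endpoint's crypto ACL selects node -> probe_src.
    """
    if decryptor is None:
        return True
    return decryptor.selects(node.ip, probe_src)


def probe(path: List[Node], src: str, dst: str, ttl: int, copy_ttl: bool = True) -> Optional[str]:
    """Send one probe with the given TTL; return the hop address the tracing
    host sees, or None where traceroute would print '*'."""
    wire = Packet(src, dst, ttl)  # the packet as seen on the wire (outer header when encrypted)
    decryptor: Optional[Node] = None
    for node in path:
        # Far endpoint: strip the ESP header and continue with the inner packet.
        if node.is_endpoint() and wire.inner is not None and wire.dst == node.outside:
            if copy_ttl:
                wire.inner.ttl = wire.ttl  # assumption: tunnel is transparent to TTL
            wire, decryptor = wire.inner, node
        if node.ip == dst:  # destination host answers the probe
            return node.ip if reply_reaches(node, src, decryptor) else None
        # Every forwarding device decrements the TTL of the header it can see;
        # routers between the endpoints only ever see the outer header.
        wire.ttl -= 1
        if wire.ttl == 0:
            # ICMP time-exceeded is addressed to the source of the discarded packet.
            # For an encrypted packet that is the tunnel endpoint, which cannot
            # match the error to the inner flow and drops it, so the host sees '*'.
            if wire.src != src:
                return None
            return node.ip if reply_reaches(node, src, decryptor) else None
        # Near endpoint: encrypt traffic that its crypto ACL selects.
        if node.is_endpoint() and wire.inner is None and node.selects(wire.src, wire.dst):
            outer_ttl = wire.ttl if copy_ttl else 255  # 255 = fresh outer TTL (assumption)
            wire = Packet(node.outside, node.peer, outer_ttl, inner=wire)
    raise ValueError("destination %s is not on the path" % dst)


def traceroute(path: List[Node], src: str, dst: str, max_ttl: int = 30,
               copy_ttl: bool = True) -> List[Optional[str]]:
    """Probe with TTL 1, 2, ... until the destination answers; None means '*'."""
    hops: List[Optional[str]] = []
    for ttl in range(1, max_ttl + 1):
        hop = probe(path, src, dst, ttl, copy_ttl)
        hops.append(hop)
        if hop == dst:
            break
    return hops


def build_path(host_only_domain: bool) -> List[Node]:
    """Constructed topology, modelled on the thread:
    HostA 10.1.0.50 -> Concentrator -> R1 -> R2 -> PIX -> HostB 10.2.0.50."""
    if host_only_domain:  # network list naming just the two hosts
        a_dom, b_dom = [("10.1.0.50/32", "10.2.0.50/32")], [("10.2.0.50/32", "10.1.0.50/32")]
    else:                 # whole subnets, so the PIX inside address is covered as well
        a_dom, b_dom = [("10.1.0.0/24", "10.2.0.0/24")], [("10.2.0.0/24", "10.1.0.0/24")]
    return [
        Node("10.1.0.1", outside="198.51.100.1", peer="198.51.100.2", domain=a_dom),  # Concentrator
        Node("203.0.113.1"),  # transit router, sees only ESP
        Node("203.0.113.2"),  # transit router, sees only ESP
        Node("10.2.0.1", outside="198.51.100.2", peer="198.51.100.1", domain=b_dom),  # PIX
        Node("10.2.0.50"),    # HostB
    ]


if __name__ == "__main__":
    for host_only in (True, False):
        for copy in (True, False):
            hops = traceroute(build_path(host_only), "10.1.0.50", "10.2.0.50", copy_ttl=copy)
            print("host-only ACL=%s copy_ttl=%s:" % (host_only, copy),
                  " -> ".join(h or "*" for h in hops))
```

With the host-only network list the model reproduces the trace shape in the thread (first hop, a run of `*`, then HostB); widening the ACL to the whole subnets makes the PIX inside address appear, because its reply is now selected for the tunnel. With a fresh outer TTL the transit routers do not show as `*` at all but simply vanish, and the tunnel looks like one hop. Which of the two TTL behaviours a given platform uses is not something the thread establishes, so the practical check is a capture on the outside interface to see what TTL the ESP packets leave with.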