Re: [IPsec] Fwd: New Version Notification for draft-colitti-ipsecme-esp-ping-01.txt

"Panwei (William)" <william.panwei@huawei.com> Wed, 27 March 2024 11:59 UTC

From: "Panwei (William)" <william.panwei@huawei.com>
To: Michael Richardson <mcr+ietf@sandelman.ca>
CC: "ipsec@ietf.org" <ipsec@ietf.org>
Date: Wed, 27 Mar 2024 11:59:15 +0000
Message-ID: <57bd1510e66b45c7af60513fbba3051c@huawei.com>
References: <170922023791.21652.13338059706655424526@ietfa.amsl.com> <CAFU7BAQuNkHDRidjQqGbXySKJ1FCRKuAksDa0BHsvfGeG45k6g@mail.gmail.com> <4b44a218c77a49edbaecd3b524dbaac7@huawei.com> <476994.1711501928@dyas> <3f7b0380650a40e6b9cec4afb7f6d034@huawei.com> <497306.1711523247@dyas>
In-Reply-To: <497306.1711523247@dyas>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/1eobcOWLgSfEBgZCfbrx8Nmm2r0>

Hi Michael,

Thanks for your clarification. I'm much clearer about the problems now.

    > > When you find out that the IKEv2 negotiation succeeds but ESP
    > > traffic can't get through, what more information will you get 
    > > from sending the ESPping and not receiving a response?
    > 
    > That there is a problem with proto=50... So:
    > a) do UDP encap (maybe by manual config, if you are clueful)
    > b) call network support and file a problem report.

I mean, when you find out that the IKEv2 negotiation succeeds but ESP traffic can't get through, you can already guess there may be a problem with ESP packets.
If you want to use ESPping to determine that the problem is really because on-path firewalls or routers discard the ESP packets, you need to make sure the IPsec peer also supports ESPping.
If you want to do the traceroute to determine how far ESP actually gets, you need to make sure every node supports ESPping.

Regards & Thanks!
Wei PAN (潘伟)