Anyone else notice a massive TTL deduction when packets pass through an ISAKMP-IPSEC tunnel? I happened to notice this today monitoring the latency of hosts through a VPN tunnel. When I ping the inside interface I get a 253-252 TTL, but just one hop further the TTL is 126. This seems indicative of a routing loop. Any thoughts?
You did not mention any platform, but as I just happened to answer a PIX 501 question for you, I will assume PIX.
PIX 6.x is not exactly a proxy: it does not actually pass packets through from one side to another. Instead, PIX 6.x receives the packets and builds a -new- packet to the destination. That new packet happens to have a different starting TTL.
Building new packets is important for security reasons, to scrub malformed packets and to hide unusual flag combinations that might be exploitable or might be usable to detect operating systems in use and so on. Secondly, building new packets is required in order to be able to inspect protocols, since one does not want an attacker to be able to escape detection merely by artificially breaking key information at packet boundaries. Thirdly, building new packets can help deal with MTU differences -- especially since VPN tunnels have a smaller effective MTU (because of the VPN overhead).
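A small diagnostic for the situation above, added here as an example and not part of the thread or of any PIX tooling: given the TTLs observed at successive hops, it infers which common initial TTL (32/64/128/255) each reply was sent with, and flags a hop where the initial TTL changes (a device rebuilt the packet, as the answer describes) versus a hop where the initial TTL is unchanged but the implied hop count jumps (what a real routing loop would look like). The hop/TTL values are constructed to mirror the question's 253 then 126.

```python
"""Tell a TTL reset by a packet-rebuilding firewall apart from a routing loop.

Observations are constructed sample data modelled on the question
(inside interface answers with TTL 253, the next hop with TTL 126).
"""

COMMON_INITIAL_TTLS = (32, 64, 128, 255)


def infer_initial_ttl(observed):
    """Smallest common initial TTL >= the observed value (None if > 255)."""
    for cand in COMMON_INITIAL_TTLS:
        if observed <= cand:
            return cand
    return None


def classify(hops):
    """hops: list of (hop_index, observed_ttl) ordered by distance from us.

    Per hop returns the inferred initial TTL, the implied hop count
    (initial - observed) and a verdict:
      'rebuilt' - inferred initial TTL differs from the previous hop, i.e.
                  something on the path built a new packet (PIX-style);
      'loop?'   - same initial TTL but the implied hop count jumps by more
                  than one, which is what a routing loop looks like;
      'normal'  - otherwise.
    Limitation: a rebuild that happens to reuse the same initial TTL as the
    original sender is indistinguishable from a normal hop by this test.
    """
    results = []
    prev_init = prev_hops = None
    for hop, ttl in hops:
        init = infer_initial_ttl(ttl)
        implied = None if init is None else init - ttl
        verdict = "normal"
        if prev_init is not None and init != prev_init:
            verdict = "rebuilt"
        elif prev_hops is not None and implied - prev_hops > 1:
            verdict = "loop?"
        results.append({"hop": hop, "ttl": ttl, "initial": init,
                        "hops_implied": implied, "verdict": verdict})
        prev_init, prev_hops = init, implied
    return results


if __name__ == "__main__":
    # Constructed: the question's observation, then a loop-like pattern.
    for row in classify([(1, 253), (2, 126)]) + classify([(1, 253), (2, 200)]):
        print(row)
```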