Massive TTL Decrease ISAKMP-IPSEC VPN

Anyone else notice a massive TTL deduction when packets pass through a
ISAKMP-IPSEC tunnel. I happen to notice this today monitoring the latency of
hosts through a VPN tunnel. When I ping the inside interface I get a 253 -
252 TTL but just one hop further the TTL is 126. This seems indicative of a
routing loop. Any thoughts?

TIA

 

You did not mention any platform, but as I just happened to answer
a PIX 501 question for you, I will assume PIX.

PIX 6.x is not exactly a proxy: it does not actually pass packets through
from one side to another. Instead, PIX 6.x receives the packets
and builds a -new- packet to the destination. That new packet happens
to have a different starting TTL.

Building new packets is important for security reasons, to scrub
malformed packets and to hide unusual flag combinations that might
be exploitable or might be usable to detect operating systems in
use and so on. Secondly, building new packets is required in order
to be able to inspect protocols, since one does not want an attacker
to be able to escape detection merely by artificially breaking
key information at packet boundaries. Thirdly, building new packets
can help deal with MTU differences -- especially since VPN tunnels
have a smaller effective MTU (because of the VPN overhead.)