Hi folks

I found a problem sending large packets (e.g. large icmp echo requests) across an ipsec tunnel. I used a ping size of 2000 bytes and found that the remote ipsec gateway tried to reply with a fragmentation needed icmp packet. The icmp packet though went through the default gateway, which was not the ipsec tunnel.

here is some ascii art

local client network
|
192.168.5.1
client gateway
dynamic ip (dsl)
|
static ip (dsl)
central gateway
192.168.1.1
|
central network 192.168.1.1

I added an iproute2 table and rule to allow the client gateway to access the network 192.168.1.0/24 through the ipsec tunnel using a source address of 192.168.5.1. This is just handy if you don't have access to a real computer on the client network to use as a source for tests.

I could observe that the large packet to 192.168.1.254, a server on the central network, entered the ipsec tunnel on the client side and got delivered to the ipsec gateway on the central site. Then the ipsec gateway on the central site tried to send a fragmentation needed icmp packet to the source (192.168.5.1). This icmp packet had as source address the external static ip of the central gateway. There is no valid route through the internet to 192.168.5.1 so this packet was lost and of course my ping request was never replied to. The same would apply if a large data packet from the client network was sent with the don't fragment bit set.

I found that by applying a similar iproute2 table, rule and route, which allowed the internal address of the central ipsec gateway to access the client network, would then route the icmp packets from the central router through the ipsec tunnel to the client's local network, hence notify the source of the large packet of the fragmentation necessity. Subsequently the echo requests succeeded.

Is this enough of a general interest to make it to the ipsec docs? Is this best practice or is there a better way to solve this?

cheers

Erich
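The policy-routing entries Erich describes, written out as an added example (not part of the original post or of the LEAF project). It assumes a FreeS/WAN-style virtual tunnel interface named ipsec0 and an unused routing table 100; on a kernel with native IPsec (no ipsec0 device) the same "src" trick applies with the external interface as the device, since the SPD rather than an interface decides what gets encapsulated. The point is to give the gateway a route to the far subnet whose preferred source is its internal address, so that ICMP errors it generates itself (such as fragmentation needed) match the tunnel policy instead of leaving with the external address via the default route.

```shell
#!/bin/sh
# Added example, not from the original post. Generates the iproute2 entries
# that route a gateway's own packets to the far end of the tunnel with its
# internal address as preferred source. Assumptions: the tunnel is a
# FreeS/WAN-style interface (default name ipsec0) and table 100 is free.

# tunnel_policy LOCAL_SRC REMOTE_NET [DEV] [TABLE]
# Prints the commands rather than running them so they can be reviewed.
tunnel_policy() {
    # The rule matches on destination only: when the kernel picks a source
    # address for a locally generated packet it does the route lookup with
    # the source still unset, so a "from LOCAL_SRC" rule would not match at
    # that point. The route's "src" is what makes LOCAL_SRC the preferred
    # source, and that is what the ICMP error will carry.
    printf 'ip route add %s dev %s src %s table %s\n' \
        "$2" "${3:-ipsec0}" "$1" "${4:-100}"
    printf 'ip rule add to %s lookup %s\n' "$2" "${4:-100}"
}

# Same arguments; actually installs the entries (needs root).
apply_tunnel_policy() {
    tunnel_policy "$@" | sh -e
}

# Prints the source address the kernel would now use for a packet to $1;
# after applying the entries this should be the internal address.
preferred_source() {
    ip route get "$1" | sed -n 's/.*src \([0-9.]*\).*/\1/p'
}

# The two sides of the setup in the post (addresses taken from it; the
# client network is assumed to be 192.168.5.0/24):
echo "# on the client gateway:"
tunnel_policy 192.168.5.1 192.168.1.0/24
echo "# on the central gateway:"
tunnel_policy 192.168.1.1 192.168.5.0/24
```

After `apply_tunnel_policy 192.168.1.1 192.168.5.0/24` on the central gateway, `preferred_source 192.168.5.1` should print 192.168.1.1; if it still prints the static external address, the generated ICMP errors will keep going out the default route. If the updown script has already installed a route to the remote subnet in the main table, a plain `ip route change <remote_net> dev ipsec0 src <internal address>` there does the same job without the extra table.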

------------------------------------------------------------------------
leaf-user mailing list: leaf-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html