On Tue, 25 Jul 2006, Heinrich Rebehn wrote:
Matthew Closson wrote:
On Mon, 24 Jul 2006, Heinrich Rebehn wrote:
Hi list,
I am running into a strange problem with IPSec, MTU? fragmentation? which
I am unable to resolve.
My Setup:
@home I have one PC which connects to our institute network with IPSec.
The PC connects to the internet via a DSL modem using Linux/PPPoE or
Windows XP/SP2. This has been running fine for years now.
Last week I bought a Netgear WTG624V3 WLAN router in order to allow our
notebook to connect to the internet too.
This router is now connected between the PC and the DSL modem and does
the job of bringing up the internet connection with PPPoE.
IPSec from my PC still works, but the symptoms are as follows:
- The tunnel is brought up and I can use it to ssh to our institute's
firewall/ipsec gateway. On the gateway (OpenBSD 3.8), I can work in the
shell as long as I want, but as soon as I do a "ls -lR /" or something
else that produces large output, the connection is stalled.
However, the tunnel is still usable, I can do a 2nd ssh and continue
working.
This leads me to the conclusion that it cannot be a rekeying issue.
Under the second login, I can see both connections:
[EMAIL PROTECTED] [~]# netstat -anptcp | grep 192.168.1.2
tcp 0 48 134.102.176.250.22 192.168.1.2.40010 ESTABLISHED
tcp 0 16304 134.102.176.250.22 192.168.1.2.40009 ESTABLISHED
All MTUs (PC, WLAN router, firewall) are set to 1500.
I played with max-mss in pf.conf, as was suggested on the misc@ ML:
scrub in on enc0 all max-mss 1318
but it did not help.
Parallel to the "ls -lR /" mentioned above, I did a tcpdump on the
firewall's external if, which can be found at:
http://www.ant.uni-bremen.de/~rebehn/vlan1.dump
The dump shows that fragmentation does occur.
The same symptom can also be observed when connecting to our www server
behind the firewall, very small pages are displayed, bigger ones get
stalled.
Can anyone help me on this? I am not familiar with the internals of
TCP/IP, especially MTUs and fragmentation.
If you need isakmpd.conf, pf.conf or anything else, please let me know.
Thanks for any help,
Heinrich Rebehn
University of Bremen
Physics / Electrical and Electronics Engineering
- Department of Telecommunications -
Phone : +49/421/218-4664
Fax : -3341
http://archives.neohapsis.com/archives/openbsd/2006-06/1666.html
Thanks to all who replied, but I am still having the problem. While I will
be looking at the MTUs on the path, can someone help me understand
what's up in the above mentioned dump at
http://www.ant.uni-bremen.de/~rebehn/vlan1.dump ?
134.102.176.250 > 213.172.119.236: icmp: 134.102.176.250 protocol 4 unreachable
What does "protocol 4 unreachable" mean? According to /etc/protocols, 4 is
"IP encapsulated in IP (officially ``IP'')" ???
As one can see at the end of the dump, fragmentation does occur. Is this
absolutely lethal for IPSec?
--Heinrich
I believe what you are seeing is Path MTU discovery failing. When the
IPSEC router sees a packet which is too large for it to route, it is
sending back an ICMP Unreachable packet (because it is too large), but if
some intermediary device on the way back is over-zealously filtering ICMP,
this ICMP unreachable packet will never get back to the sender; instead it
will time out and keep sending packets which are too large, and thus you
will never be able to view the webpage or other resource.
A good test would be: if you had root access on one of the remote locations
which is giving you a problem, you could run tcpdump and see if those ICMP
packets are reaching that location or not.
If there is some router in the middle filtering this type of ICMP and the
administrator is unwilling to change it then that is going to pose a real
problem to your connectivity to those sites.
Maybe someone else who has expertise with this issue can confirm that is
what might be going on.
Good luck!
-Matt-
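As an added illustration of the encapsulation arithmetic behind both the max-mss clamp tried above and Matt's PMTUD explanation (example code written for this archive page, not from either poster): it estimates the outer datagram size of a TCP segment after ESP tunnel-mode encapsulation and derives the largest MSS that fits a PPPoE path without IP fragmentation. The IPv4/TCP/ESP header sizes are the standard ones; the cipher parameters (16-byte IV and block for AES-CBC, 12-byte HMAC-SHA1-96 ICV) and the 8-byte PPPoE overhead are assumptions, since the thread does not state which transforms or link framing are in use.

```python
# Added example (not from the thread): ESP tunnel-mode size arithmetic and
# the largest TCP MSS that avoids fragmentation on a given outer path MTU.
import math

IPV4_HDR = 20        # inner and outer IPv4 header, no options
TCP_HDR = 20         # TCP header without options
ESP_HDR = 8          # SPI (4) + sequence number (4)
ESP_TRAILER = 2      # pad length (1) + next header (1)
PPPOE_OVERHEAD = 8   # PPPoE (6) + PPP (2): Ethernet MTU 1500 -> 1492 (assumed link)


def esp_tunnel_size(mss, iv_len=16, block=16, icv_len=12):
    """Outer IPv4 datagram size for one TCP segment carrying `mss` payload
    bytes in ESP tunnel mode. Cipher parameters are assumptions: a CBC cipher
    with the given IV/block size and a truncated HMAC ICV (e.g. SHA1-96)."""
    inner = IPV4_HDR + TCP_HDR + mss                       # original IP packet
    padded = math.ceil((inner + ESP_TRAILER) / block) * block  # CBC padding
    return IPV4_HDR + ESP_HDR + iv_len + padded + icv_len


def max_mss_for_path(path_mtu, **cipher):
    """Largest MSS whose encapsulated datagram does not exceed path_mtu.
    This is the kind of value a pf 'scrub ... max-mss' clamp should enforce."""
    mss = path_mtu
    while mss > 0 and esp_tunnel_size(mss, **cipher) > path_mtu:
        mss -= 1
    return mss


def fragments_on_path(mss, path_mtu, **cipher):
    """True if a segment of this MSS would need IP fragmentation (or, with DF
    set, an ICMP 'fragmentation needed' that a filter may never deliver)."""
    return esp_tunnel_size(mss, **cipher) > path_mtu


if __name__ == "__main__":
    pppoe_mtu = 1500 - PPPOE_OVERHEAD
    # A full-size 1460-byte segment (MSS for a plain 1500-byte MTU) does not
    # fit even a 1500-byte outer MTU once encapsulated ...
    print("1460 encapsulated:", esp_tunnel_size(1460), "bytes")
    # ... while the 1318 clamp from the thread leaves comfortable headroom.
    print("1318 encapsulated:", esp_tunnel_size(1318), "bytes")
    print("max MSS for PPPoE path, AES-CBC:", max_mss_for_path(pppoe_mtu))
    print("max MSS for PPPoE path, 3DES-CBC:",
          max_mss_for_path(pppoe_mtu, iv_len=8, block=8))
```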