From: tariq_rashid@lineone.net
To: Shoichi Sakane
Cc: freebsd-security@freebsd.org
Subject: Re: MTU and KAME ipsec
Date: Thu, 18 Oct 2001 10:40:08 +0100

regarding kame ipsec and MTU ...

>From: Shoichi Sakane
>it doesn't do special things. it's not different from
>when the kernel sends the normal packet.
>in ipsec case, it just takes ipsec headers length from interface's mtu.

sakane,

thanks for your response. the following is an example from tcpdump which suggests that the kame ipsec does not take sufficient header length off?

i'm transferring a 50MB binary test file from a freebsd box across a kame vpn net onto a win2k box. the tcpdump is similar on both vpn bsd endpoints.

the vpn protected ftp server's tcpdump shows

i'm new to this so do help me out here!

thanks

tariq

---
09:31:38.573809 192.168.1.2 > 192.168.1.1: (frag 9260:84@1456) [tos 0x8]
09:31:38.575036 192.168.1.2 > 192.168.1.1: ESP(spi=0x47534254,seq=0x9f) (frag 9262:1456@0+) [tos 0x8]
09:31:38.575133 192.168.1.2 > 192.168.1.1: (frag 9262:84@1456) [tos 0x8]
09:31:38.577280 192.168.1.1 > 192.168.1.2: ESP(spi=0xd4fda2ed,seq=0x8f)
09:31:38.579618 192.168.1.2 > 192.168.1.1: ESP(spi=0x47534254,seq=0xa0) (frag 9264:1456@0+) [tos 0x8]
09:31:38.579708 192.168.1.2 > 192.168.1.1: (frag 9264:84@1456) [tos 0x8]
09:31:38.580940 192.168.1.2 > 192.168.1.1: ESP(spi=0x47534254,seq=0xa1) (frag 9266:1456@0+) [tos 0x8]
09:31:38.581037 192.168.1.2 > 192.168.1.1: (frag 9266:84@1456) [tos 0x8]
09:31:38.582266 192.168.1.2 > 192.168.1.1: ESP(spi=0x47534254,seq=0xa2) (frag 9268:1456@0+) [tos 0x8]
09:31:38.582364 192.168.1.2 > 192.168.1.1: (frag 9268:84@1456) [tos 0x8]
09:31:38.583021 192.168.1.1 > 192.168.1.2: ESP(spi=0xd4fda2ed,seq=0x90)
09:31:38.583156 192.168.1.1 > 192.168.1.2: ESP(spi=0xd4fda2ed,seq=0x91)
09:31:38.584578 192.168.1.1 > 192.168.1.2: ESP(spi=0xd4fda2ed,seq=0x92)
09:31:38.584722 192.168.1.1 > 192.168.1.2: ESP(spi=0xd4fda2ed,seq=0x93)
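
Summing the fragment pairs in the capture above per IP ID shows how large each ESP packet was before it was fragmented. This is an added example, not part of the original message; the sample lines are copied from the capture, and it assumes 20-byte IPv4 headers without options and that the size tcpdump prints in `frag id:size@offset` is the fragment's data length excluding the IP header.

```python
import re
from collections import defaultdict

# Lines copied from the tcpdump capture in the message above.
DUMP = """\
09:31:38.573809 192.168.1.2 > 192.168.1.1: (frag 9260:84@1456) [tos 0x8]
09:31:38.575036 192.168.1.2 > 192.168.1.1: ESP(spi=0x47534254,seq=0x9f) (frag 9262:1456@0+) [tos 0x8]
09:31:38.575133 192.168.1.2 > 192.168.1.1: (frag 9262:84@1456) [tos 0x8]
09:31:38.577280 192.168.1.1 > 192.168.1.2: ESP(spi=0xd4fda2ed,seq=0x8f)
09:31:38.579618 192.168.1.2 > 192.168.1.1: ESP(spi=0x47534254,seq=0xa0) (frag 9264:1456@0+) [tos 0x8]
09:31:38.579708 192.168.1.2 > 192.168.1.1: (frag 9264:84@1456) [tos 0x8]
"""

# frag <ip id>:<data bytes>@<offset>, with a trailing '+' when more fragments follow
FRAG = re.compile(r"\(frag (\d+):(\d+)@(\d+)(\+?)\)")
IPV4_HEADER = 20  # assumption: no IP options


def reassemble(dump):
    """Group fragment lines by IP ID and summarise each original datagram."""
    frags = defaultdict(list)
    for line in dump.splitlines():
        m = FRAG.search(line)
        if m:
            ip_id, size, off, more = m.groups()
            frags[int(ip_id)].append((int(off), int(size), more == "+"))
    result = {}
    for ip_id, parts in frags.items():
        parts.sort()
        expected, contiguous = 0, True
        for off, size, _more in parts:
            if off != expected:      # gap: a fragment is missing from the capture
                contiguous = False
                break
            expected = off + size
        # complete only if offsets are contiguous and the last fragment has no '+'
        complete = contiguous and not parts[-1][2]
        result[ip_id] = {
            "fragments": len(parts),
            "complete": complete,
            "datagram_len": expected + IPV4_HEADER if complete else None,
            "largest_fragment": max(s for _, s, _ in parts) + IPV4_HEADER,
        }
    return result


if __name__ == "__main__":
    for ip_id, info in sorted(reassemble(DUMP).items()):
        print(ip_id, info)
```

IP ID 9260 is reported as incomplete because its first fragment falls before the start of the capture.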