From owner-freebsd-security Thu Oct 18 3:36:50 2001
Delivered-To: freebsd-security@freebsd.org
To: tariq_rashid@lineone.net
Cc: freebsd-security@freebsd.org
Subject: Re: MTU and KAME ipsec
In-Reply-To: Your message of "Thu, 18 Oct 2001 10:40:08 +0100"
Message-Id: <20011018193637H.sakane@kame.net>
Date: Thu, 18 Oct 2001 19:36:37 +0900
From: Shoichi Sakane

> The following is an example from tcpdump which suggests that the KAME IPsec does not take sufficient header length off? I'm transferring a 50MB binary test file from a FreeBSD box across a KAME VPN net onto a Win2k box.
>
> The tcpdump is similar on both VPN BSD endpoints. The VPN-protected FTP server's tcpdump shows

Umm, I have checked ESP tunnel mode between two hosts. There is one router between them, and it looks to work fine. Just to make sure: are 192.168.1.2 and 192.168.1.1 the FreeBSD 4.4 VPN boxes? And which side is the Win2k box on? Is there no router between the two VPN boxes?
> 09:31:38.573809 192.168.1.2 > 192.168.1.1: (frag 9260:84@1456) [tos 0x8]
> 09:31:38.575036 192.168.1.2 > 192.168.1.1: ESP(spi=0x47534254,seq=0x9f) (frag 9262:1456@0+) [tos 0x8]
> 09:31:38.575133 192.168.1.2 > 192.168.1.1: (frag 9262:84@1456) [tos 0x8]
> 09:31:38.577280 192.168.1.1 > 192.168.1.2: ESP(spi=0xd4fda2ed,seq=0x8f)
> 09:31:38.579618 192.168.1.2 > 192.168.1.1: ESP(spi=0x47534254,seq=0xa0) (frag 9264:1456@0+) [tos 0x8]
> 09:31:38.579708 192.168.1.2 > 192.168.1.1: (frag 9264:84@1456) [tos 0x8]
> 09:31:38.580940 192.168.1.2 > 192.168.1.1: ESP(spi=0x47534254,seq=0xa1) (frag 9266:1456@0+) [tos 0x8]
> 09:31:38.581037 192.168.1.2 > 192.168.1.1: (frag 9266:84@1456) [tos 0x8]
> 09:31:38.582266 192.168.1.2 > 192.168.1.1: ESP(spi=0x47534254,seq=0xa2) (frag 9268:1456@0+) [tos 0x8]
> 09:31:38.582364 192.168.1.2 > 192.168.1.1: (frag 9268:84@1456) [tos 0x8]
> 09:31:38.583021 192.168.1.1 > 192.168.1.2: ESP(spi=0xd4fda2ed,seq=0x90)
> 09:31:38.583156 192.168.1.1 > 192.168.1.2: ESP(spi=0xd4fda2ed,seq=0x91)
> 09:31:38.584578 192.168.1.1 > 192.168.1.2: ESP(spi=0xd4fda2ed,seq=0x92)
> 09:31:38.584722 192.168.1.1 > 192.168.1.2: ESP(spi=0xd4fda2ed,seq=0x93)
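As an added illustration of what the quoted dump shows (example code, not part of the thread or of KAME): a small parser for tcpdump's `(frag id:len@off+)` notation that reassembles each fragmented ESP datagram from 192.168.1.2 and reports how far the encapsulated packet overshoots the link MTU. The sample lines are copied from the dump above; the 1500-byte MTU and the 20-byte outer IPv4 header are assumptions, and the `reassemble` / `esp_over_mtu` names are mine.

```python
import re
from collections import defaultdict

# Constructed sample: lines copied from the tcpdump quoted in the thread above.
SAMPLE_DUMP = """\
09:31:38.575036 192.168.1.2 > 192.168.1.1: ESP(spi=0x47534254,seq=0x9f) (frag 9262:1456@0+) [tos 0x8]
09:31:38.575133 192.168.1.2 > 192.168.1.1: (frag 9262:84@1456) [tos 0x8]
09:31:38.577280 192.168.1.1 > 192.168.1.2: ESP(spi=0xd4fda2ed,seq=0x8f)
09:31:38.579618 192.168.1.2 > 192.168.1.1: ESP(spi=0x47534254,seq=0xa0) (frag 9264:1456@0+) [tos 0x8]
09:31:38.579708 192.168.1.2 > 192.168.1.1: (frag 9264:84@1456) [tos 0x8]
"""

IP_HDR = 20  # assumed outer IPv4 header (no options); tcpdump's frag length excludes it
FRAG_RE = re.compile(r"\(frag (\d+):(\d+)@(\d+)(\+?)\)")   # id:len@offset, '+' = more fragments
SPI_RE = re.compile(r"ESP\(spi=(0x[0-9a-fA-F]+)")
FLOW_RE = re.compile(r"^\S+ (\S+) > (\S+):")                # timestamp src > dst:

def reassemble(dump):
    """Group fragments by (src, dst, ip_id); return {key: {'spi', 'size', 'complete'}}."""
    frags = defaultdict(lambda: {"spi": None, "pieces": [], "last_seen": False})
    for line in dump.splitlines():
        m, flow = FRAG_RE.search(line), FLOW_RE.match(line)
        if not m or not flow:
            continue                      # unfragmented packet: nothing to reassemble
        key = (flow.group(1), flow.group(2), int(m.group(1)))
        size, off, more = int(m.group(2)), int(m.group(3)), m.group(4) == "+"
        entry = frags[key]
        entry["pieces"].append((off, size))
        entry["last_seen"] = entry["last_seen"] or not more
        spi = SPI_RE.search(line)         # only the first fragment carries the ESP header
        if spi:
            entry["spi"] = spi.group(1)
    result = {}
    for key, e in frags.items():
        pieces = sorted(e["pieces"])
        # complete when each piece starts where the previous ended and the last one had no MF bit
        contiguous = all(off == sum(s for _, s in pieces[:i]) for i, (off, _) in enumerate(pieces))
        total = sum(s for _, s in pieces) + IP_HDR
        result[key] = {"spi": e["spi"], "size": total, "complete": contiguous and e["last_seen"]}
    return result

def esp_over_mtu(dump, mtu=1500):
    """Fragmented ESP datagrams as (src, dst, ip_id, spi, datagram_size, bytes_over_mtu)."""
    return [(k[0], k[1], k[2], v["spi"], v["size"], v["size"] - mtu)
            for k, v in reassemble(dump).items() if v["spi"] and v["complete"]]

if __name__ == "__main__":
    for src, dst, ip_id, spi, size, over in esp_over_mtu(SAMPLE_DUMP):
        print(f"{src} > {dst} id={ip_id} spi={spi}: {size} bytes, {over} over MTU")
```

A consistent overshoot per SA is the signature of the tunnel not reducing the inner path MTU by its encapsulation overhead; the largest fragment size plus the header length also bounds the MTU at which fragmentation happened.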