From owner-freebsd-security Mon Jun 28 10: 4:28 1999
Delivered-To: freebsd-security@freebsd.org
Received: from cerberus.techfuel.com (irvine.techfuel.com [209.80.51.55]) by hub.freebsd.org (Postfix) with ESMTP id 785821538D for ; Mon, 28 Jun 1999 10:04:20 -0700 (PDT) (envelope-from kehlet@techfuel.com)
Received: from basilisk.techfuel.com (basilisk.techfuel.com [172.16.1.2]) by cerberus.techfuel.com (8.9.3/8.9.3) with ESMTP id KAA02019 for ; Mon, 28 Jun 1999 10:04:07 -0700 (PDT)
Received: from phoenix.techfuel.com (phoenix.techfuel.com [172.16.1.5]) by basilisk.techfuel.com (8.9.3/8.9.3) with ESMTP id KAA18167 for ; Mon, 28 Jun 1999 10:01:50 -0700 (PDT)
Received: from localhost (kehlet@localhost) by phoenix.techfuel.com (8.9.3/8.9.3) with ESMTP id KAA00878 for ; Mon, 28 Jun 1999 10:07:06 -0700
X-Authentication-Warning: phoenix.techfuel.com: kehlet owned process doing -bs
Date: Mon, 28 Jun 1999 10:07:06 -0700 (PDT)
From: Steven Kehlet
To: freebsd-security@freebsd.org
Subject: having problems with IPSec VPN using FreeBSD -- help please! :-)
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hi,

I'm trying to set up a VPN using IPSec tunnelling between two FreeBSD 3.1 boxes across the Internet. I'm using the IPSec for FreeBSD implementation from www.r4k.net. The setup looks okay, and the tunnelling seems to work great. Unfortunately the problem comes with large data transfers; I think there might be some sort of IP fragmentation problem. When I try to read a large mailbox with IMAP over the link, it connects but then it just hangs there with the other end sending me nothing but fragments (see tcpdump below). For some reason POP works fine, Netscape and web stuff doesn't work, and sometimes even doing a "man ipsecadm" or "ps -aux" (i.e. a sudden burst of data) in a telnet session will cause it to hang.

I've set up the SAs and flows okay; everything looks fine and I'm able to ping and telnet to and from boxes on non-routable IP ranges behind each box. That is, site A has 172.16/16 behind A.A.A.A, and site B has 172.17/16 behind B.B.B.B, and I can ping/telnet 172.17.X.X from 172.16.X.X no problem.

Here's a tcpdump log on A.A.A.A while I'm trying to use IMAP from 172.16.X.X to B.B.B.B. Notice about half-way down, all of a sudden there's all this fragmentation happening, at which point my session never recovers.

Can anyone offer any sort of explanation, offer tips for debugging, anything I can try, some way I can reduce the fragmentation (lower the mtu on my ethernet interface?), etc?

Thanks! :-) :-)

A.A.A.A# tcpdump -n host B.B.B.B
tcpdump: listening on xl0
15:19:23.517547 A.A.A.A > B.B.B.B: ip-proto-50 84 [tos 0x10]
15:19:23.580292 B.B.B.B > A.A.A.A: ip-proto-50 92 [tos 0x10]
15:19:23.593400 A.A.A.A > B.B.B.B: ip-proto-50 68 [tos 0x10]
15:19:23.601293 A.A.A.A > B.B.B.B: ip-proto-50 84 [tos 0x10]
15:19:23.654207 B.B.B.B > A.A.A.A: ip-proto-50 92 [tos 0x10]
15:19:23.673426 A.A.A.A > B.B.B.B: ip-proto-50 68 [tos 0x10]
15:19:28.368815 A.A.A.A > B.B.B.B: ip-proto-50 84
15:19:28.399378 B.B.B.B > A.A.A.A: ip-proto-50 68
15:19:28.400009 A.A.A.A > B.B.B.B: ip-proto-50 68
15:19:28.441323 B.B.B.B > A.A.A.A: ip-proto-50 116
15:19:28.447346 B.B.B.B > A.A.A.A: ip-proto-50 124
15:19:28.448072 A.A.A.A > B.B.B.B: ip-proto-50 68
15:19:28.448476 A.A.A.A > B.B.B.B: ip-proto-50 84
15:19:28.481736 B.B.B.B > A.A.A.A: ip-proto-50 220
15:19:28.484531 A.A.A.A > B.B.B.B: ip-proto-50 92
15:19:28.513555 B.B.B.B > A.A.A.A: ip-proto-50 84
15:19:28.533459 A.A.A.A > B.B.B.B: ip-proto-50 68
15:19:28.552944 A.A.A.A > B.B.B.B: ip-proto-50 76
15:19:28.583303 B.B.B.B > A.A.A.A: ip-proto-50 84
15:19:28.584113 A.A.A.A > B.B.B.B: ip-proto-50 76
15:19:28.619272 B.B.B.B > A.A.A.A: ip-proto-50 148
15:19:28.623804 B.B.B.B > A.A.A.A: ip-proto-50 100
15:19:28.624694 A.A.A.A > B.B.B.B: ip-proto-50 92
15:19:28.684544 B.B.B.B > A.A.A.A: ip-proto-50 68
15:19:28.705040 B.B.B.B > A.A.A.A: ip-proto-50 428
15:19:28.707171 A.A.A.A > B.B.B.B: ip-proto-50 92
15:19:28.747522 B.B.B.B > A.A.A.A: ip-proto-50 116
15:19:28.749721 A.A.A.A > B.B.B.B: ip-proto-50 92
15:19:28.806969 B.B.B.B > A.A.A.A: ip-proto-50 564
15:19:28.809320 A.A.A.A > B.B.B.B: ip-proto-50 92
15:19:28.863102 B.B.B.B > A.A.A.A: ip-proto-50 580
15:19:28.865950 A.A.A.A > B.B.B.B: ip-proto-50 204
15:19:28.962327 B.B.B.B > A.A.A.A: ip-proto-50 1480 (frag 60039:1480@0+)
15:19:28.962394 B.B.B.B > A.A.A.A: (frag 60039:44@1480)
15:19:29.003582 B.B.B.B > A.A.A.A: ip-proto-50 1480 (frag 28411:1480@0+)
15:19:29.003650 B.B.B.B > A.A.A.A: (frag 28411:44@1480)
15:19:29.044684 B.B.B.B > A.A.A.A: ip-proto-50 1480 (frag 56344:1480@0+)
15:19:29.044750 B.B.B.B > A.A.A.A: (frag 56344:44@1480)
15:19:29.063749 A.A.A.A > B.B.B.B: ip-proto-50 204
15:19:29.086139 B.B.B.B > A.A.A.A: ip-proto-50 1480 (frag 64175:1480@0+)
15:19:29.086207 B.B.B.B > A.A.A.A: (frag 64175:44@1480)
15:19:29.128743 B.B.B.B > A.A.A.A: ip-proto-50 1480 (frag 32580:1480@0+)
15:19:29.128809 B.B.B.B > A.A.A.A: (frag 32580:44@1480)
15:19:29.169049 B.B.B.B > A.A.A.A: ip-proto-50 1480 (frag 55233:1480@0+)
15:19:29.169116 B.B.B.B > A.A.A.A: (frag 55233:44@1480)
15:19:29.210538 B.B.B.B > A.A.A.A: ip-proto-50 1480 (frag 24250:1480@0+)
15:19:29.210605 B.B.B.B > A.A.A.A: (frag 24250:44@1480)
15:19:29.251771 B.B.B.B > A.A.A.A: ip-proto-50 1480 (frag 64284:1480@0+)
15:19:29.251838 B.B.B.B > A.A.A.A: (frag 64284:44@1480)
15:19:29.292988 B.B.B.B > A.A.A.A: ip-proto-50 1480 (frag 15716:1480@0+)
15:19:29.293055 B.B.B.B > A.A.A.A: (frag 15716:44@1480)
15:19:29.334187 B.B.B.B > A.A.A.A: ip-proto-50 1480 (frag 42527:1480@0+)
15:19:29.334254 B.B.B.B > A.A.A.A: (frag 42527:44@1480)
15:19:29.380159 B.B.B.B > A.A.A.A: ip-proto-50 1480 (frag 41459:1480@0+)
15:19:29.380225 B.B.B.B > A.A.A.A: (frag 41459:44@1480)
15:19:29.380328 B.B.B.B > A.A.A.A: ip-proto-50 68
15:19:30.335041 B.B.B.B > A.A.A.A: ip-proto-50 1480 (frag 63704:1480@0+)
15:19:30.335107 B.B.B.B > A.A.A.A: (frag 63704:44@1480)
15:19:32.335848 B.B.B.B > A.A.A.A: ip-proto-50 1480 (frag 45951:1480@0+)
15:19:32.335913 B.B.B.B > A.A.A.A: (frag 45951:44@1480)
15:19:36.338218 B.B.B.B > A.A.A.A: ip-proto-50 1480 (frag 52615:1480@0+)
15:19:36.338284 B.B.B.B > A.A.A.A: (frag 52615:44@1480)
15:19:44.334750 B.B.B.B > A.A.A.A: ip-proto-50 1480 (frag 61321:1480@0+)
15:19:44.334817 B.B.B.B > A.A.A.A: (frag 61321:44@1480)

For grins, here are my SAs and ipsec flows (from A.A.A.A):

cerberus# sysctl net.ipsec.setup
net.ipsec.setup: IPsec Setup
SPI = 00001001, Destination = A.A.A.A, Sproto = 50
    established 15 seconds ago
    src = B.B.B.B, flags = 00000040, SAtype = 0
    xform =
    encryption =
    authentication =
    OSrc = B.B.B.B ODst = A.A.A.A, TTL = 0
    0 flows counted (use netstat -r for more information)
    Expirations:
        Currently 0 bytes processed
        Currently 0 packets processed
        (none)
SPI = 00001000, Destination = B.B.B.B, Sproto = 50
    established 15 seconds ago
    src = A.A.A.A, flags = 00000040, SAtype = 0
    xform =
    encryption =
    authentication =
    OSrc = A.A.A.A ODst = B.B.B.B, TTL = 0
    0 flows counted (use netstat -r for more information)
    Expirations:
        Currently 0 bytes processed
        Currently 0 packets processed
        (none)

cerberus# netstat -rn
Routing tables

Internet:
Destination        Gateway            Flags     Refs     Use     Netif Expire

Encap:
Source address/netmask    Port  Destination address/netmask  Port  Proto  SA(Address/SPI/Proto)
0.0.0.0/255.255.255.255   0     172.17.0.0/255.255.0.0       0     0      B.B.B.B/00001000/50
0.0.0.0/255.255.255.255   0     B.B.B.B/255.255.255.255      0     0      B.B.B.B/00001000/50
172.16.0.0/255.255.0.0    0     172.17.0.0/255.255.0.0       0     0      B.B.B.B/00001000/50
172.16.0.0/255.255.0.0    0     B.B.B.B/255.255.255.255      0     0      B.B.B.B/00001000/50
A.A.A.A/255.255.255.255   0     172.17.0.0/255.255.0.0       0     0      B.B.B.B/00001000/50
A.A.A.A/255.255.255.255   0     B.B.B.B/255.255.255.255      0     0      B.B.B.B/00001000/50
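The check a practitioner would run over a trace like the one above, added here as an example and not part of the original post or of the r4k.net IPsec code: it parses tcpdump's IPv4 fragment notation, sizes each fragmented outer ESP datagram, reports how far it overshoots an assumed 1500-byte Ethernet MTU, and tests whether the spacing of the repeated fragmented datagrams follows TCP's retransmission back-off (a sender whose segments are never acknowledged). The suggested inner MTU assumes the fragmented packets were full-MTU segments, which is what the 1480 + 20 byte first fragments suggest; the sample lines are copied from the post's trace.

```python
# Added example, not from the original post: size the fragmented ESP datagrams in a
# tcpdump 3.x trace and test for back-off. SAMPLE is built from the post's trace lines.
import re
from collections import defaultdict
MTU, IPV4_HDR = 1500, 20  # assumed Ethernet MTU and outer IPv4 header size
LINE_RE = re.compile(  # "<ts> SRC > DST: ip-proto-50 1480 (frag 60039:1480@0+)"
    r'^(?P<ts>\d+:\d+:\d+\.\d+) (?P<src>\S+) > (?P<dst>\S+): (?:ip-proto-\d+ \d+\s*)?'
    r'(?:\(frag (?P<id>\d+):(?P<flen>\d+)@(?P<off>\d+)(?P<more>\+?)\))?')
def parse(lines):  # one record per fragment line; unfragmented lines are skipped
    recs = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m and m.group('id'):
            h, mi, s = m.group('ts').split(':')
            recs.append({'t': int(h) * 3600 + int(mi) * 60 + float(s),
                         'key': (m.group('src'), m.group('dst'), int(m.group('id'))),
                         'flen': int(m.group('flen')), 'off': int(m.group('off')),
                         'more': m.group('more') == '+'})
    return recs
def reassemble(recs):  # group by (src, dst, IP id) and size each original datagram
    groups = defaultdict(list)
    for r in recs:
        groups[r['key']].append(r)
    dgs = []
    for frags in groups.values():
        last = max(frags, key=lambda f: f['off'])
        payload = last['off'] + last['flen']  # only right if the last fragment arrived
        dgs.append({'t': min(f['t'] for f in frags), 'total': payload + IPV4_HDR,
                    'complete': not last['more'] and sum(f['flen'] for f in frags) == payload})
    return sorted(dgs, key=lambda d: d['t'])
def diagnose(recs, mtu=MTU):
    # Overshoot of the largest complete datagram over the MTU, plus whether the gaps
    # between fragmented datagrams grow like TCP retransmission back-off (2s, 4s, 8s).
    dgs = [d for d in reassemble(recs) if d['complete']]
    if not dgs: return None
    biggest = max(d['total'] for d in dgs)
    gaps = [b['t'] - a['t'] for a, b in zip(dgs, dgs[1:])]
    backoff = len(gaps) >= 3 and all(y >= 1.8 * x for x, y in zip(gaps[-3:], gaps[-2:]))
    # Assumption: the inner packet filled the MTU, so the overshoot is the tunnel
    # overhead and the inner-facing interface MTU must drop by at least that much.
    return {'datagram_bytes': biggest, 'overshoot': biggest - mtu,
            'retransmit_backoff': backoff, 'suggested_inner_mtu': 2 * mtu - biggest}
SAMPLE = """15:19:30.335041 B.B.B.B > A.A.A.A: ip-proto-50 1480 (frag 63704:1480@0+)
15:19:30.335107 B.B.B.B > A.A.A.A: (frag 63704:44@1480)
15:19:32.335848 B.B.B.B > A.A.A.A: ip-proto-50 1480 (frag 45951:1480@0+)
15:19:32.335913 B.B.B.B > A.A.A.A: (frag 45951:44@1480)
15:19:36.338218 B.B.B.B > A.A.A.A: ip-proto-50 1480 (frag 52615:1480@0+)
15:19:36.338284 B.B.B.B > A.A.A.A: (frag 52615:44@1480)
15:19:44.334750 B.B.B.B > A.A.A.A: ip-proto-50 1480 (frag 61321:1480@0+)
15:19:44.334817 B.B.B.B > A.A.A.A: (frag 61321:44@1480)"""
```

Running `diagnose(parse(SAMPLE.splitlines()))` on the post's tail reports 1544-byte outer datagrams, a 44-byte overshoot, and doubling gaps, which is why the poster's own idea of lowering the MTU on the inner-side interface (to 1456 or less under the assumption above) is the first thing to try.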