Date: Mon, 28 Jun 1999 10:54:46 -0700 (PDT)
From: Steven Kehlet <kehlet@techfuel.com>
To: Josef Karthauser <joe@pavilion.net>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: having problems with IPSec VPN using FreeBSD -- help please! :-)
Message-ID: <Pine.LNX.4.10.9906281051080.781-100000@phoenix.techfuel.com>
In-Reply-To: <19990628182551.T60952@pavilion.net>
Thanks for the reply!  I tried just now turning down my mtu on both ends (to
1400) but the same thing happens.  I'm wondering if changing the mtu on the
interface is too late, i.e. the packet size reduction needs to be done earlier
in the processing or something.  I don't see any way to do this (through
ipsecadm?) though.

Steve

On Mon, 28 Jun 1999, Josef Karthauser wrote:

> Date: Mon, 28 Jun 1999 18:25:51 +0100
> From: Josef Karthauser <joe@pavilion.net>
> To: Steven Kehlet <kehlet@techfuel.com>
> Cc: freebsd-security@FreeBSD.ORG
> Subject: Re: having problems with IPSec VPN using FreeBSD -- help please! :-)
>
> I had a similar problem with an IPoverIP tunnel between two cisco routers.
> You may need to reduce the MTU to 1500-ipsec packet overhead.  In my case an
> IPoverIP tunnel adds 14 bytes of information so I needed to set the MTU
> to 1500-14.  Under normal circumstances this shouldn't matter, but as it
> turns out a lot of the internet is "broken" when it comes to ICMP _must_
> fragment packets.  It seems that a fairly standard firewall configuration
> is to filter these out!
>
> You may have some mileage in this.
>
> Joe
>
> On Mon, Jun 28, 1999 at 10:07:06AM -0700, Steven Kehlet wrote:
> > Hi,
> >
> > I'm trying to set up a VPN using IPSec tunnelling between two FreeBSD 3.1 boxes
> > across the Internet.  I'm using the IPSec for FreeBSD implementation from
> > www.r4k.net.
> >
> > The setup looks okay, and the tunnelling seems to work great.  Unfortunately
> > the problem comes with large data transfers; I think there might be some sort
> > of IP fragmentation problem.  When I try to read a large mailbox with IMAP over
> > the link, it connects but then it just hangs there with the other end sending
> > me nothing but fragments (see tcpdump below).  For some reason POP works fine,
> > Netscape and web stuff doesn't work, and sometimes even doing a "man ipsecadm"
> > or "ps -aux" (i.e. sudden burst of data) in a telnet session will cause it to
> > hang.
> >
> > I've set up the SAs and flows okay; everything looks fine and I'm able to ping
> > and telnet to and from boxes on non-routable IP ranges behind each box.  That
> > is, site A has 172.16/16 behind A.A.A.A, and site B has 172.17/16 behind
> > B.B.B.B, and I can ping/telnet 172.17.X.X from 172.16.X.X no problem.
> >
> > Here's a tcpdump log on A.A.A.A while I'm trying to use IMAP from 172.16.X.X to
> > B.B.B.B.  Notice about half-way down all of a sudden there's all this
> > fragmentation happening, at which point my session never recovers.
> >
> > Can anyone offer any sort of explanation, offer tips for debugging, anything I
> > can try, some way I can reduce the fragmentation (lower the mtu on my ethernet
> > interface?), etc?  Thanks! :-) :-)
> >
> > A.A.A.A# tcpdump -n host B.B.B.B
> > tcpdump: listening on xl0
> > 15:19:23.517547 A.A.A.A > B.B.B.B: ip-proto-50 84 [tos 0x10]
> > 15:19:23.580292 B.B.B.B > A.A.A.A: ip-proto-50 92 [tos 0x10]
> > 15:19:23.593400 A.A.A.A > B.B.B.B: ip-proto-50 68 [tos 0x10]
> > 15:19:23.601293 A.A.A.A > B.B.B.B: ip-proto-50 84 [tos 0x10]
> > 15:19:23.654207 B.B.B.B > A.A.A.A: ip-proto-50 92 [tos 0x10]
> > 15:19:23.673426 A.A.A.A > B.B.B.B: ip-proto-50 68 [tos 0x10]
> > 15:19:28.368815 A.A.A.A > B.B.B.B: ip-proto-50 84
> > 15:19:28.399378 B.B.B.B > A.A.A.A: ip-proto-50 68
> > 15:19:28.400009 A.A.A.A > B.B.B.B: ip-proto-50 68
> > 15:19:28.441323 B.B.B.B > A.A.A.A: ip-proto-50 116
> > 15:19:28.447346 B.B.B.B > A.A.A.A: ip-proto-50 124
> > 15:19:28.448072 A.A.A.A > B.B.B.B: ip-proto-50 68
> > 15:19:28.448476 A.A.A.A > B.B.B.B: ip-proto-50 84
> > 15:19:28.481736 B.B.B.B > A.A.A.A: ip-proto-50 220
> > 15:19:28.484531 A.A.A.A > B.B.B.B: ip-proto-50 92
> > 15:19:28.513555 B.B.B.B > A.A.A.A: ip-proto-50 84
> > 15:19:28.533459 A.A.A.A > B.B.B.B: ip-proto-50 68
> > 15:19:28.552944 A.A.A.A > B.B.B.B: ip-proto-50 76
> > 15:19:28.583303 B.B.B.B > A.A.A.A: ip-proto-50 84
> > 15:19:28.584113 A.A.A.A > B.B.B.B: ip-proto-50 76
> > 15:19:28.619272 B.B.B.B > A.A.A.A: ip-proto-50 148
> > 15:19:28.623804 B.B.B.B > A.A.A.A: ip-proto-50 100
> > 15:19:28.624694 A.A.A.A > B.B.B.B: ip-proto-50 92
> > 15:19:28.684544 B.B.B.B > A.A.A.A: ip-proto-50 68
> > 15:19:28.705040 B.B.B.B > A.A.A.A: ip-proto-50 428
> > 15:19:28.707171 A.A.A.A > B.B.B.B: ip-proto-50 92
> > 15:19:28.747522 B.B.B.B > A.A.A.A: ip-proto-50 116
> > 15:19:28.749721 A.A.A.A > B.B.B.B: ip-proto-50 92
> > 15:19:28.806969 B.B.B.B > A.A.A.A: ip-proto-50 564
> > 15:19:28.809320 A.A.A.A > B.B.B.B: ip-proto-50 92
> > 15:19:28.863102 B.B.B.B > A.A.A.A: ip-proto-50 580
> > 15:19:28.865950 A.A.A.A > B.B.B.B: ip-proto-50 204
> > 15:19:28.962327 B.B.B.B > A.A.A.A: ip-proto-50 1480 (frag 60039:1480@0+)
> > 15:19:28.962394 B.B.B.B > A.A.A.A: (frag 60039:44@1480)
> > 15:19:29.003582 B.B.B.B > A.A.A.A: ip-proto-50 1480 (frag 28411:1480@0+)
> > 15:19:29.003650 B.B.B.B > A.A.A.A: (frag 28411:44@1480)
> > 15:19:29.044684 B.B.B.B > A.A.A.A: ip-proto-50 1480 (frag 56344:1480@0+)
> > 15:19:29.044750 B.B.B.B > A.A.A.A: (frag 56344:44@1480)
> > 15:19:29.063749 A.A.A.A > B.B.B.B: ip-proto-50 204
> > 15:19:29.086139 B.B.B.B > A.A.A.A: ip-proto-50 1480 (frag 64175:1480@0+)
> > 15:19:29.086207 B.B.B.B > A.A.A.A: (frag 64175:44@1480)
> > 15:19:29.128743 B.B.B.B > A.A.A.A: ip-proto-50 1480 (frag 32580:1480@0+)
> > 15:19:29.128809 B.B.B.B > A.A.A.A: (frag 32580:44@1480)
> > 15:19:29.169049 B.B.B.B > A.A.A.A: ip-proto-50 1480 (frag 55233:1480@0+)
> > 15:19:29.169116 B.B.B.B > A.A.A.A: (frag 55233:44@1480)
> > 15:19:29.210538 B.B.B.B > A.A.A.A: ip-proto-50 1480 (frag 24250:1480@0+)
> > 15:19:29.210605 B.B.B.B > A.A.A.A: (frag 24250:44@1480)
> > 15:19:29.251771 B.B.B.B > A.A.A.A: ip-proto-50 1480 (frag 64284:1480@0+)
> > 15:19:29.251838 B.B.B.B > A.A.A.A: (frag 64284:44@1480)
> > 15:19:29.292988 B.B.B.B > A.A.A.A: ip-proto-50 1480 (frag 15716:1480@0+)
> > 15:19:29.293055 B.B.B.B > A.A.A.A: (frag 15716:44@1480)
> > 15:19:29.334187 B.B.B.B > A.A.A.A: ip-proto-50 1480 (frag 42527:1480@0+)
> > 15:19:29.334254 B.B.B.B > A.A.A.A: (frag 42527:44@1480)
> > 15:19:29.380159 B.B.B.B > A.A.A.A: ip-proto-50 1480 (frag 41459:1480@0+)
> > 15:19:29.380225 B.B.B.B > A.A.A.A: (frag 41459:44@1480)
> > 15:19:29.380328 B.B.B.B > A.A.A.A: ip-proto-50 68
> > 15:19:30.335041 B.B.B.B > A.A.A.A: ip-proto-50 1480 (frag 63704:1480@0+)
> > 15:19:30.335107 B.B.B.B > A.A.A.A: (frag 63704:44@1480)
> > 15:19:32.335848 B.B.B.B > A.A.A.A: ip-proto-50 1480 (frag 45951:1480@0+)
> > 15:19:32.335913 B.B.B.B > A.A.A.A: (frag 45951:44@1480)
> > 15:19:36.338218 B.B.B.B > A.A.A.A: ip-proto-50 1480 (frag 52615:1480@0+)
> > 15:19:36.338284 B.B.B.B > A.A.A.A: (frag 52615:44@1480)
> > 15:19:44.334750 B.B.B.B > A.A.A.A: ip-proto-50 1480 (frag 61321:1480@0+)
> > 15:19:44.334817 B.B.B.B > A.A.A.A: (frag 61321:44@1480)
> >
> >
> > For grins, here are my SAs and ipsec flows (from A.A.A.A):
> >
> > cerberus# sysctl net.ipsec.setup
> > net.ipsec.setup:
> > IPsec Setup
> >
> > SPI = 00001001, Destination = A.A.A.A, Sproto = 50
> >     established 15 seconds ago
> >     src = B.B.B.B, flags = 00000040, SAtype = 0
> >     xform = <Encryption + Authentication + Replay Protection>
> >     encryption = <Tripple DES (3DES)>
> >     authentication = <HMAC-SHA1-96>
> >     OSrc = B.B.B.B ODst = A.A.A.A, TTL = 0
> >     0 flows counted (use netstat -r for more information)
> >     Expirations:
> >     Currently 0 bytes processed
> >     Currently 0 packets processed
> >     (none)
> > SPI = 00001000, Destination = B.B.B.B, Sproto = 50
> >     established 15 seconds ago
> >     src = A.A.A.A, flags = 00000040, SAtype = 0
> >     xform = <Encryption + Authentication + Replay Protection>
> >     encryption = <Tripple DES (3DES)>
> >     authentication = <HMAC-SHA1-96>
> >     OSrc = A.A.A.A ODst = B.B.B.B, TTL = 0
> >     0 flows counted (use netstat -r for more information)
> >     Expirations:
> >     Currently 0 bytes processed
> >     Currently 0 packets processed
> >     (none)
> >
> >
> > cerberus# netstat -rn
> > Routing tables
> >
> > Internet:
> > Destination        Gateway            Flags     Refs     Use     Netif Expire
> >
> > <many routes deleted>
> >
> > Encap:
> > Source address/netmask     Port  Destination address/netmask  Port  Proto  SA(Address/SPI/Proto)
> > 0.0.0.0/255.255.255.255    0     172.17.0.0/255.255.0.0       0     0      B.B.B.B/00001000/50
> > 0.0.0.0/255.255.255.255    0     B.B.B.B/255.255.255.255      0     0      B.B.B.B/00001000/50
> > 172.16.0.0/255.255.0.0     0     172.17.0.0/255.255.0.0       0     0      B.B.B.B/00001000/50
> > 172.16.0.0/255.255.0.0     0     B.B.B.B/255.255.255.255      0     0      B.B.B.B/00001000/50
> > A.A.A.A/255.255.255.255    0     172.17.0.0/255.255.0.0       0     0      B.B.B.B/00001000/50
> > A.A.A.A/255.255.255.255    0     B.B.B.B/255.255.255.255      0     0      B.B.B.B/00001000/50
> >
> >

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
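To make the "1500 minus IPsec overhead" arithmetic from Joe's reply concrete for the SAs quoted above (ESP tunnel mode, 3DES-CBC, HMAC-SHA1-96), here is an added Python example that is not part of the thread: it computes the largest inner packet that still fits a 1500-byte link once encapsulated, and groups the fragment records of a tcpdump log in the format quoted above by IP id so that datagrams split on the wire stand out. The overhead constants follow the RFC 2406 ESP packet layout, the regex assumes tcpdump's classic `(frag id:len@off+)` notation, and the sample log lines are constructed.

```python
import re

# ESP tunnel-mode overhead for the SAs in the thread (3DES-CBC + HMAC-SHA1-96),
# following the RFC 2406 packet layout; these constants are this example's assumptions.
OUTER_IP_HDR = 20   # new outer IPv4 header added by tunnel mode
ESP_HDR = 8         # SPI (4) + sequence number (4)
IV_LEN = 8          # 3DES-CBC initialization vector
BLOCK = 8           # 3DES block size; the encrypted part is padded to a multiple of it
ESP_TRAILER = 2     # pad length (1) + next header (1)
ICV_LEN = 12        # HMAC-SHA1-96 truncated authenticator

def esp_outer_size(inner_len: int) -> int:
    """On-the-wire size of an ESP tunnel-mode packet carrying inner_len bytes."""
    body = inner_len + ESP_TRAILER
    padded = (body + BLOCK - 1) // BLOCK * BLOCK
    return OUTER_IP_HDR + ESP_HDR + IV_LEN + padded + ICV_LEN

def largest_inner_mtu(link_mtu: int = 1500) -> int:
    """Largest inner packet whose ESP encapsulation still fits in link_mtu
    without IP fragmentation, i.e. the MTU the tunnel should present inside."""
    inner = link_mtu
    while esp_outer_size(inner) > link_mtu:
        inner -= 1
    return inner

# Matches tcpdump's fragment notation "(frag <id>:<len>@<offset>[+])";
# a trailing "+" means more fragments follow.
FRAG_RE = re.compile(r"\(frag (\d+):(\d+)@(\d+)(\+?)\)")

def fragmented_datagrams(tcpdump_text: str) -> dict:
    """Group fragment records by IP id -> (payload bytes seen, last fragment seen)."""
    seen = {}
    for line in tcpdump_text.splitlines():
        m = FRAG_RE.search(line)
        if not m:
            continue
        ip_id, length, _offset, more = m.groups()
        total, complete = seen.get(ip_id, (0, False))
        seen[ip_id] = (total + int(length), complete or more == "")
    return seen

# Constructed sample in the format of the tcpdump output quoted in the thread.
SAMPLE_LOG = """\
15:19:28.865950 A.A.A.A > B.B.B.B: ip-proto-50 204
15:19:28.962327 B.B.B.B > A.A.A.A: ip-proto-50 1480 (frag 60039:1480@0+)
15:19:28.962394 B.B.B.B > A.A.A.A: (frag 60039:44@1480)
15:19:29.003582 B.B.B.B > A.A.A.A: ip-proto-50 1480 (frag 28411:1480@0+)
"""

if __name__ == "__main__":
    print(largest_inner_mtu(1500), fragmented_datagrams(SAMPLE_LOG))
```

An incomplete entry (last fragment never seen) is what a blackholed path looks like from the receiving side; a complete entry whose byte total exceeds the link MTU shows the sender is still emitting oversized datagrams despite any interface MTU change.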