From: Matthew Sullivan <matthew@uq.edu.au>
Date: Wed, 20 Apr 2005 21:36:01 +1000
To: freebsd-current@freebsd.org
Subject: Re: DF (Don't frag) issues
In-reply-to: <20050420084413.GA27304@walton.maths.tcd.ie>
References: <426426AE.2060406@uq.edu.au> <20050420084413.GA27304@walton.maths.tcd.ie>
Message-id: <42663EA1.3020409@uq.edu.au>
List-Id: Discussions about the use of FreeBSD-current <freebsd-current@freebsd.org>

I'm going to post this back to the list as Marko was also helping me get to the bottom of it...

David Malone wrote:

> On Tue, Apr 19, 2005 at 07:29:18AM +1000, Matthew Sullivan wrote:
>
>> Any reason why FreeBSD 5.2.1+ and 5.3-p9 set DF on all packets?
>
> It is usual to do this to do path MTU discovery with TCP. I don't
> know what the situation with the packets that the VPN sends is.
>
>> example with dominator [203.15.51.36] MTU at 1500, vpn server is at
>> 203.15.51.36 (all interfaces are MTU 1500 except gif0 which is 1280),
>> other end of the VPN has interfaces at MTU 1500 which services the
>> 10.200.254.0 network (wireless)....
>>
>> 23:36:23.577880 203.15.51.36.24 > 10.200.254.98.33118: . 2315:3763(1448)
>> ack 2537 win 33304 (DF) [tos 0x10]
>> 23:36:23.578406 203.15.51.61 > 203.15.51.36: icmp: 10.200.254.98
>> unreachable - need to frag (DF)
>
> It looks like 203.15.51.61 is asking the vpn server to fragment
> some packet. I guess that the packet is an encrypted version of the
> TCP packet above? I guess that means that either the vpn server
> needs to not set the DF bit, or it needs to translate the ICMP
> message into something that it can return to the TCP sender. How
> to do that probably depends on how you configure the vpn stuff. The
> gif man page says that the DF bit should not be set on the packets
> that it generates.
IP addresses involved are:

203.15.51.58 is the webserver (desperado.sorbs.net)
203.15.51.36 is the Old DB server (dominator.sorbs.net)
203.15.51.61 is the VPN terminator (stealth.sorbs.net)
10.200.254.2 is the other end of the VPN (oblivion.isux.com)
10.200.254.98 is my laptop running Slackware Linux; for the dump below I used wget to do a simple GET /

FreeBSD oblivion.isux.com 5.3-RELEASE-p8 FreeBSD 5.3-RELEASE-p8 #4: Sun Apr 17 09:55:22 EST 2005 root@oblivion.isux.com:/usr/obj/usr/src/sys/OBLIVION i386
FreeBSD stealth.sorbs.net 5.3-RELEASE-p8 FreeBSD 5.3-RELEASE-p8 #1: Fri Apr 15 15:31:30 EST 2005 root@stealth.sorbs.net:/usr/obj/usr/src/sys/STEALTH i386
FreeBSD desperado.sorbs.net 5.3-RELEASE-p9 FreeBSD 5.3-RELEASE-p9 #3: Fri Apr 15 15:29:29 EST 2005 root@desperado.sorbs.net:/usr/obj/usr/src/sys/DESPERADO amd64

Network is like this (view with fixed font):

                  10.200.254.98
                        ^
                        |
                   wireless net
                        |
                        |
                   10.200.254.2
  192.168.1.2 -----> wired LAN ----- 138.130.dynamic
      |                  |                 ^
  192.168.1.0/24      default              |
      |                  |                 |
                        \|/               VPN
                _______|_____|___
                |    INTERNET   |
                _____________|___
                    |   |   /|\  VPN
                    |   |
  203.101.254.30 <-----------     ^
                    |   |        VPN
                    |   |
            203.101.254.254     /|\            203.15.51.33
                    |            ^   VPN          |
                    |            |   default      |
                    |          route          VPN Server
                    |        203.101.254.252
                    |        203.15.51.61
                    |            |               ^
            -----203.15.51.32/27-------------
                    |        |       |
                    |        |       |
            203.15.51.58  203.15.51.36
                    |        |       |
                    |        |       |
                 -->Route for 10.200.254.0/24-----------
                    and 192.168.1.0/24

I hope that makes sense ;-)

Basically the current default route is the old firewall; it is being replaced by the server that is also the VPN server.
The VPN terminator (stealth.sorbs.net) is going to be a firewall, however it isn't a firewall yet, therefore the current rules are a simple:

pass in from any to any
pass out from any to any

(ipf enabled, ipfw not compiled in, pf not enabled)

Follows is a tcpdump from the VPN terminator:

root@stealth:~# tcpdump -i dc0 -n host 203.15.51.58
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on dc0, link-type EN10MB (Ethernet), capture size 96 bytes
21:29:41.026070 arp who-has 203.15.51.58 tell 203.15.51.36
21:29:46.454576 IP 10.200.254.98.33080 > 203.15.51.58.80: SWE 2722075077:2722075077(0) win 5840
21:29:46.454705 IP 203.15.51.58.80 > 10.200.254.98.33080: S 1200777202:1200777202(0) ack 2722075078 win 65535
21:29:46.495554 IP 10.200.254.98.33080 > 203.15.51.58.80: . ack 1 win 5840
21:29:50.721228 IP 10.200.254.98.33080 > 203.15.51.58.80: P 1:17(16) ack 1 win 5840
21:29:50.820112 IP 203.15.51.58.80 > 10.200.254.98.33080: . ack 17 win 33304
21:29:50.863489 IP 10.200.254.98.33080 > 203.15.51.58.80: P 17:21(4) ack 1 win 5840
21:29:50.865526 IP 203.15.51.58.80 > 10.200.254.98.33080: . 1:1449(1448) ack 21 win 33304
21:29:50.865538 IP 203.15.51.58.80 > 10.200.254.98.33080: P 1449:1880(431) ack 21 win 33304
21:29:50.865547 IP 203.15.51.58.80 > 10.200.254.98.33080: F 1880:1880(0) ack 21 win 33304
21:29:50.866097 IP 203.15.51.61 > 203.15.51.58: icmp 36: 10.200.254.98 unreachable - need to frag
21:29:50.929844 IP 10.200.254.98.33080 > 203.15.51.58.80: . ack 1 win 5840
21:29:50.935786 IP 10.200.254.98.33080 > 203.15.51.58.80: . ack 1 win 5840
21:29:57.175022 IP 203.15.51.58.80 > 10.200.254.98.33080: . 1:1449(1448) ack 21 win 33304
21:29:57.175148 IP 203.15.51.61 > 203.15.51.58: icmp 36: 10.200.254.98 unreachable - need to frag
21:30:09.595314 IP 203.15.51.58.80 > 10.200.254.98.33080: . 1:1449(1448) ack 21 win 33304
21:30:09.595498 IP 203.15.51.61 > 203.15.51.58: icmp 36: 10.200.254.98 unreachable - need to frag
21:30:17.561779 IP 203.15.51.58.80 > 10.200.254.98.33072: . 4283830444:4283831892(1448) ack 2167167726 win 33304
21:30:17.561907 IP 203.15.51.61 > 203.15.51.58: icmp 36: 10.200.254.98 unreachable - need to frag
21:30:24.545302 IP 10.200.254.98.33080 > 203.15.51.58.80: P 21:23(2) ack 1 win 5840
21:30:24.545430 IP 203.15.51.58.80 > 10.200.254.98.33080: R 1200777203:1200777203(0) win 0
21:30:37.307121 IP 203.15.51.58.80 > 10.200.254.98.33073: . 3057749166:3057750614(1448) ack 2221689087 win 33304
21:30:37.307248 IP 203.15.51.61 > 203.15.51.58: icmp 36: 10.200.254.98 unreachable - need to frag
^C
25 packets captured
201 packets received by filter
0 packets dropped by kernel

If you need it, the interfaces on stealth are configured as follows:

fxp0: flags=8843 mtu 1500
        options=8
        inet 203.101.254.252 netmask 0xffffff00 broadcast 203.101.254.255
        inet6 fe80::290:27ff:fec2:4977%fxp0 prefixlen 64 scopeid 0x1
        ether 00:90:27:c2:49:77
        media: Ethernet autoselect (100baseTX )
        status: active
dc0: flags=108843 mtu 1500
        options=8
        inet 203.15.51.61 netmask 0xffffffe0 broadcast 203.15.51.63
        inet6 fe80::2a0:cff:fec0:cc23%dc0 prefixlen 64 scopeid 0x2
        ether 00:a0:0c:c0:cc:23
        media: Ethernet autoselect (100baseTX )
        status: active
plip0: flags=108810 mtu 1500
lo0: flags=8049 mtu 16384
        inet 127.0.0.1 netmask 0xff000000
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
gif0: flags=8051 mtu 1280
        tunnel inet 203.101.254.252 --> 138.130.223.244
        inet 203.15.51.61 --> 192.168.1.2 netmask 0xffffff00
        inet6 fe80::290:27ff:fec2:4977%gif0 prefixlen 64 scopeid 0x5

IPv4 Routing table:

Destination        Gateway            Flags    Refs      Use  Netif Expire
default            203.101.254.30     UGS         7   486813   fxp0
10.200.254/24      192.168.1.2        UGS         0     1239   gif0
127.0.0.1          127.0.0.1          UH          0       97    lo0
192.168.1          192.168.1.2        UGS         0    12666   gif0
192.168.1.2        203.15.51.61       UH          2      138   gif0
203.15.51.32/27    link#2             UC          0        0    dc0
203.15.51.33       00:00:e8:3d:c7:f2  UHLW        0    10887    dc0   1191
203.15.51.35       08:00:20:b2:58:e6  UHLW        0        6    dc0    802
203.15.51.36       00:0f:20:30:cd:f0  UHLW        0    14290    dc0   1064
203.15.51.38       02:00:06:e3:44:9a  UHLW        0       48    dc0    690
203.15.51.41       02:00:06:e3:44:9a  UHLW        0       48    dc0    154
203.15.51.42       02:00:06:e3:44:9a  UHLW        0       12    dc0    692
203.15.51.51       08:00:20:b2:58:e6  UHLW        0        0    dc0    776
203.15.51.58       00:09:5b:09:de:2a  UHLW        0       32    dc0    872
203.15.51.62       08:00:20:b2:58:e6  UHLW        0      216    dc0    137
203.101.254        link#1             UC          0        0   fxp0
203.101.254.30     00:d0:05:15:0c:0a  UHLW        1        0   fxp0   1198

Sorry if it's too much info; if there is anything missing you need, just mail...

Regards,

-- 
Matthew Sullivan
Specialist Systems Programmer
Information Technology Services
The University of Queensland
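The capture in the message shows the path-MTU failure mode David describes: the web server sends a 1448-byte segment (1:1449) with DF toward the tunnel, the VPN terminator answers with ICMP "unreachable - need to frag", and the server retransmits the identical segment twice more, drawing the same ICMP each time, until the connection dies. The following script is an added example, not code from the message or from FreeBSD: it parses tcpdump text in the exact format shown above, attributes each need-to-frag ICMP to the largest recent data segment from the sender it is addressed to, and flags any flow in which the same segment is rejected more than once, which is the black-hole signature an operator wants to spot in a saved `tcpdump -n` dump. The sample lines are copied from the message; the 20-byte IP and TCP header sizes used to estimate the on-wire size, and the one-second correlation window, are assumptions.

```python
"""Spot a path-MTU black hole in tcpdump text output (added example).

A TCP data segment answered by an ICMP "unreachable - need to frag" aimed at
its sender was dropped on a smaller-MTU hop. If the same segment is later
re-sent at the same size and rejected again, the sender is not reducing its
packet size: that repeated pattern is reported as a black hole.
"""
import re
from collections import defaultdict

# TCP line: "<ts> IP <src>.<sport> > <dst>.<dport>: <flags> [<lo>:<hi>(<len>)] ..."
TCP_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"(?P<flags>[A-Z.]+)(?: (?P<seq_lo>\d+):(?P<seq_hi>\d+)\((?P<len>\d+)\))?"
)
# ICMP line: "<ts> IP <gw> > <sender>: icmp NN: <target> unreachable - need to frag"
ICMP_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<gw>\d+\.\d+\.\d+\.\d+) > (?P<sender>\d+\.\d+\.\d+\.\d+): "
    r"icmp \d+: (?P<target>\d+\.\d+\.\d+\.\d+) unreachable - need to frag"
)

# Lines copied from the tcpdump in the message (the part that shows the problem).
SAMPLE_CAPTURE = """\
21:29:50.865526 IP 203.15.51.58.80 > 10.200.254.98.33080: . 1:1449(1448) ack 21 win 33304
21:29:50.865538 IP 203.15.51.58.80 > 10.200.254.98.33080: P 1449:1880(431) ack 21 win 33304
21:29:50.865547 IP 203.15.51.58.80 > 10.200.254.98.33080: F 1880:1880(0) ack 21 win 33304
21:29:50.866097 IP 203.15.51.61 > 203.15.51.58: icmp 36: 10.200.254.98 unreachable - need to frag
21:29:50.929844 IP 10.200.254.98.33080 > 203.15.51.58.80: . ack 1 win 5840
21:29:57.175022 IP 203.15.51.58.80 > 10.200.254.98.33080: . 1:1449(1448) ack 21 win 33304
21:29:57.175148 IP 203.15.51.61 > 203.15.51.58: icmp 36: 10.200.254.98 unreachable - need to frag
21:30:09.595314 IP 203.15.51.58.80 > 10.200.254.98.33080: . 1:1449(1448) ack 21 win 33304
21:30:09.595498 IP 203.15.51.61 > 203.15.51.58: icmp 36: 10.200.254.98 unreachable - need to frag
21:30:17.561779 IP 203.15.51.58.80 > 10.200.254.98.33072: . 4283830444:4283831892(1448) ack 2167167726 win 33304
21:30:17.561907 IP 203.15.51.61 > 203.15.51.58: icmp 36: 10.200.254.98 unreachable - need to frag
"""


def ts_seconds(ts):
    """'21:29:50.865526' -> seconds since midnight (the capture spans one evening)."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_capture(text):
    """Return time-ordered ('tcp'|'icmp', fields) events.

    Only TCP segments carrying data and need-to-frag ICMPs are kept; pure
    ACKs, SYNs and FINs without payload are irrelevant to the MTU question."""
    events = []
    for line in text.splitlines():
        m = ICMP_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["t"] = ts_seconds(d["ts"])
            events.append(("icmp", d))
            continue
        m = TCP_RE.match(line.strip())
        if m and m.group("len") and int(m.group("len")) > 0:
            d = m.groupdict()
            d["t"] = ts_seconds(d["ts"])
            d["len"] = int(d["len"])
            events.append(("tcp", d))
    return events


def find_pmtu_blackholes(events, window=1.0, ip_hdr=20, tcp_hdr=20):
    """Blame each need-to-frag ICMP on the largest recent data segment from its
    sender to its target, then keep only flows where the *same* segment was
    rejected more than once. Header sizes are assumptions (options ignored)."""
    pending = defaultdict(list)  # (sender, target) -> data segments not yet blamed
    report = defaultdict(lambda: {"rejected": defaultdict(int),
                                  "largest_wire_bytes": 0, "gateways": set()})
    for kind, ev in events:
        if kind == "tcp":
            pending[(ev["src"], ev["dst"])].append(ev)
            continue
        key = (ev["sender"], ev["target"])
        recent = [s for s in pending[key] if ev["t"] - s["t"] <= window]
        if not recent:
            continue
        seg = max(recent, key=lambda s: s["len"])  # need-to-frag is about size
        recent.remove(seg)
        pending[key] = recent  # also drops segments older than the window
        flow = f'{seg["src"]}:{seg["sport"]} -> {seg["dst"]}:{seg["dport"]}'
        entry = report[flow]
        entry["rejected"][(seg["seq_lo"], seg["seq_hi"], seg["len"])] += 1
        entry["largest_wire_bytes"] = max(entry["largest_wire_bytes"],
                                          seg["len"] + ip_hdr + tcp_hdr)
        entry["gateways"].add(ev["gw"])
    return {flow: e for flow, e in report.items()
            if any(n > 1 for n in e["rejected"].values())}


def mss_for_mtu(mtu, ip_hdr=20, tcp_hdr=20):
    """Largest TCP payload that fits a hop of the given MTU without fragmentation."""
    return mtu - ip_hdr - tcp_hdr


if __name__ == "__main__":
    for flow, e in find_pmtu_blackholes(parse_capture(SAMPLE_CAPTURE)).items():
        print(flow)
        for (lo, hi, n), count in e["rejected"].items():
            print(f"  segment {lo}:{hi}({n}) rejected {count} times by {sorted(e['gateways'])}")
        print(f"  largest rejected packet ~{e['largest_wire_bytes']} bytes on the wire; "
              f"a 1280-byte gif0 MTU carries at most {mss_for_mtu(1280)} bytes of TCP payload")
```

Run against the lines from the message it reports the single flow 203.15.51.58:80 -> 10.200.254.98:33080 with segment 1:1449(1448) rejected three times by 203.15.51.61, an estimated 1488 bytes on the wire against a tunnel MTU of 1280; the flows on ports 33072 and 33073 draw one ICMP each and are not (yet) black holes by this rule. Seeing the same segment rejected repeatedly, with the ICMP being delivered straight to the sender, is the cue to look at how the tunnel end handles DF and the ICMP, as David's reply suggests.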