Matthew Closson wrote:
On Mon, 24 Jul 2006, Heinrich Rebehn wrote:
Hi list,
I am running into a strange problem with IPSec (MTU? fragmentation?)
which I am unable to resolve.
My Setup:
@home I have one PC which connects to our institute network with
IPSec. The PC connects to the internet via a DSL modem using
Linux/PPPoE or Windows XP/SP2. This has been running fine for years now.
Last week I bought a Netgear WTG624V3 WLAN router in order to allow
our notebook to connect to the internet too.
This router is now connected between the PC and the DSL modem and does
the job of bringing up the internet connection with PPPoE.
IPSec from my PC still works, but the symptoms are as follows:
- The tunnel is brought up and I can use it to ssh to our institute's
firewall/ipsec gateway. On the gateway (OpenBSD 3.8), I can work in
the shell as long as I want, but as soon as I do a "ls -lR /" or
something else that produces large output, the connection is stalled.
However, the tunnel is still usable, I can do a 2nd ssh and continue
working.
This leads me to the conclusion that it cannot be a rekeying issue.
Under the second login, I can see both connections:
[EMAIL PROTECTED] [~]# netstat -anptcp | grep 192.168.1.2
tcp 0 48 134.102.176.250.22 192.168.1.2.40010 ESTABLISHED
tcp 0 16304 134.102.176.250.22 192.168.1.2.40009 ESTABLISHED
All MTUs (PC, WLAN router, firewall) are set to 1500.
I played with max-mss in pf.conf, as was suggested on the misc@ ML:
scrub in on enc0 all max-mss 1318
but it did not help.
Parallel to the "ls -lR /" mentioned above, I did a tcpdump on the
firewall's external if, which can be found at:
http://www.ant.uni-bremen.de/~rebehn/vlan1.dump
The dump shows that fragmentation does occur.
The same symptom can also be observed when connecting to our www
server behind the firewall, very small pages are displayed, bigger
ones get stalled.
Can anyone help me on this? I am not familiar with the internals of
TCP/IP, especially MTUs and fragmentation.
If you need isakmpd.conf, pf.conf or anything else, please let me know.
Thanks for any help,
Heinrich Rebehn
University of Bremen
Physics / Electrical and Electronics Engineering
- Department of Telecommunications -
Phone : +49/421/218-4664
Fax : -3341
http://archives.neohapsis.com/archives/openbsd/2006-06/1666.html
Thanks to all who replied, but I am still having the problem. While I
will be looking at the MTUs on the path, can someone help me understand
what's up in the above mentioned dump at
http://www.ant.uni-bremen.de/~rebehn/vlan1.dump ?
134.102.176.250 > 213.172.119.236: icmp: 134.102.176.250 protocol 4
unreachable
What does "protocol 4 unreachable" mean? According to /etc/protocols, 4
is "IP encapsulated in IP (officially ``IP'')" ???
As one can see at the end of the dump, fragmentation does occur. Is this
absolutely lethal for IPSec?
--Heinrich
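As an added illustration (not part of the thread) of the arithmetic behind a max-mss clamp for an ESP tunnel and of what to pull out of a dump like the one above: the cipher block, IV and ICV sizes are assumed (AES-CBC with HMAC-SHA1-96), and the tcpdump lines are constructed, modelled on the "(frag ...)" and "protocol N unreachable" notation tcpdump uses.

```python
"""Safe TCP MSS for an ESP tunnel, plus a scan of tcpdump text for fragments
and ICMP protocol-unreachable messages (ICMP type 3, code 2: the reporting host
has no handler for the protocol number in the datagram's IP header)."""
import re

def esp_tunnel_packet_len(mss, block=16, iv_len=16, icv_len=12, nat_t=False):
    """Outer IPv4 length of an ESP tunnel-mode packet carrying one TCP segment
    with `mss` payload bytes (assumed: AES-CBC/HMAC-SHA1-96, no IP/TCP options)."""
    inner = 20 + 20 + mss                          # inner IP + TCP + payload
    # ESP trailer = padding + pad-length (1) + next-header (1), block aligned
    encrypted = -(-(inner + 2) // block) * block
    outer = 20 + 8 + iv_len + encrypted + icv_len  # outer IP, SPI+seq, IV, ICV
    if nat_t:
        outer += 8                                 # UDP encapsulation header
    return outer

def max_mss(path_mtu, **kw):
    """Largest MSS whose encapsulated packet still fits path_mtu unfragmented."""
    mss = path_mtu - 40
    while esp_tunnel_packet_len(mss, **kw) > path_mtu:
        mss -= 1
    return mss

FRAG_RE = re.compile(r"\(frag (\d+):(\d+)@(\d+)(\+?)\)")
PROTO_UNREACH_RE = re.compile(r"icmp: (\S+) protocol (\d+) unreachable")

def scan_dump(lines):
    """Group fragments by IP id as (offset, size, more_fragments) and collect
    (reporting_host, protocol_number) for ICMP protocol-unreachable lines."""
    frags, unreach = {}, []
    for line in lines:
        m = FRAG_RE.search(line)
        if m:
            ipid, size, off, more = m.groups()
            frags.setdefault(int(ipid), []).append((int(off), int(size), more == "+"))
        m = PROTO_UNREACH_RE.search(line)
        if m:
            unreach.append((m.group(1), int(m.group(2))))
    return frags, unreach

# Constructed sample lines, not taken from the dump referenced in the thread.
SAMPLE = [
    "213.172.119.236 > 134.102.176.250: esp spi 0x0000abcd seq 42 (frag 10209:1480@0+)",
    "213.172.119.236 > 134.102.176.250: (frag 10209:68@1480)",
    "134.102.176.250 > 213.172.119.236: icmp: 134.102.176.250 protocol 4 unreachable",
]

if __name__ == "__main__":
    print("max MSS at MTU 1500:", max_mss(1500), "with NAT-T:", max_mss(1500, nat_t=True))
    print(scan_dump(SAMPLE))
```

With a 1500-byte path and these parameters the clamp comes out at 1398 (1382 behind NAT-T), so the 1318 used in the pf.conf rule above is already on the conservative side.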