On Jul 5, 2013, at 11:51 AM, Daniel Pocock <[email protected]> wrote:
> On 05/07/13 17:08, Tom Eastep wrote:
>> On 07/05/2013 02:55 AM, Daniel Pocock wrote:
>>>
>>> I've had problems setting up IPsec sessions using certificates
>>>
>>> Basically, the IKEv2 packets are large UDP packets and they are fragmented
>>>
>>> I believe that using ECDSA instead of RSA certificates reduces the size
>>> of these packets, but ECDSA is not universally supported. I'd like to
>>> understand whether Shorewall can and should support these fragmented UDP
>>> flows.
>>>
>>> I found a post from 3 December suggesting that IPv6 fragmentation is
>>> troublesome without a recent kernel so I'm just looking at IPv4 for now.
>>>
>>> Looking at the problem with tcpdump, I typically see UDP packets sent
>>> with 1644 bytes, slightly bigger than the MTU.
>>>
>>> Are there any specific rules or shorewall.conf settings that need to be
>>> added/tweaked to make this work?
>>>
>>
>> There is nothing in Shorewall having to do with over-sized UDP packets.
>>
>
> The reply from strongSwan-users suggests that firewalls drop the second
> fragment:
> https://lists.strongswan.org/pipermail/users/2013-July/009434.html

When connection tracking is enabled in Netfilter, received fragments are
assembled into a single packet that is then passed through Netfilter. It
may need re-fragmenting when transmitted. This is necessary because
continuation fragments don't contain l3 headers and hence cannot be
associated with a connection.

>
> This is your comment that I found about IPv6 UDP fragmentation with
> netfilter:
> http://sourceforge.net/mailarchive/forum.php?thread_name=f1856b2e7fe64ea9a38c645f0c7e9ea1%40davenport.net.nz&forum_name=shorewall-users

You have looked at the outbound traffic from the firewall with tcpdump to
prove that the firewall is dropping these packets?
-Tom

Tom Eastep        \   Nothing is foolproof to a
Shoreline,         \   sufficiently talented fool
Washington, USA     \   http://shorewall.net
                     \________________________________________________

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
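The reassembly Tom describes, as an added example that is not part of the thread or of Shorewall: a constructed UDP datagram on port 500, sized so the IP packet is 1644 bytes like the one Daniel saw in tcpdump, is fragmented at an assumed 1500-byte MTU, each fragment is classified the way a stateless per-packet rule would see it (the continuation fragment carries only an IP header, so no port can be read from it), and the fragments are reassembled keyed on (source, destination, protocol, identification) the way the kernel's defragmenter does before connection tracking sees the packet. The addresses, identification value and payload bytes are made up.

```python
import socket
import struct

MTU = 1500              # assumed path MTU for the constructed example
IPV4_HDR_LEN = 20
IPPROTO_UDP = 17
IP_MF = 0x2000          # "more fragments" bit in the IPv4 flags/offset field


def _csum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the IPv4 header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, ident, flags_off, proto, payload_len):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IPV4_HDR_LEN + payload_len, ident,
                      flags_off, 64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", _csum(hdr)) + hdr[12:]


def udp_datagram(sport, dport, payload):
    """UDP header (checksum left zero, which IPv4 permits) plus payload."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def fragment(src, dst, ident, l4_pdu, mtu=MTU):
    """Split one transport PDU into IPv4 fragments as a sending host does."""
    chunk = (mtu - IPV4_HDR_LEN) // 8 * 8      # non-final fragments carry multiples of 8 bytes
    frags = []
    for off in range(0, len(l4_pdu), chunk):
        piece = l4_pdu[off:off + chunk]
        more = off + chunk < len(l4_pdu)
        flags_off = (IP_MF if more else 0) | (off // 8)
        frags.append(ipv4_header(src, dst, ident, flags_off, IPPROTO_UDP, len(piece)) + piece)
    return frags


def parse_ipv4(pkt):
    ver_ihl, _, total, ident, flags_off, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"ident": ident, "more": bool(flags_off & IP_MF), "offset": (flags_off & 0x1FFF) * 8,
            "proto": proto, "src": src, "dst": dst, "payload": pkt[ihl:total]}


def classify(pkt):
    """What a per-packet rule engine without defragmentation can see."""
    ip = parse_ipv4(pkt)
    if ip["offset"] != 0:
        return "fragment"          # continuation fragment: IP header only, no UDP ports to match
    if ip["proto"] == IPPROTO_UDP:
        _sport, dport = struct.unpack("!HH", ip["payload"][:4])
        return "udp/%d" % dport
    return "proto/%d" % ip["proto"]


def reassemble(fragments):
    """Rebuild the transport PDU from fragments sharing (src, dst, proto, ident)."""
    parsed = [parse_ipv4(p) for p in fragments]
    if len({(p["src"], p["dst"], p["proto"], p["ident"]) for p in parsed}) != 1:
        raise ValueError("fragments belong to different datagrams")
    parsed.sort(key=lambda p: p["offset"])
    last = parsed[-1]
    if last["more"]:
        raise ValueError("final fragment missing")
    buf = bytearray(last["offset"] + len(last["payload"]))
    covered = 0
    for p in parsed:
        if p["offset"] > covered:
            raise ValueError("gap before offset %d" % p["offset"])
        buf[p["offset"]:p["offset"] + len(p["payload"])] = p["payload"]
        covered = max(covered, p["offset"] + len(p["payload"]))
    return bytes(buf)


def demo():
    # Constructed stand-in for an IKE_SA_INIT: 1616 payload bytes + 8 UDP + 20 IP = 1644 bytes on the wire.
    ike_like = bytes(range(256)) * 6 + bytes(80)
    pdu = udp_datagram(500, 500, ike_like)
    frags = fragment("192.0.2.10", "198.51.100.20", 0x1234, pdu)   # made-up addresses and IP ID
    return pdu, frags


if __name__ == "__main__":
    pdu, frags = demo()
    for f in frags:
        print(len(f), "bytes ->", classify(f))
    print("reassembled matches original:", reassemble(frags) == pdu)
```

To check what Tom asks about, capture on the firewall's outbound interface and look for the continuation fragment: `tcpdump -ni eth0 'udp port 500 or udp port 4500 or (ip[6:2] & 0x1fff != 0)'`, where the last clause matches any IPv4 packet with a non-zero fragment offset (the packets `classify` above reports as "fragment"). If both fragments leave the firewall, the drop is elsewhere on the path. The model here ignores overlapping fragments and timeouts, which the kernel handles; the point it shows is why fragments must be reassembled before a port-based rule can be applied to them.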
