On Wed, 14 Jan 2015, Eric Paris wrote:
I tried setting the MTU on the internal NIC of the router to 1422. I figured that would force everyone on the LAN to back off. But I can still ping the router from the LAN with packets bigger than 1422!
I assume those packets fragmented and got reassembled? The problem with IPsec and fragmentation is when the packet got encrypted too big, the intermediate routers cannot do anything. It can send an ICMP message but that can't be trusted and it won't make it back to the client.
I know that the mss-to-pmtu type suggestions in iptables rules won't help, because this is ICMP, not TCP. This is only about pmtu being busted. I think because ICMP packets are going the wrong way. If I capture packets on the server, on the other side of the internet, I see the ICMP unreachable with mss=1422 packets, with source: router external interface, destination: my client on the LAN who isn't getting his packets.
Did you disable send_redirects in sysctl.conf? The linux kernel gets very confused about this. It determines redirects based on incoming and outgoing interface without knowing that a packet got encrypted or decrypted. (I disabled these on your remote server but perhaps you didn't do that on your local end?)

    net.ipv4.conf.all.send_redirects = 0
    net.ipv4.conf.default.send_redirects = 0

Do a reboot for the default to take effect on all interfaces or run a:

    for i in /proc/sys/net/ipv4/conf/*; do echo 0 > $i/send_redirects; done

Regardless, PMTU can't really be relied on with IPsec. You have to try and prevent it. Hence the iptables clamping suggestions in our FAQ for TCP.
So why are ICMP packets created on the router not going out the LAN interface and instead going out the tunnel to the server? How do I fix it? What do I have set up wrong?
# cat /etc/ipsec.d/eparis-vpn.conf
conn tv
    authby=secret
    pfs=no
    auto=add
    rekey=no
    left=104.236.78.47
    leftsubnet=0.0.0.0/0
    right=%any
    rightsubnet=vhost:%priv,%no
using 0.0.0.0/0 with netkey/xfrm is dangerous. It actually steals local traffic!
# cat /etc/ipsec.d/eparis-vpn.conf
conn tv
    authby=secret
    pfs=no
    auto=up
    rekey=no
    left=104.236.78.47
    leftsubnet=0.0.0.0/0
    right=%defaultroute
    ike-frag=yes
So once the tunnel is up EVERYTHING including LAN traffic is sent over the tunnel. Which would include local LAN ICMP messages. Prob not what you wanted? You need to add a passthrough connection, see:

https://github.com/libreswan/libreswan/blob/master/docs/examples/hub-spoke.conf

In your case something like this on your home router:

conn netkey-exclude
    # your internal ip on the router
    left=192.168.a.b
    leftsubnet=192.168.0.0/16
    right=0.0.0.0
    rightsubnet=192.168.0.0/16
    authby=never
    type=passthrough
    auto=route

Paul

_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
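To see why the inner MTU has to be reduced before the intermediate routers ever get a say, here is an added worked example (not code from this thread and not part of libreswan) that computes ESP tunnel-mode overhead from the RFC 4303 framing: the new outer IPv4 header, the optional NAT-T UDP header (RFC 3948), the SPI/sequence header, the IV, padding to the cipher's alignment, the pad-length/next-header trailer, and the ICV. The algorithm table, the function names and the 1500-byte outer MTU are assumptions for illustration; it handles IPv4 without options only. For AES-CBC with HMAC-SHA1-96 behind NAT-T it yields 1422 as the largest inner packet that still fits in 1500 bytes, the same number Eric set; one byte more and the encrypted packet no longer fits, which is the "encrypted too big" case Paul describes, and the MSS clamp value is that inner MTU minus 40.

```python
"""Added example: ESP tunnel-mode overhead and inner-MTU / MSS-clamp calculator.

Framing follows RFC 4303 (ESP) and RFC 3948 (UDP encapsulation for NAT-T).
The algorithm sizes and names in ALGOS are illustrative assumptions; they are
not taken from libreswan's configuration or from the mailing-list thread.
"""
from dataclasses import dataclass

OUTER_IPV4 = 20        # new outer IPv4 header added in tunnel mode (no options)
NAT_T_UDP = 8          # UDP header when ESP is encapsulated in UDP (port 4500)
ESP_HEADER = 8         # SPI (4) + sequence number (4)
ESP_TRAILER = 2        # pad length (1) + next header (1)
IPV4_TCP_HEADERS = 40  # minimal IPv4 + TCP headers, subtracted to derive an MSS


@dataclass(frozen=True)
class EspAlgo:
    """Per-algorithm sizes that contribute to ESP overhead."""
    name: str
    iv_len: int     # explicit IV carried at the start of the ESP payload
    icv_len: int    # integrity check value appended after the trailer
    pad_align: int  # encrypted data + trailer is padded to a multiple of this


# Assumed, typical combinations (sizes per the respective algorithm RFCs).
ALGOS = {
    "aes128-cbc/hmac-sha1-96": EspAlgo("aes128-cbc/hmac-sha1-96", 16, 12, 16),
    "aes128-cbc/hmac-sha2-256-128": EspAlgo("aes128-cbc/hmac-sha2-256-128", 16, 16, 16),
    "aes128-gcm-128": EspAlgo("aes128-gcm-128", 8, 16, 4),
}


def _pad_up(n: int, align: int) -> int:
    """Round n up to the next multiple of align."""
    return -(-n // align) * align


def _fixed_overhead(algo: EspAlgo, nat_t: bool) -> int:
    """Overhead bytes that do not depend on the inner packet length."""
    return (OUTER_IPV4 + (NAT_T_UDP if nat_t else 0)
            + ESP_HEADER + algo.iv_len + algo.icv_len)


def wire_size(inner_len: int, algo: EspAlgo, nat_t: bool = False) -> int:
    """On-the-wire size of an inner IP packet after ESP tunnel encapsulation."""
    body = _pad_up(inner_len + ESP_TRAILER, algo.pad_align)
    return _fixed_overhead(algo, nat_t) + body


def fits(inner_len: int, outer_mtu: int, algo: EspAlgo, nat_t: bool = False) -> bool:
    """True if the encrypted packet can leave the outer interface unfragmented."""
    return wire_size(inner_len, algo, nat_t) <= outer_mtu


def max_inner_len(outer_mtu: int, algo: EspAlgo, nat_t: bool = False) -> int:
    """Largest inner IP packet whose encrypted form fits in outer_mtu bytes."""
    room = outer_mtu - _fixed_overhead(algo, nat_t)
    body = room - room % algo.pad_align   # largest padded body that still fits
    inner = body - ESP_TRAILER
    if inner <= 0:
        raise ValueError(f"outer MTU {outer_mtu} too small for {algo.name}")
    return inner


def tcp_mss_clamp(outer_mtu: int, algo: EspAlgo, nat_t: bool = False) -> int:
    """MSS to clamp TCP SYNs to so no segment exceeds the tunnel's inner MTU."""
    return max_inner_len(outer_mtu, algo, nat_t) - IPV4_TCP_HEADERS


def overhead_table(outer_mtu: int = 1500) -> dict:
    """(inner MTU, MSS clamp) per algorithm, with and without NAT-T."""
    return {
        (name, nat_t): (max_inner_len(outer_mtu, algo, nat_t),
                        tcp_mss_clamp(outer_mtu, algo, nat_t))
        for name, algo in ALGOS.items()
        for nat_t in (False, True)
    }


if __name__ == "__main__":
    algo = ALGOS["aes128-cbc/hmac-sha1-96"]
    for size in (1400, 1422, 1423, 1500):
        print(f"inner {size:4d} -> wire {wire_size(size, algo, nat_t=True):4d}"
              f"  fits in 1500: {fits(size, 1500, algo, nat_t=True)}")
    for (name, nat_t), (inner, mss) in overhead_table().items():
        print(f"{name:30s} nat_t={nat_t!s:5s} inner_mtu={inner} mss_clamp={mss}")
```

The practical use is choosing the number for the LAN MTU or for an iptables TCPMSS clamp once the negotiated ESP algorithms and NAT-T status are known from the IKE logs; the GCM row shows that an AEAD cipher without NAT-T leaves noticeably more room than CBC plus a separate HMAC.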
