Warning:

Trustix 2.2 - 2.4.32-1tr (IPTables 1.2.11-8tr + Openswan 2.2.1-1tr)
has a wrong MTU in the need-frag ICMP when using IPsec tunnels and masquerade,
sending out "need to fragment" on the wrong interface!

Example with tcpdump over the public interface:

LAN 
(192.168.0.x)<--->(192.168.0.254)[ETH0]<TSL>[ETH1](192.168.254.254)<--------IPSEC------->(192.168.254.1)[ETH0]<TSL>[ETH1](80.25.zz.yy)<---TCPDUMP--->(80.25.zz.254)ROUTER....internet....


23:58:42.474433 IP 194.183.xx.yy.22 > 80.25.zz.yy.3975: P 2729:2781(52) ack 1865 win 8576
23:58:42.579390 IP 194.183.xx.yy.22 > 80.25.zz.yy.3975: P 2781:2833(52) ack 1917 win 8576
23:58:42.581873 IP 80.25.zz.yy.3975 > 194.183.xx.yy.22: . ack 2833 win 63260
23:58:42.631323 IP 194.183.xx.yy.22 > 80.25.zz.yy.3975: . 2833:4293(1460) ack 1917 win 8576
23:58:42.631399 IP 80.25.zz.yy > 194.183.xx.yy: icmp 556: 80.25.zz.yy unreachable - need to frag (mtu 1443)
23:58:42.714273 IP 194.183.xx.yy.22 > 80.25.zz.yy.3975: . 4293:5753(1460) ack 1917 win 8576
23:58:42.714336 IP 80.25.zz.yy > 194.183.xx.yy: icmp 556: 80.25.zz.yy unreachable - need to frag (mtu 1443)
23:58:42.725496 IP 194.183.xx.yy.22 > 80.25.zz.yy.3975: P 5753:6313(560) ack 1917 win 8576
23:58:42.728617 IP 80.25.zz.yy.3975 > 194.183.xx.yy.22: . ack 2833 win 63260 <nop,nop,sack sack 1 {5753:6313} >
23:59:49.361173 IP 80.25.zz.yy.3975 > 194.183.xx.yy.22: F 1917:1917(0) ack 2833 win 63260
23:59:49.777204 IP 80.25.zz.yy.3975 > 194.183.xx.yy.22: F 1917:1917(0) ack 2833 win 63260

I have tried a smaller MTU in /etc/ipsec.conf, with the same problem.

Warning!
_______________________________________________
tsl-discuss mailing list
[email protected]
http://lists.trustix.org/mailman/listinfo/tsl-discuss
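The trace above shows the classic Path MTU Discovery failure pattern: a need-frag ICMP with an MTU smaller than the link it was captured on, the peer still sending full-size segments afterwards, a SACK block that exposes exactly the bytes that never arrived, and a connection that then stalls until it is torn down. As an added example (not part of the post, nor code from Trustix or Openswan), the following Python script reads tcpdump lines in that format and reports those four symptoms. The sample trace is a constructed one-packet-per-line copy of the post's capture; the 1500-byte MTU of the capture interface and the 40-byte IPv4+TCP header size are assumptions.

```python
"""Spot a failing Path-MTU-Discovery exchange in tcpdump output.

Added example, not part of the mailing-list post.  SAMPLE_TRACE is a
constructed, single-line rendering of the post's trace; PUBLIC_LINK_MTU
(the MTU of the interface tcpdump ran on) is an assumption.
"""
import re
from dataclasses import dataclass, field

PUBLIC_LINK_MTU = 1500   # assumed MTU of the capture interface
TCP_IP_HEADERS = 40      # IPv4 + TCP headers without options

# Constructed sample: the post's capture, one packet per line.
SAMPLE_TRACE = """\
23:58:42.474433 IP 194.183.xx.yy.22 > 80.25.zz.yy.3975: P 2729:2781(52) ack 1865 win 8576
23:58:42.579390 IP 194.183.xx.yy.22 > 80.25.zz.yy.3975: P 2781:2833(52) ack 1917 win 8576
23:58:42.581873 IP 80.25.zz.yy.3975 > 194.183.xx.yy.22: . ack 2833 win 63260
23:58:42.631323 IP 194.183.xx.yy.22 > 80.25.zz.yy.3975: . 2833:4293(1460) ack 1917 win 8576
23:58:42.631399 IP 80.25.zz.yy > 194.183.xx.yy: icmp 556: 80.25.zz.yy unreachable - need to frag (mtu 1443)
23:58:42.714273 IP 194.183.xx.yy.22 > 80.25.zz.yy.3975: . 4293:5753(1460) ack 1917 win 8576
23:58:42.714336 IP 80.25.zz.yy > 194.183.xx.yy: icmp 556: 80.25.zz.yy unreachable - need to frag (mtu 1443)
23:58:42.725496 IP 194.183.xx.yy.22 > 80.25.zz.yy.3975: P 5753:6313(560) ack 1917 win 8576
23:58:42.728617 IP 80.25.zz.yy.3975 > 194.183.xx.yy.22: . ack 2833 win 63260 <nop,nop,sack sack 1 {5753:6313} >
23:59:49.361173 IP 80.25.zz.yy.3975 > 194.183.xx.yy.22: F 1917:1917(0) ack 2833 win 63260
23:59:49.777204 IP 80.25.zz.yy.3975 > 194.183.xx.yy.22: F 1917:1917(0) ack 2833 win 63260
"""

# tcpdump prints host.port; the greedy host group backtracks to leave the port.
TCP_RE = re.compile(
    r"^(?P<ts>[\d:.]+) IP (?P<src>[\w.-]+)\.(?P<sport>\d+) > (?P<dst>[\w.-]+)\.(?P<dport>\d+): "
    r"(?P<flags>\S+) (?:(?P<seq>\d+):(?P<end>\d+)\((?P<plen>\d+)\) )?ack (?P<ack>\d+) win \d+"
    r"(?P<opts>.*)$")
ICMP_RE = re.compile(
    r"^(?P<ts>[\d:.]+) IP (?P<src>[\w.-]+) > (?P<dst>[\w.-]+): icmp \d+: \S+ unreachable"
    r" - need to frag \(mtu (?P<mtu>\d+)\)")
SACK_RE = re.compile(r"sack \d+ \{(\d+):(\d+)\}")


def seconds(ts):
    """Convert a tcpdump HH:MM:SS.frac timestamp to seconds since midnight."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


@dataclass
class Report:
    need_frag_sources: list = field(default_factory=list)  # (ICMP source, advertised MTU)
    too_small_for_link: bool = False   # advertised MTU below the capture link's MTU
    unhonoured: list = field(default_factory=list)  # payload sizes still > MTU-40 after the ICMP
    sack_hole: int = 0                 # bytes between cumulative ack and first SACK block
    stall_seconds: float = 0.0         # gap between the last data segment and a FIN


def analyse(trace, link_mtu=PUBLIC_LINK_MTU):
    rep = Report()
    pmtu_told = {}        # host -> MTU it was told by a need-frag ICMP
    last_data_ts = None
    for line in trace.splitlines():
        m = ICMP_RE.match(line)
        if m:
            mtu = int(m["mtu"])
            rep.need_frag_sources.append((m["src"], mtu))
            if mtu < link_mtu:
                rep.too_small_for_link = True
            pmtu_told[m["dst"]] = mtu
            continue
        m = TCP_RE.match(line)
        if not m:
            continue
        plen = int(m["plen"] or 0)
        if plen:
            last_data_ts = seconds(m["ts"])
            limit = pmtu_told.get(m["src"])
            # A sender that received the ICMP must shrink to MTU minus headers.
            if limit is not None and plen > limit - TCP_IP_HEADERS:
                rep.unhonoured.append(plen)
        s = SACK_RE.search(m["opts"])
        if s:
            # Bytes from the cumulative ack up to the SACK block never arrived.
            rep.sack_hole = max(rep.sack_hole, int(s.group(1)) - int(m["ack"]))
        if "F" in m["flags"] and last_data_ts is not None:
            rep.stall_seconds = max(rep.stall_seconds, seconds(m["ts"]) - last_data_ts)
    return rep


if __name__ == "__main__":
    r = analyse(SAMPLE_TRACE)
    print(f"need-frag ICMPs: {r.need_frag_sources} (below link MTU: {r.too_small_for_link})")
    print(f"oversized segments sent after the ICMP: {r.unhonoured}")
    print(f"bytes the receiver never got (SACK hole): {r.sack_hole}")
    print(f"stall before FIN: {r.stall_seconds:.1f}s")
```

On the post's capture this reports two need-frag ICMPs from 80.25.zz.yy advertising 1443 (below the 1500 assumed for the public link), one 1460-byte segment still sent after the first ICMP, a 2920-byte SACK hole that is exactly the two 1460-byte segments the tunnel could not carry, and a stall of over a minute before the FIN. Until the ICMP goes out the correct interface, the usual workaround (a general one, not taken from the post) is to clamp the TCP MSS on forwarded SYNs with the iptables TCPMSS target, e.g. `--clamp-mss-to-pmtu`, so the peer never sends segments larger than the tunnel can carry.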