Date: Mon, 28 Jun 1999 18:25:51 +0100
From: Josef Karthauser <joe@pavilion.net>
To: Steven Kehlet <kehlet@techfuel.com>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: having problems with IPSec VPN using FreeBSD -- help please! :-)
Message-ID: <19990628182551.T60952@pavilion.net>
In-Reply-To: <Pine.LNX.4.10.9906280937480.781-100000@phoenix.techfuel.com>; from Steven Kehlet on Mon, Jun 28, 1999 at 10:07:06AM -0700
References: <Pine.LNX.4.10.9906280937480.781-100000@phoenix.techfuel.com>
I had a similar problem with an IPoverIP tunnel between two Cisco routers.
You may need to reduce the MTU to 1500 minus the IPsec packet overhead. In my
case an IPoverIP tunnel adds 14 bytes of information, so I needed to set the
MTU to 1500-14.

Under normal circumstances this shouldn't matter, but as it turns out a lot of
the Internet is "broken" when it comes to ICMP _must_ fragment packets. It
seems that a fairly standard firewall configuration is to filter these out!

You may have some mileage in this.

Joe

On Mon, Jun 28, 1999 at 10:07:06AM -0700, Steven Kehlet wrote:
> Hi,
>
> I'm trying to set up a VPN using IPSec tunnelling between two FreeBSD 3.1 boxes
> across the Internet. I'm using the IPSec for FreeBSD implementation from
> www.r4k.net.
>
> The setup looks okay, and the tunnelling seems to work great. Unfortunately
> the problem comes with large data transfers; I think there might be some sort
> of IP fragmentation problem. When I try to read a large mailbox with IMAP over
> the link, it connects but then it just hangs there with the other end sending
> me nothing but fragments (see tcpdump below). For some reason POP works fine,
> Netscape and web stuff doesn't work, and sometimes even doing a "man ipsecadm"
> or "ps -aux" (i.e. a sudden burst of data) in a telnet session will cause it to
> hang.
>
> I've set up the SAs and flows okay; everything looks fine and I'm able to ping
> and telnet to and from boxes on non-routable IP ranges behind each box. That
> is, site A has 172.16/16 behind A.A.A.A, and site B has 172.17/16 behind
> B.B.B.B, and I can ping/telnet 172.17.X.X from 172.16.X.X no problem.
>
> Here's a tcpdump log on A.A.A.A while I'm trying to use IMAP from 172.16.X.X to
> B.B.B.B. Notice about half-way down, all of a sudden there's all this
> fragmentation happening, at which point my session never recovers.
>
> Can anyone offer any sort of explanation, offer tips for debugging, anything I
> can try, some way I can reduce the fragmentation (lower the mtu on my ethernet
> interface?), etc? Thanks! :-) :-)
>
> A.A.A.A# tcpdump -n host B.B.B.B
> tcpdump: listening on xl0
> 15:19:23.517547 A.A.A.A > B.B.B.B: ip-proto-50 84 [tos 0x10]
> 15:19:23.580292 B.B.B.B > A.A.A.A: ip-proto-50 92 [tos 0x10]
> 15:19:23.593400 A.A.A.A > B.B.B.B: ip-proto-50 68 [tos 0x10]
> 15:19:23.601293 A.A.A.A > B.B.B.B: ip-proto-50 84 [tos 0x10]
> 15:19:23.654207 B.B.B.B > A.A.A.A: ip-proto-50 92 [tos 0x10]
> 15:19:23.673426 A.A.A.A > B.B.B.B: ip-proto-50 68 [tos 0x10]
> 15:19:28.368815 A.A.A.A > B.B.B.B: ip-proto-50 84
> 15:19:28.399378 B.B.B.B > A.A.A.A: ip-proto-50 68
> 15:19:28.400009 A.A.A.A > B.B.B.B: ip-proto-50 68
> 15:19:28.441323 B.B.B.B > A.A.A.A: ip-proto-50 116
> 15:19:28.447346 B.B.B.B > A.A.A.A: ip-proto-50 124
> 15:19:28.448072 A.A.A.A > B.B.B.B: ip-proto-50 68
> 15:19:28.448476 A.A.A.A > B.B.B.B: ip-proto-50 84
> 15:19:28.481736 B.B.B.B > A.A.A.A: ip-proto-50 220
> 15:19:28.484531 A.A.A.A > B.B.B.B: ip-proto-50 92
> 15:19:28.513555 B.B.B.B > A.A.A.A: ip-proto-50 84
> 15:19:28.533459 A.A.A.A > B.B.B.B: ip-proto-50 68
> 15:19:28.552944 A.A.A.A > B.B.B.B: ip-proto-50 76
> 15:19:28.583303 B.B.B.B > A.A.A.A: ip-proto-50 84
> 15:19:28.584113 A.A.A.A > B.B.B.B: ip-proto-50 76
> 15:19:28.619272 B.B.B.B > A.A.A.A: ip-proto-50 148
> 15:19:28.623804 B.B.B.B > A.A.A.A: ip-proto-50 100
> 15:19:28.624694 A.A.A.A > B.B.B.B: ip-proto-50 92
> 15:19:28.684544 B.B.B.B > A.A.A.A: ip-proto-50 68
> 15:19:28.705040 B.B.B.B > A.A.A.A: ip-proto-50 428
> 15:19:28.707171 A.A.A.A > B.B.B.B: ip-proto-50 92
> 15:19:28.747522 B.B.B.B > A.A.A.A: ip-proto-50 116
> 15:19:28.749721 A.A.A.A > B.B.B.B: ip-proto-50 92
> 15:19:28.806969 B.B.B.B > A.A.A.A: ip-proto-50 564
> 15:19:28.809320 A.A.A.A > B.B.B.B: ip-proto-50 92
> 15:19:28.863102 B.B.B.B > A.A.A.A: ip-proto-50 580
> 15:19:28.865950 A.A.A.A > B.B.B.B: ip-proto-50 204
> 15:19:28.962327 B.B.B.B > A.A.A.A: ip-proto-50 1480 (frag 60039:1480@0+)
> 15:19:28.962394 B.B.B.B > A.A.A.A: (frag 60039:44@1480)
> 15:19:29.003582 B.B.B.B > A.A.A.A: ip-proto-50 1480 (frag 28411:1480@0+)
> 15:19:29.003650 B.B.B.B > A.A.A.A: (frag 28411:44@1480)
> 15:19:29.044684 B.B.B.B > A.A.A.A: ip-proto-50 1480 (frag 56344:1480@0+)
> 15:19:29.044750 B.B.B.B > A.A.A.A: (frag 56344:44@1480)
> 15:19:29.063749 A.A.A.A > B.B.B.B: ip-proto-50 204
> 15:19:29.086139 B.B.B.B > A.A.A.A: ip-proto-50 1480 (frag 64175:1480@0+)
> 15:19:29.086207 B.B.B.B > A.A.A.A: (frag 64175:44@1480)
> 15:19:29.128743 B.B.B.B > A.A.A.A: ip-proto-50 1480 (frag 32580:1480@0+)
> 15:19:29.128809 B.B.B.B > A.A.A.A: (frag 32580:44@1480)
> 15:19:29.169049 B.B.B.B > A.A.A.A: ip-proto-50 1480 (frag 55233:1480@0+)
> 15:19:29.169116 B.B.B.B > A.A.A.A: (frag 55233:44@1480)
> 15:19:29.210538 B.B.B.B > A.A.A.A: ip-proto-50 1480 (frag 24250:1480@0+)
> 15:19:29.210605 B.B.B.B > A.A.A.A: (frag 24250:44@1480)
> 15:19:29.251771 B.B.B.B > A.A.A.A: ip-proto-50 1480 (frag 64284:1480@0+)
> 15:19:29.251838 B.B.B.B > A.A.A.A: (frag 64284:44@1480)
> 15:19:29.292988 B.B.B.B > A.A.A.A: ip-proto-50 1480 (frag 15716:1480@0+)
> 15:19:29.293055 B.B.B.B > A.A.A.A: (frag 15716:44@1480)
> 15:19:29.334187 B.B.B.B > A.A.A.A: ip-proto-50 1480 (frag 42527:1480@0+)
> 15:19:29.334254 B.B.B.B > A.A.A.A: (frag 42527:44@1480)
> 15:19:29.380159 B.B.B.B > A.A.A.A: ip-proto-50 1480 (frag 41459:1480@0+)
> 15:19:29.380225 B.B.B.B > A.A.A.A: (frag 41459:44@1480)
> 15:19:29.380328 B.B.B.B > A.A.A.A: ip-proto-50 68
> 15:19:30.335041 B.B.B.B > A.A.A.A: ip-proto-50 1480 (frag 63704:1480@0+)
> 15:19:30.335107 B.B.B.B > A.A.A.A: (frag 63704:44@1480)
> 15:19:32.335848 B.B.B.B > A.A.A.A: ip-proto-50 1480 (frag 45951:1480@0+)
> 15:19:32.335913 B.B.B.B > A.A.A.A: (frag 45951:44@1480)
> 15:19:36.338218 B.B.B.B > A.A.A.A: ip-proto-50 1480 (frag 52615:1480@0+)
> 15:19:36.338284 B.B.B.B > A.A.A.A: (frag 52615:44@1480)
> 15:19:44.334750 B.B.B.B > A.A.A.A: ip-proto-50 1480 (frag 61321:1480@0+)
> 15:19:44.334817 B.B.B.B > A.A.A.A: (frag 61321:44@1480)
>
>
> For grins, here are my SAs and ipsec flows (from A.A.A.A):
>
> cerberus# sysctl net.ipsec.setup
> net.ipsec.setup:
> IPsec Setup
>
> SPI = 00001001, Destination = A.A.A.A, Sproto = 50
> established 15 seconds ago
> src = B.B.B.B, flags = 00000040, SAtype = 0
> xform = <Encryption + Authentication + Replay Protection>
> encryption = <Tripple DES (3DES)>
> authentication = <HMAC-SHA1-96>
> OSrc = B.B.B.B ODst = A.A.A.A, TTL = 0
> 0 flows counted (use netstat -r for more information)
> Expirations:
> Currently 0 bytes processed
> Currently 0 packets processed
> (none)
> SPI = 00001000, Destination = B.B.B.B, Sproto = 50
> established 15 seconds ago
> src = A.A.A.A, flags = 00000040, SAtype = 0
> xform = <Encryption + Authentication + Replay Protection>
> encryption = <Tripple DES (3DES)>
> authentication = <HMAC-SHA1-96>
> OSrc = A.A.A.A ODst = B.B.B.B, TTL = 0
> 0 flows counted (use netstat -r for more information)
> Expirations:
> Currently 0 bytes processed
> Currently 0 packets processed
> (none)
>
>
> cerberus# netstat -rn
> Routing tables
>
> Internet:
> Destination        Gateway        Flags   Refs   Use   Netif   Expire
>
> <many routes deleted>
>
> Encap:
> Source address/netmask     Port  Destination address/netmask  Port  Proto  SA(Address/SPI/Proto)
> 0.0.0.0/255.255.255.255    0     172.17.0.0/255.255.0.0       0     0      B.B.B.B/00001000/50
> 0.0.0.0/255.255.255.255    0     B.B.B.B/255.255.255.255      0     0      B.B.B.B/00001000/50
> 172.16.0.0/255.255.0.0     0     172.17.0.0/255.255.0.0       0     0      B.B.B.B/00001000/50
> 172.16.0.0/255.255.0.0     0     B.B.B.B/255.255.255.255      0     0      B.B.B.B/00001000/50
> A.A.A.A/255.255.255.255    0     172.17.0.0/255.255.0.0       0     0      B.B.B.B/00001000/50
> A.A.A.A/255.255.255.255    0     B.B.B.B/255.255.255.255      0     0      B.B.B.B/00001000/50
>
>
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

-- 
Josef Karthauser           FreeBSD: How many times have you booted today?
Technical Manager          Viagra for your server (http://www.uk.freebsd.org)
Pavilion Internet plc.     [joe@pavilion.net, joe@uk.freebsd.org, joe@tao.org.uk]
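As an added example (not code from either poster), this carries Joe's "1500 minus the IPsec overhead" arithmetic through for the SAs Steven posted, and pulls the reassembled datagram size out of tcpdump `frag` lines like those in the log. The RFC 2406 ESP header layout (SPI/seq, 8-byte 3DES IV, 12-byte HMAC-SHA1-96 ICV) and a 1500-byte link MTU are assumptions; the sample lines are copied from the quoted tcpdump.

```python
import re
from collections import defaultdict

IP_HDR = 20          # outer IPv4 header, no options
FRAG_RE = re.compile(r"\(frag (\d+):(\d+)@(\d+)(\+?)\)")

# Constructed sample: three lines copied from the tcpdump excerpt in the post.
SAMPLE = """\
15:19:28.865950 A.A.A.A > B.B.B.B: ip-proto-50 204
15:19:28.962327 B.B.B.B > A.A.A.A: ip-proto-50 1480 (frag 60039:1480@0+)
15:19:28.962394 B.B.B.B > A.A.A.A: (frag 60039:44@1480)
"""

def reassembled_sizes(dump):
    """Fragment id -> length of the reassembled outer datagram, for ids whose
    last fragment (no trailing '+') was seen. Unfragmented lines are skipped."""
    span, complete = defaultdict(int), set()
    for line in dump.splitlines():
        m = FRAG_RE.search(line)
        if not m:
            continue
        frag_id, length, offset, more = m.groups()
        fid = int(frag_id)
        span[fid] = max(span[fid], int(offset) + int(length))
        if not more:
            complete.add(fid)
    return {fid: IP_HDR + span[fid] for fid in complete}

def oversized(dump, link_mtu=1500):
    """Ids whose reassembled datagram exceeds link_mtu, with the overshoot in
    bytes: the least the inner MTU has to come down to avoid the 2nd fragment."""
    return {fid: n - link_mtu for fid, n in reassembled_sizes(dump).items()
            if n > link_mtu}

def esp_tunnel_len(inner_len, block=8, iv_len=8, icv_len=12):
    """On-the-wire size of an inner IP packet after ESP tunnel encapsulation,
    assuming the RFC 2406 layout: outer IP + SPI/seq (8) + IV + ciphertext
    (inner + pad + pad-length/next-header bytes, rounded up to the cipher
    block) + ICV. Defaults match the posted SAs: 3DES-CBC, HMAC-SHA1-96."""
    padded = -(-(inner_len + 2) // block) * block   # ceil to block size
    return IP_HDR + 8 + iv_len + padded + icv_len

def tunnel_mtu(link_mtu=1500, block=8, iv_len=8, icv_len=12):
    """Largest inner packet whose encapsulated form still fits link_mtu, i.e.
    the MTU to set on the inside interface so the outer packet never fragments."""
    inner = link_mtu
    while esp_tunnel_len(inner, block, iv_len, icv_len) > link_mtu:
        inner -= 1
    return inner
```

The quoted log's fragments reassemble to 1544 bytes (20 + 1480 + 44), 8 bytes less than the formula gives for a full 1500-byte inner packet, so this particular implementation's overhead differs slightly from the RFC 2406 defaults assumed here; measuring from the capture, as `oversized()` does, avoids depending on that detail.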