Date:      Mon, 28 Jun 1999 10:07:06 -0700 (PDT)
From:      Steven Kehlet <kehlet@techfuel.com>
To:        freebsd-security@freebsd.org
Subject:   having problems with IPSec VPN using FreeBSD -- help please! :-)
Message-ID:  <Pine.LNX.4.10.9906280937480.781-100000@phoenix.techfuel.com>

Hi,

I'm trying to set up a VPN using IPSec tunnelling between two FreeBSD 3.1 boxes
across the Internet.  I'm using the IPSec for FreeBSD implementation from
www.r4k.net.  

The setup looks okay, and the tunnelling seems to work great.  Unfortunately
the problem comes with large data transfers; I think there might be some sort
of IP fragmentation problem.  When I try to read a large mailbox with IMAP over
the link, it connects but then it just hangs there with the other end sending
me nothing but fragments (see tcpdump below).  For some reason POP works fine,
Netscape and web stuff don't work, and sometimes even doing a "man ipsecadm"
or "ps -aux" (i.e. a sudden burst of data) in a telnet session will cause it to
hang.

I've set up the SAs and flows okay; everything looks fine and I'm able to ping
and telnet to and from boxes on non-routable IP ranges behind each box.  That
is, site A has 172.16/16 behind A.A.A.A, and site B has 172.17/16 behind
B.B.B.B, and I can ping/telnet 172.17.X.X from 172.16.X.X no problem.

Here's a tcpdump log on A.A.A.A while I'm trying to use IMAP from 172.16.X.X to
B.B.B.B.  Notice about half-way down, all of a sudden there's all this
fragmentation happening, at which point my session never recovers.

Can anyone offer any sort of explanation, tips for debugging, anything I
can try, some way I can reduce the fragmentation (lower the MTU on my ethernet
interface?), etc.?  Thanks!  :-) :-)

    A.A.A.A# tcpdump -n host B.B.B.B
    tcpdump: listening on xl0
    15:19:23.517547 A.A.A.A > B.B.B.B: ip-proto-50 84 [tos 0x10]
    15:19:23.580292 B.B.B.B > A.A.A.A: ip-proto-50 92 [tos 0x10]
    15:19:23.593400 A.A.A.A > B.B.B.B: ip-proto-50 68 [tos 0x10]
    15:19:23.601293 A.A.A.A > B.B.B.B: ip-proto-50 84 [tos 0x10]
    15:19:23.654207 B.B.B.B > A.A.A.A: ip-proto-50 92 [tos 0x10]
    15:19:23.673426 A.A.A.A > B.B.B.B: ip-proto-50 68 [tos 0x10]
    15:19:28.368815 A.A.A.A > B.B.B.B: ip-proto-50 84
    15:19:28.399378 B.B.B.B > A.A.A.A: ip-proto-50 68
    15:19:28.400009 A.A.A.A > B.B.B.B: ip-proto-50 68
    15:19:28.441323 B.B.B.B > A.A.A.A: ip-proto-50 116
    15:19:28.447346 B.B.B.B > A.A.A.A: ip-proto-50 124
    15:19:28.448072 A.A.A.A > B.B.B.B: ip-proto-50 68
    15:19:28.448476 A.A.A.A > B.B.B.B: ip-proto-50 84
    15:19:28.481736 B.B.B.B > A.A.A.A: ip-proto-50 220
    15:19:28.484531 A.A.A.A > B.B.B.B: ip-proto-50 92
    15:19:28.513555 B.B.B.B > A.A.A.A: ip-proto-50 84
    15:19:28.533459 A.A.A.A > B.B.B.B: ip-proto-50 68
    15:19:28.552944 A.A.A.A > B.B.B.B: ip-proto-50 76
    15:19:28.583303 B.B.B.B > A.A.A.A: ip-proto-50 84
    15:19:28.584113 A.A.A.A > B.B.B.B: ip-proto-50 76
    15:19:28.619272 B.B.B.B > A.A.A.A: ip-proto-50 148
    15:19:28.623804 B.B.B.B > A.A.A.A: ip-proto-50 100
    15:19:28.624694 A.A.A.A > B.B.B.B: ip-proto-50 92
    15:19:28.684544 B.B.B.B > A.A.A.A: ip-proto-50 68
    15:19:28.705040 B.B.B.B > A.A.A.A: ip-proto-50 428
    15:19:28.707171 A.A.A.A > B.B.B.B: ip-proto-50 92
    15:19:28.747522 B.B.B.B > A.A.A.A: ip-proto-50 116
    15:19:28.749721 A.A.A.A > B.B.B.B: ip-proto-50 92
    15:19:28.806969 B.B.B.B > A.A.A.A: ip-proto-50 564
    15:19:28.809320 A.A.A.A > B.B.B.B: ip-proto-50 92
    15:19:28.863102 B.B.B.B > A.A.A.A: ip-proto-50 580
    15:19:28.865950 A.A.A.A > B.B.B.B: ip-proto-50 204
    15:19:28.962327 B.B.B.B > A.A.A.A: ip-proto-50 1480 (frag 60039:1480@0+)
    15:19:28.962394 B.B.B.B > A.A.A.A: (frag 60039:44@1480)
    15:19:29.003582 B.B.B.B > A.A.A.A: ip-proto-50 1480 (frag 28411:1480@0+)
    15:19:29.003650 B.B.B.B > A.A.A.A: (frag 28411:44@1480)
    15:19:29.044684 B.B.B.B > A.A.A.A: ip-proto-50 1480 (frag 56344:1480@0+)
    15:19:29.044750 B.B.B.B > A.A.A.A: (frag 56344:44@1480)
    15:19:29.063749 A.A.A.A > B.B.B.B: ip-proto-50 204
    15:19:29.086139 B.B.B.B > A.A.A.A: ip-proto-50 1480 (frag 64175:1480@0+)
    15:19:29.086207 B.B.B.B > A.A.A.A: (frag 64175:44@1480)
    15:19:29.128743 B.B.B.B > A.A.A.A: ip-proto-50 1480 (frag 32580:1480@0+)
    15:19:29.128809 B.B.B.B > A.A.A.A: (frag 32580:44@1480)
    15:19:29.169049 B.B.B.B > A.A.A.A: ip-proto-50 1480 (frag 55233:1480@0+)
    15:19:29.169116 B.B.B.B > A.A.A.A: (frag 55233:44@1480)
    15:19:29.210538 B.B.B.B > A.A.A.A: ip-proto-50 1480 (frag 24250:1480@0+)
    15:19:29.210605 B.B.B.B > A.A.A.A: (frag 24250:44@1480)
    15:19:29.251771 B.B.B.B > A.A.A.A: ip-proto-50 1480 (frag 64284:1480@0+)
    15:19:29.251838 B.B.B.B > A.A.A.A: (frag 64284:44@1480)
    15:19:29.292988 B.B.B.B > A.A.A.A: ip-proto-50 1480 (frag 15716:1480@0+)
    15:19:29.293055 B.B.B.B > A.A.A.A: (frag 15716:44@1480)
    15:19:29.334187 B.B.B.B > A.A.A.A: ip-proto-50 1480 (frag 42527:1480@0+)
    15:19:29.334254 B.B.B.B > A.A.A.A: (frag 42527:44@1480)
    15:19:29.380159 B.B.B.B > A.A.A.A: ip-proto-50 1480 (frag 41459:1480@0+)
    15:19:29.380225 B.B.B.B > A.A.A.A: (frag 41459:44@1480)
    15:19:29.380328 B.B.B.B > A.A.A.A: ip-proto-50 68
    15:19:30.335041 B.B.B.B > A.A.A.A: ip-proto-50 1480 (frag 63704:1480@0+)
    15:19:30.335107 B.B.B.B > A.A.A.A: (frag 63704:44@1480)
    15:19:32.335848 B.B.B.B > A.A.A.A: ip-proto-50 1480 (frag 45951:1480@0+)
    15:19:32.335913 B.B.B.B > A.A.A.A: (frag 45951:44@1480)
    15:19:36.338218 B.B.B.B > A.A.A.A: ip-proto-50 1480 (frag 52615:1480@0+)
    15:19:36.338284 B.B.B.B > A.A.A.A: (frag 52615:44@1480)
    15:19:44.334750 B.B.B.B > A.A.A.A: ip-proto-50 1480 (frag 61321:1480@0+)
    15:19:44.334817 B.B.B.B > A.A.A.A: (frag 61321:44@1480)
    


For grins, here are my SAs and ipsec flows (from A.A.A.A):

    cerberus# sysctl net.ipsec.setup
    net.ipsec.setup: 
     IPsec Setup
    
    SPI = 00001001, Destination = A.A.A.A, Sproto = 50
            established 15 seconds ago
            src = B.B.B.B, flags = 00000040, SAtype = 0
            xform = <Encryption + Authentication + Replay Protection>
                    encryption = <Tripple DES (3DES)>
                    authentication = <HMAC-SHA1-96>
            OSrc = B.B.B.B ODst = A.A.A.A, TTL = 0
            0 flows counted (use netstat -r for  more information)
            Expirations:
                    Currently 0 bytes processed
                    Currently 0 packets processed
                    (none)
    SPI = 00001000, Destination = B.B.B.B, Sproto = 50
            established 15 seconds ago
            src = A.A.A.A, flags = 00000040, SAtype = 0
            xform = <Encryption + Authentication + Replay Protection>
                    encryption = <Tripple DES (3DES)>
                    authentication = <HMAC-SHA1-96>
            OSrc = A.A.A.A ODst = B.B.B.B, TTL = 0
            0 flows counted (use netstat -r for  more information)
            Expirations:
                    Currently 0 bytes processed
                    Currently 0 packets processed
                    (none)
    
    
    cerberus# netstat -rn
    Routing tables
    
    Internet:
    Destination        Gateway            Flags     Refs     Use     Netif Expire

    <many routes deleted>
    
    Encap:
    Source address/netmask          Port  Destination address/netmask     Port  Proto SA(Address/SPI/Proto)     
    0.0.0.0/255.255.255.255         0     172.17.0.0/255.255.0.0          0     0     B.B.B.B/00001000/50
    0.0.0.0/255.255.255.255         0     B.B.B.B/255.255.255.255         0     0     B.B.B.B/00001000/50
    172.16.0.0/255.255.0.0          0     172.17.0.0/255.255.0.0          0     0     B.B.B.B/00001000/50
    172.16.0.0/255.255.0.0          0     B.B.B.B/255.255.255.255         0     0     B.B.B.B/00001000/50
    A.A.A.A/255.255.255.255         0     172.17.0.0/255.255.0.0          0     0     B.B.B.B/00001000/50
    A.A.A.A/255.255.255.255         0     B.B.B.B/255.255.255.255         0     0     B.B.B.B/00001000/50
    



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
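The trace above shows every large datagram from B.B.B.B arriving as a 1480-byte ESP fragment followed by a 44-byte tail, and the session stalling once that starts. The script below is an added example, not code from the post or from the r4k.net IPsec implementation: it works out the ESP tunnel-mode overhead for the SA shown (3DES-CBC, HMAC-SHA1-96, replay protection), shows how an inner packet grows past a 1500-byte MTU and splits into exactly the 1480+44 pattern in the trace, sums the fragments per IP id from tcpdump lines copied from the post, and derives the largest inner packet (and TCP MSS) that still fits without fragmentation. Assumptions, labelled in the code: an 8-byte ESP header (SPI plus sequence number, implied by the replay-protection flag), an 8-byte 3DES IV, a 12-byte HMAC-SHA1-96 ICV, a 20-byte outer IPv4 header with no options, and a 1500-byte path MTU; the inner packet size is not in the post, so the script only bounds it.

```python
"""ESP tunnel-mode sizing and fragment accounting for the SA in the post.

Added example, not the post's or the r4k.net IPsec code.  The constants
below are assumptions about the SA (ESP with sequence number, 3DES-CBC,
HMAC-SHA1-96) and about the path (plain IPv4, 1500-byte MTU).
"""
import re
from collections import defaultdict

OUTER_IP = 20   # outer IPv4 header, no options (assumed)
ESP_HDR = 8     # SPI (4) + sequence number (4); replay protection implies a seq
IV_LEN = 8      # 3DES-CBC IV (assumed explicit IV)
BLOCK = 8       # 3DES block size: (inner + pad + trailer) must be a multiple of 8
TRAILER = 2     # pad length (1) + next header (1)
ICV = 12        # HMAC-SHA1-96 = 96-bit truncated MAC
MTU = 1500      # assumed link/path MTU


def esp_tunnel_size(inner_len):
    """Return (outer IPv4 total length, ESP pad length) for an inner packet of inner_len bytes."""
    pad = (-(inner_len + TRAILER)) % BLOCK
    esp_payload = ESP_HDR + IV_LEN + inner_len + pad + TRAILER + ICV
    return OUTER_IP + esp_payload, pad


def ipv4_fragment_payloads(total_len, mtu=MTU):
    """Payload sizes of the fragments emitted when an IPv4 datagram of total_len
    bytes is fragmented to mtu (fragment offsets are in 8-byte units)."""
    payload = total_len - OUTER_IP
    per_frag = (mtu - OUTER_IP) // 8 * 8
    sizes = []
    while payload > per_frag:
        sizes.append(per_frag)
        payload -= per_frag
    sizes.append(payload)
    return sizes


def max_unfragmented_inner(mtu=MTU):
    """Largest inner packet whose ESP tunnel encapsulation fits in mtu unfragmented."""
    n = mtu
    while esp_tunnel_size(n)[0] > mtu:
        n -= 1
    return n


def tcp_mss_for_inner(inner_len):
    """TCP MSS (20-byte IP + 20-byte TCP header, no options) that yields inner_len."""
    return inner_len - 40


def inner_sizes_for_esp_payload(esp_payload):
    """All inner lengths whose encapsulation has exactly esp_payload bytes after the
    outer IP header; ESP padding makes the answer a range, not a single value."""
    return [n for n in range(esp_payload) if esp_tunnel_size(n)[0] - OUTER_IP == esp_payload]


# tcpdump 3.x fragment notation "(frag id:size@offset+)", as printed in the post.
FRAG_RE = re.compile(r"\(frag (\d+):(\d+)@(\d+)(\+?)\)")


def fragment_totals(lines):
    """Sum fragment payload bytes per IP id.  Returns {id: (total_bytes, complete)},
    where complete means offsets are contiguous from 0 and the last has MF clear."""
    seen = defaultdict(list)
    for line in lines:
        m = FRAG_RE.search(line)
        if m:
            fid, size, off, more = m.groups()
            seen[int(fid)].append((int(off), int(size), more == "+"))
    result = {}
    for fid, parts in seen.items():
        parts.sort()
        total = sum(size for _, size, _ in parts)
        contiguous = all(parts[i][0] + parts[i][1] == parts[i + 1][0]
                         for i in range(len(parts) - 1))
        complete = contiguous and parts[0][0] == 0 and not parts[-1][2]
        result[fid] = (total, complete)
    return result


# Constructed sample: two lines copied from the trace in the post, plus a
# lone first fragment (id 28411) to show how an incomplete datagram is reported.
SAMPLE_TRACE = [
    "15:19:28.962327 B.B.B.B > A.A.A.A: ip-proto-50 1480 (frag 60039:1480@0+)",
    "15:19:28.962394 B.B.B.B > A.A.A.A: (frag 60039:44@1480)",
    "15:19:29.003582 B.B.B.B > A.A.A.A: ip-proto-50 1480 (frag 28411:1480@0+)",
]

if __name__ == "__main__":
    print("fragments per id:", fragment_totals(SAMPLE_TRACE))
    print("inner sizes giving a 1524-byte ESP payload:", inner_sizes_for_esp_payload(1524))
    print("1492-byte inner -> outer", esp_tunnel_size(1492), "fragments", ipv4_fragment_payloads(1544))
    n = max_unfragmented_inner()
    print("largest unfragmented inner packet:", n, "-> TCP MSS", tcp_mss_for_inner(n))
```

With these assumptions a 1524-byte ESP payload can only have come from an inner packet of 1487 to 1494 bytes, and a 1492-byte inner packet encapsulates to 1544 bytes, which a 1500-byte MTU splits into the 1480 and 44-byte fragments seen in the trace. Keeping the inner packet at or below 1446 bytes (a TCP MSS of 1406, or an inner-side interface MTU of 1446) keeps every ESP datagram under 1500 bytes so nothing on the path has to fragment or reassemble it.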