<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 11 (filtered medium)">
<style>
<!--
/* Font Definitions */
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman";}
a:link, span.MsoHyperlink
{color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{color:purple;
text-decoration:underline;}
span.E-MailFormatvorlage17
{mso-style-type:personal-compose;
font-family:Arial;
color:windowtext;}
@page Section1
{size:595.3pt 841.9pt;
margin:70.85pt 70.85pt 2.0cm 70.85pt;}
div.Section1
{page:Section1;}
/* List Definitions */
@list l0
{mso-list-id:177546314;
mso-list-type:hybrid;
mso-list-template-ids:-362109936 -1153279154 67567619 67567621 67567617 67567619 67567621 67567617 67567619 67567621;}
@list l0:level1
{mso-level-start-at:0;
mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:36.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:Symbol;
mso-fareast-font-family:"Times New Roman";
mso-bidi-font-family:Arial;}
@list l1
{mso-list-id:810640117;
mso-list-type:hybrid;
mso-list-template-ids:1227661328 -1153279154 67567619 67567621 67567617 67567619 67567621 67567617 67567619 67567621;}
@list l1:level1
{mso-level-start-at:0;
mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:36.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:Symbol;
mso-fareast-font-family:"Times New Roman";
mso-bidi-font-family:Arial;}
ol
{margin-bottom:0cm;}
ul
{margin-bottom:0cm;}
-->
</style>
</head>
<body lang=DE link=blue vlink=purple>
<div class=Section1>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>Hallo,<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt;font-family:Arial'>I’ve setup a VPN connection between two servers
using X509 certificates. One server is located in the Inet and the other behind
a CISCO 1841 router running firmware 12.3 within the DMZ. So both servers have
valid public IPs and the CISCO router is assumed to simply pass on all IPSec packets
between those hosts.<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt;font-family:Arial'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt;font-family:Arial'>The connection is started as expected and the ISAKMP
and IPSec SAs are created. It’s possible to ping and connect via ssh from
both sides.<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt;font-family:Arial'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt;font-family:Arial'>The problem is now as follows: <o:p></o:p></span></font></p>
<ul style='margin-top:0cm' type=disc>
<li class=MsoNormal style='mso-list:l1 level1 lfo1'><font size=2 face=Arial><span
lang=EN-GB style='font-size:10.0pt;font-family:Arial'>Ping packets of
specific sizes, eg. 1363 to 1400 bytes, are not passed on by the cisco
router. I tried packets with up to 64k, which work as expected. But there are
specific sizes of packets, which do not work. It’s like having ‘gaps’
or blackholes in the connection.<o:p></o:p></span></font></li>
<li class=MsoNormal style='mso-list:l1 level1 lfo1'><font size=2 face=Arial><span
lang=EN-GB style='font-size:10.0pt;font-family:Arial'>SSH connections work
will, as long as the created packets lengths do not all inside the ‘gaps’
described above. Obviously this will happen within a few seconds for
things like ‘find /’ or ‘mc’, which output large
amounts of data. The connections itself is never terminated or shut down. Packets
get simply lost in the router. I checked packets received and sent on both
sides with tcpdump – everything looks fine.<o:p></o:p></span></font></li>
</ul>
<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt;font-family:Arial'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt;font-family:Arial'>Both servers use linux kernel 2.6.17 and openswan (Version
2.4.6 X.509-1.5.4 LDAP_V3 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; V<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt;font-family:Arial'>endor ID OElLO]RdWNRD) / Linux Openswan
U2.4.6/K2.6.17-2-686 (netkey) from the debian etch (testing) archive. <o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt;font-family:Arial'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt;font-family:Arial'>So before I start running nuts, I’d like to ask
the following questions:<o:p></o:p></span></font></p>
<ul style='margin-top:0cm' type=disc>
<li class=MsoNormal style='mso-list:l0 level1 lfo2'><font size=2 face=Arial><span
lang=EN-GB style='font-size:10.0pt;font-family:Arial'>Has anybody heard
about such problems before? <o:p></o:p></span></font></li>
<li class=MsoNormal style='mso-list:l0 level1 lfo2'><font size=2 face=Arial><span
lang=EN-GB style='font-size:10.0pt;font-family:Arial'>Is this a CISCO bug?
<o:p></o:p></span></font></li>
<li class=MsoNormal style='mso-list:l0 level1 lfo2'><font size=2 face=Arial><span
lang=EN-GB style='font-size:10.0pt;font-family:Arial'>Are there
workarounds known for this?<o:p></o:p></span></font></li>
</ul>
<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt;font-family:Arial'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt;font-family:Arial'>Regards,<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt;font-family:Arial'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt;font-family:Arial'>Carsten Schlote<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt;font-family:Arial'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt;font-family:Arial'><o:p> </o:p></span></font></p>
</div>
<BR><BR>____________<BR>Virus checked by G DATA AntiVirusKit<BR>Virus news: www.antiviruslab.com<BR><BR>____________<BR>
Virus checked by G DATA AntiVirus<BR>
Version: AVK 17.1178 from 01.12.2006<BR>
Virus news: <a href="http://www.antiviruslab.com">
www.antiviruslab.com</a><BR>
</body>
</html>