[Openswan dev] Re: [Openswan Users] Fragmentation/reassembly bad behaviour (fwd)

Michael Richardson mcr at sandelman.ottawa.on.ca
Mon Jan 10 22:12:56 CET 2005


>>>>> "Paul" == Paul Wouters <paul at xelerance.com> writes:
    Paul> flows ciphered from both networks. Tunnel up and ok.  Nortel
    Paul> does not do MTU PATH DISCOVERY and has 1500 MTU value in
    Paul> Ethernet and in WAN interfaces.

  Right. Remove it from the network.
  It is broken. Seriously. This is a Nortel problem.

    Paul> original that entered) is recovered in clear mode -- Until
    Paul> here all is OK e) Openswan decides that this packet CAN'T be
    Paul> routed to the local (protected network) claiming that he has
    Paul> an MTU of 1500 and generates ICMP error to the packet
    Paul> originator

  Well, what *CAN* we do?
    a) we can't send it (it is too big)
    b) we really can't fragment it.

    Paul> In this example, original packet was 1500 bytes, but after a
    Paul> lot of changes in interfaces MTU and generate different kinds
    Paul> of traffic, it does not matter. ALWAYS that the conditions
    Paul> explained are met (traffic with DF that is reassembled from
    Paul> various ESP received fragments), openswan generates ICMP
    Paul> error. This ICMP is not routed to Nortel, but in any case
    Paul> would be ignored because Nortel's MTU is yet 1500. Packet fits
    Paul> in network but Openswan thinks not.

  The virtual MTU of the tunnel has to be smaller than 1500, and this
should be known by the Nortel box. The ICMP, were it to be sent back
would indicate this, but as you said, they don't do PMTU, so they'd
ignore it.
  If the resulting packet (after decapsulation) is 1500 bytes, and it
is still rejected, then there is clearly a problem.

  You may try adjusting the MTU of the inside interface to, say, 1502
bytes, and see what happens.

  I would urge you to bring this to the attention of the Nortel people.
  Their box is broken if it doesn't do PMTU.

-- 
]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
]   Michael Richardson,    Xelerance Corporation, Ottawa, ON    |net architect[
] mcr at xelerance.com      http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
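The mechanism under discussion, as an added example that is not part of the original message or of Openswan's code: ESP tunnel-mode encapsulation of a 1500-byte inner packet produces an outer packet larger than a 1500-byte link, so the outer packet is fragmented; after reassembly and decapsulation the gateway must decide whether the recovered inner packet fits the inside interface, and if it does not and DF is set, the only option left is an ICMP "fragmentation needed" carrying the MTU it can deliver. The cipher parameters (AES-CBC with a 16-byte IV and block, HMAC-SHA1-96 with a 12-byte ICV), the IPv4 header sizes and the sample lengths are assumptions chosen for illustration, not values taken from the thread.

```python
"""Added example (not Openswan code): ESP tunnel-mode overhead, outer IPv4
fragmentation, and the forward/fragment/ICMP decision a decapsulating gateway
faces for a DF-marked inner packet. Cipher parameters are assumed: AES-CBC
(16-byte IV, 16-byte block) with HMAC-SHA1-96 (12-byte ICV)."""

OUTER_IP_HDR = 20      # IPv4 header without options
ESP_HDR = 8            # SPI (4) + sequence number (4)
ESP_TRAILER = 2        # pad length (1) + next header (1)


def esp_tunnel_outer_len(inner_len, iv_len=16, block=16, icv_len=12):
    """Wire length of an ESP tunnel-mode packet carrying inner_len bytes.
    The inner packet plus the 2-byte trailer is padded up to the cipher
    block size before the ICV is appended."""
    padded = -(-(inner_len + ESP_TRAILER) // block) * block
    return OUTER_IP_HDR + ESP_HDR + iv_len + padded + icv_len


def fragment(total_len, mtu):
    """IPv4 fragmentation of a total_len-byte packet for a link of the given
    MTU. Returns (fragment offset in bytes, payload bytes) tuples; every
    fragment except the last carries a multiple of 8 payload bytes."""
    payload = total_len - OUTER_IP_HDR
    max_chunk = (mtu - OUTER_IP_HDR) // 8 * 8
    frags, offset = [], 0
    while offset < payload:
        size = min(max_chunk, payload - offset)
        frags.append((offset, size))
        offset += size
    return frags


def forward_decision(inner_len, df, out_mtu):
    """What the gateway does with the recovered (decapsulated) inner packet.
    Returns (action, next_hop_mtu); action is 'forward', 'fragment' or
    'icmp_frag_needed' (ICMP type 3 code 4, with out_mtu as the MTU hint)."""
    if inner_len <= out_mtu:
        return ("forward", None)
    if not df:
        return ("fragment", None)
    return ("icmp_frag_needed", out_mtu)


def virtual_tunnel_mtu(link_mtu, iv_len=16, block=16, icv_len=12):
    """Largest inner packet whose ESP encapsulation still fits in link_mtu
    without outer fragmentation: the tunnel's effective (virtual) MTU."""
    inner = link_mtu
    while esp_tunnel_outer_len(inner, iv_len, block, icv_len) > link_mtu:
        inner -= 1
    return inner


if __name__ == "__main__":
    inner = 1500                                   # constructed sample length
    outer = esp_tunnel_outer_len(inner)
    print(f"inner {inner} -> outer {outer}; fragments {fragment(outer, 1500)}")
    print("virtual tunnel MTU on a 1500-byte link:", virtual_tunnel_mtu(1500))
    for mtu in (1500, 1502, virtual_tunnel_mtu(1500)):
        print(f"inside MTU {mtu}: {forward_decision(inner, True, mtu)}")
```

With these parameters a 1500-byte inner packet becomes a 1560-byte outer packet, which a 1500-byte link splits into a 1480-byte and a 60-byte fragment; the tunnel's virtual MTU is 1438, which is the value a PMTU-capable peer would learn from the ICMP and which a peer that ignores PMTU never does. The decision function also shows why the 1502-byte experiment is informative: a 1500-byte inner packet is forwarded when the inside MTU is 1500 or 1502, so an ICMP in that case points at the forwarding decision rather than at the packet size.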

