Re: [Openswan Users] Fragmentation/reassembly bad behaviour (fwd)
mcr at sandelman.ottawa.on.ca
Mon Jan 10 22:12:56 CET 2005
>>>>> "Paul" == Paul Wouters <paul at xelerance.com> writes:
Paul> flows ciphered from both networks. Tunnel up and ok. Nortel
Paul> does not do MTU PATH DISCOVERY and has 1500 MTU value in
Paul> Ethernet and in WAN interfaces.
Right. Remove it from the network.
It is broken. Seriously. This is a Nortel problem.
Paul> original that entered) is recovered in clear mode -- Until
Paul> here all is OK e) Openswan decides that this packet CAN'T be
Paul> routed to the local (protected network) claiming that it has
Paul> an MTU of 1500 and generates ICMP error to the packet
Well, what *CAN* we do?
a) we can't send it (it is too big)
b) we really can't fragment it.
Paul> In this example, original packet was 1500 bytes, but after a
Paul> lot of changes in interfaces MTU and generating different kinds
Paul> of traffic, it does not matter. Whenever the conditions
Paul> explained are met (traffic with DF that is reassembled from
Paul> various ESP received fragments), openswan generates ICMP
Paul> error. This ICMP is not routed to Nortel, but in any case
Paul> would be ignored because Nortel's MTU is still 1500. Packet fits
Paul> in network but Openswan thinks not.
The virtual MTU of the tunnel has to be smaller than 1500, and this
should be known by the Nortel box. The ICMP, were it to be sent back,
would indicate this, but as you said, they don't do PMTU, so they'd
If the resulting packet (after decapsulation) is 1500 bytes, and it
is still rejected, then there is clearly a problem.
You may try adjusting the MTU of the inside interface to, say, 1502
bytes, and see what happens.
I would urge you to bring this to the attention of the Nortel people.
Their box is broken if it doesn't do PMTU.
] ON HUMILITY: to err is human. To moo, bovine. | firewalls [
] Michael Richardson, Xelerance Corporation, Ottawa, ON |net architect[
] mcr at xelerance.com http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
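The size accounting behind the "virtual MTU of the tunnel" point and the DF forwarding check argued over above, as an added example that is not part of this thread or of Openswan's code. The cipher overheads (8-byte IV, 8-byte padding alignment, 12-byte ICV) are assumptions typical of 3DES-CBC with HMAC-SHA1-96; the function names are hypothetical.

```python
# Added example (not from the list thread): ESP tunnel-mode size accounting
# and the decapsulating gateway's DF check. Overheads below are assumed
# (3DES-CBC + HMAC-SHA1-96 style): 8-byte IV, 8-byte alignment, 12-byte ICV.

IP_HDR = 20          # outer IPv4 header, no options
ESP_HDR = 8          # SPI + sequence number
ESP_IV = 8           # CBC IV (assumed 8 bytes)
ESP_ALIGN = 8        # (payload + pad + trailer) is aligned to the block size
ESP_TRAILER = 2      # pad length + next header
ESP_ICV = 12         # truncated HMAC (assumed 96-bit)


def esp_tunnel_len(inner_len):
    """Bytes on the wire for an ESP tunnel-mode packet carrying inner_len bytes."""
    body = inner_len + ESP_TRAILER
    pad = (-body) % ESP_ALIGN
    return IP_HDR + ESP_HDR + ESP_IV + body + pad + ESP_ICV


def tunnel_mtu(outer_mtu):
    """Largest inner packet whose encapsulation still fits outer_mtu.

    This is the tunnel's virtual MTU, the value the peer would learn via
    PMTU; anything larger forces the sender to fragment the ESP packet."""
    n = outer_mtu
    while n > 0 and esp_tunnel_len(n) > outer_mtu:
        n -= 1
    return n


def forward_decision(inner_len, df, iface_mtu):
    """What a correct gateway does with the recovered (decapsulated) packet.

    Returns ('forward', None), ('fragment', None) or
    ('icmp-frag-needed', next_hop_mtu). A packet that fits the inside
    interface is forwarded regardless of DF."""
    if inner_len <= iface_mtu:
        return ("forward", None)
    if df:
        return ("icmp-frag-needed", iface_mtu)
    return ("fragment", None)


if __name__ == "__main__":
    # A 1500-byte inner packet becomes 1552 bytes of ESP: the sender must
    # fragment it, and the receiver reassembles before decapsulating.
    print(esp_tunnel_len(1500))
    print(tunnel_mtu(1500))                     # largest inner packet that avoids that
    print(forward_decision(1500, True, 1500))   # fits a 1500 MTU: forward, no ICMP
```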