[Openswan dev] MTU: tcpdump vs pmtu 1446

Vincent Tamet vincent.tamet at ilimit.net
Wed Mar 30 06:40:00 EDT 2011


Hi, 
I post my problem to a cisco forum (https://supportforums.cisco.com/thread/2067814), wzhang answer to me, my last post:

Thanks you very much !
I can't done the last tcpdump because have a frag problem, explained rapidly in the bottom.

I test with a ping -c 1 -s 1418 192.168.2.5

Encapsulating Security Payload (Tunnel Mode)
 IP Tunnel header                                           20
 ESP Header
    Security Parameters Index   [SPI]                        4
    Sequence Number                                          4
 Payload data                                 (variable)
    Initialization Vector       [IV]  IOS ESP-DES-3DES       8
    Data                                      (Variable)  1446
         IP Origin header                                               20
         ICMP Header                                                     8
         Data                                                         1418
    Padding Encrypt     IOS ESP-DES-3DES (variable 0->7)     0
 ESP Trailer
    Pad Length                               8 bits          1
    Next Header                              8 bits          1
 ESP Authentication Data                   (Variable x4?)
    Integrity Check Value       [ICV] ESP MD5 96 digest     12
    Padding Auth                              0
                                                         -------
                                                          1496 < 1500
I  use this to compute the pad:

8+(1446)+1+1= 1456
1456/8 = 182.00
1456-(182*8) = 0 so without padding





If we calcul for a ping -c 1 -s 1419 192.168.2.5

Encapsulating Security Payload (Tunnel Mode)
 IP Tunnel header                                           20
 ESP Header
    Security Parameters Index   [SPI]                        4
    Sequence Number                                          4
 Payload data                                 (variable)
    Initialization Vector       [IV]  IOS ESP-DES-3DES       8
    Data                                      (Variable)  1447
         IP Origin header                                               20
         ICMP Header                                                     8
         Data                                                         1419
    Padding Encrypt     IOS ESP-DES-3DES (variable 0->7)     7
 ESP Trailer
    Pad Length                               8 bits          1
    Next Header                              8 bits          1
 ESP Authentication Data                   (Variable x4?)
    Integrity Check Value       [ICV] ESP MD5 96 digest     12
    Padding Auth                              0
                                                         -------
                                                          1504 > 1500

And for the pad:

8+(1447)+1+1= 1457
1457/8 = 182.12
1457-(182*8) = 1 If not =0 we need to calcul the padding
8-1=7




Still have some problem with fragmentation in cisco, so I not be able to confirm this with tcpdump because the cisco start to fragment my paquet before the 1418 limit size of data, and for now not fragment for 1410 bytes of data but yes do frag for 1411 bytes paquet size: https://supportforums.cisco.com/thread/2075689

 

Don't know why but always had problem with the 8 magic lost bytes in cisco 8xx product !!!

I have a another discution with a opened tiquet to cisco support for an  another lost of 8 bytes: https://supportforums.cisco.com/thread/2058182

And this one is a 8 bytes problem too about a frag problem: https://supportforums.cisco.com/thread/2066638

 

Best regards.

----- Mail original -----
De: "Vincent Tamet" <vincent.tamet at ilimit.net>
À: dev at openswan.org
Cc: osg at free.fr
Envoyé: Lundi 31 Janvier 2011 13:50:32
Objet: [Openswan dev] MTU: tcpdump vs pmtu 1446

Hi,
I'm trying to understand why the MTU in my test tunnel is 1446.
Ruben in the irc canal #openswan, tell me to try here.

The 2 linux-box are in the same ethernet lan.

Mode Tunnel: 3des/md5-96

My calculs:
   MTU     IP SPI SN  IV  Data   Pad PL  NH  AUTH
  1500    -20 -4 -4 -( 8    x )  -0  -1  -1  -12  = 1450
The PMTU from a ping -M do give me 1446.

Can't understand where the problem is, I must miss something, but what ?

Best regards

Vincent Tamet.
OSG[PCQ]

PS: The dump is from a lan to internet configuration, but it's the same results.
-----------------------------------------------------------------------------
* ping 192.168.3.1 -c 1 -s 2
17:25:56.555463 00:06:5b:8a:a4:2b > 00:24:14:d9:f1:90, ethertype IPv4 (0x0800), length 44: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 30)
    192.168.2.5 > 192.168.3.1: ICMP echo request, id 46448, seq 1, length 10
        0x0000:  4500 001e 0000 4000 4001 b488 c0a8 0205  E..... at .@.......
        0x0010:  c0a8 0301 0800 428d b570 0001 0001       ......B..p....
-----------------------------------------------------------------------------
16:25:59.221603 08:1f:f3:e7:0e:65 > 00:23:7d:fd:bb:04, ethertype IPv4 (0x0800), length 94: (tos 0x0, ttl 253, id 1992, offset 0, flags [DF], proto ESP (50), length 80) 80.94.1.136 > 10.0.0.2: ESP(spi=0xdb14b228,seq=0x8), length 60
        0x0000:  4500 0050 07c8 4000 fd32 19cc 505e 0188  E..P.. at ..2..P^..
        0x0010:  0a00 0002 db14 b228 0000 0008 5957 445a  .......(....YWDZ
        0x0020:  5dcd 42b4 4500 001e 0000 4000 3f01 b588  ].B.E..... at .?...
        0x0030:  c0a8 0205 c0a8 0301 0800 428d b570 0001  ..........B..p..
        0x0040:  0001 0004 58c2 f376 69fa ede5 2584 f199  ....X..vi...%...
-----------------------------------------------------------------------------
_______________________________________________
Dev mailing list
Dev at openswan.org
http://lists.openswan.org/mailman/listinfo/dev


More information about the Dev mailing list