[Openswan Users] DSL modems in bridge mode and UDP fragmentation
Michael Richardson
mcr at sandelman.ottawa.on.ca
Sat Jan 3 19:32:25 CET 2004
-----BEGIN PGP SIGNED MESSAGE-----
>>>>> "Tim" == Tim Bouwer <TBouwer at pfn.com> writes:
Tim> that the outbound IKE was failing. It was reaching State M3 on the
Tim> DSL side but on the remote side it was never completing the IKE. We
Tim> used tcpdump on each end and discovered that where the IKE was
Tim> fragmented (seemingly inevitable if you use x509 certificates for
Tim> authentication), only the first packet in the fragmented chain was
No, it isn't inevitable.
It is only going to occur if you transmit the certificates. There is very
little reason to do that.
Unless you have 1000 road warriors, I don't see a reason to do that. It
just causes problems, like the one that you have.
Tim> The DSL side is called branch1 and the remote site is called
Tim> headoffice.
Tim> tcpdump -i eth0 <hostip> udp and host <remotehostip>
Tim> - on the sending side:
Tim> 06:01:09.699671 branch1.isakmp > headoffice.isakmp: isakmp: phase 1 I ident[E]: [|id] (frag 30873:1480@0+)
Tim> 06:01:09.699691 branch1 > headoffice: (frag 30873:172@1480)
Tim> - on the receiving side:
Tim> 06:02:28.507581 branch1.isakmp > headoffice.isakmp: isakmp: phase 1 I ident[E]: [|id] (frag 30873:1480@0+)
Tim> This rang a bell - there have been a series of discussions on the
Tim> freeswan lists about PMTU - along with an overridemtu setting in
This refers to IPsec data, not UDP data.
Your DSL modems and/or your ISPs network are broken.
Tim> However, the initial fragment has a size of 1480 and gets through -
Tim> the subsequent fragment is smaller and doesn't.
Is there any NAT involved?
Is there any QoS for you or your ISP?
What happens if you just do:
ping -s 5000 remoteend
If that breaks, your network is broken, and you should get a better ISP.
Tim> Another bell that was ringing was that we had experienced problems
Tim> with NAT-T and some cable routers which were resolved by upgrading
Tim> the firmware. I know that this has nothing to do with IKE, but it
Tim> created a suspicion about the DSL modem.
NAT-T does have to do with IKE, since the ESP packets are transmitted over
the same UDP channel as the IKE channel.
Tim> The business class DSL world apparently uses either DSL routers or
Tim> DSL modems in bridge mode. The bridge mode supposedly forwards all
Tim> packets to the DSLAM and from there on to the internet. We have
Tim> several people using DSL routers on other carriers and this problem
Tim> has never come up before.
Then the problem is likely a QoS box or firewall at the ISP.
Tim> It is sort of obvious why this hasn't come up much. Large UDP
Tim> packets are probably only found in tftp, nfs and IKE (any
Tim> others). tftp and NFS are not used on public networks (well,
Tim> hopefully not) and since many VPN solutions use pre-shared keys
Tim> which are smallish, the UDP packets in the IKE are small enough
Tim> never to need fragmenting.
Well, many ISPs think that a VPN is when they sell you two T1s, and connect them.
Tim> It would be great to get a list of dsl modems in this mode that
Tim> actually do handle UDP fragments properly.
IF they are truly in bridge mode, then they wouldn't care.
They aren't in bridge mode, it would seem. They are doing some kind of
layer-3 awareness.
Tim> I have been in touch with Westell tech support (I sent them a copy
Tim> of this message) and am waiting for more information from them
Tim> regarding this problem.
Good luck.
Please post.
] ON HUMILITY: to err is human. To moo, bovine. | firewalls [
] Michael Richardson, Xelerance Corporation, Ottawa, ON |net architect[
] mcr at xelerance.com http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)
Comment: Finger me for keys
iQCVAwUBP/dfE4qHRg3pndX9AQHMFgP7BgcW/mrG54wrollw1AfsykNBDP8a7Qk3
kdNImC9Uka+UhoKrWPP0Ge/lZ7HxQFLKFLSmxouoh6uGbqPCYb5kw0/TRgIdaCi7
5b6z0Gtag1LzdgVYNC1H4a/tuP/53JsJ3R9iZiJNy59Pv3qFt2lcbXGwCSy9/hcj
1jzf1LSH9yQ=
=yX3h
-----END PGP SIGNATURE-----
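The diagnostic in the thread is to run tcpdump on both ends and compare which IP fragments of the large IKE datagram arrive. The following script automates that comparison; it is an added example and not code from the Openswan project or from either poster. It parses the "(frag id:len@offset[+])" annotation tcpdump prints (the list archive rewrites "@" as " at ", so both spellings are accepted), groups fragments by IP identification, and reports the byte ranges a receiver never saw. The two captures embedded below are constructed from the lines Tim posted; hostnames and timestamps are theirs, but the capture text as a whole is assumed sample input. Note what the second sender line shows: only the first fragment carries the UDP header, so it is the only one tcpdump can label "isakmp"; a middlebox that matches on UDP ports sees the trailing fragment as an anonymous IP packet, which is exactly the fragment that goes missing.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# tcpdump prints IP fragments as "(frag <id>:<bytes>@<offset>[+])"; the
# trailing '+' means the More-Fragments bit is set.  Mailing-list archives
# rewrite '@' as ' at ', so both spellings are accepted here.
FRAG_RE = re.compile(r"\(frag\s+(\d+):(\d+)(?:@|\s+at\s+)(\d+)(\+?)\)")

# Constructed sample captures, based on the lines quoted in the thread.
SENDER_CAPTURE = """\
06:01:09.699671 branch1.isakmp > headoffice.isakmp: isakmp: phase 1 I ident[E]: [|id] (frag 30873:1480@0+)
06:01:09.699691 branch1 > headoffice: (frag 30873:172@1480)
"""
RECEIVER_CAPTURE = """\
06:02:28.507581 branch1.isakmp > headoffice.isakmp: isakmp: phase 1 I ident[E]: [|id] (frag 30873:1480 at 0+)
"""


@dataclass(frozen=True)
class Fragment:
    ip_id: int    # IP identification field shared by all pieces of one datagram
    length: int   # payload bytes carried by this fragment
    offset: int   # byte offset of that payload within the original datagram
    more: bool    # More-Fragments flag


def parse_fragments(capture_text):
    """Return {ip_id: [Fragment, ...]} for every fragment line in the capture."""
    groups = defaultdict(list)
    for m in FRAG_RE.finditer(capture_text):
        ip_id, length, offset, more = m.groups()
        frag = Fragment(int(ip_id), int(length), int(offset), more == "+")
        groups[frag.ip_id].append(frag)
    return dict(groups)


def reassembly_status(frags):
    """
    Walk one datagram's fragments in offset order and decide whether a
    receiver could reassemble it.

    Returns (complete, covered_bytes, gaps).  Each gap is a (start, end)
    byte range never seen; end is None when the tail is missing, i.e. no
    fragment with More-Fragments clear was ever observed.
    """
    gaps = []
    expected = 0
    saw_last = False
    for f in sorted(frags, key=lambda frag: frag.offset):
        if f.offset > expected:
            gaps.append((expected, f.offset))
        expected = max(expected, f.offset + f.length)
        if not f.more:
            saw_last = True
    if not saw_last:
        gaps.append((expected, None))
    return (not gaps, expected, gaps)


def compare_captures(sender_text, receiver_text):
    """
    For every datagram the sender fragmented, report whether the sender
    emitted all pieces and which byte ranges never reached the receiver.
    """
    sent = parse_fragments(sender_text)
    received = parse_fragments(receiver_text)
    report = {}
    for ip_id, frags in sent.items():
        sent_ok, sent_len, _ = reassembly_status(frags)
        rx_ok, _, rx_gaps = reassembly_status(received.get(ip_id, []))
        report[ip_id] = {
            "sent_bytes": sent_len,
            "sender_complete": sent_ok,
            "receiver_complete": rx_ok,
            "missing_at_receiver": rx_gaps,
        }
    return report


if __name__ == "__main__":
    for ip_id, r in compare_captures(SENDER_CAPTURE, RECEIVER_CAPTURE).items():
        print(f"IP id {ip_id}: sent {r['sent_bytes']} bytes, "
              f"sender complete={r['sender_complete']}, "
              f"receiver complete={r['receiver_complete']}, "
              f"missing at receiver={r['missing_at_receiver']}")
```

On the sample captures the sender's datagram is complete (1652 bytes in two pieces) while the receiver's copy stops at byte 1480 with More-Fragments still set, so the tail is reported as missing. When taking the real captures, keep the filter at the IP layer as Tim did ("udp and host ..."): a port-based filter such as "udp port 500" only matches the first fragment, because the UDP header is not repeated in the later ones, and would hide the very packets being looked for.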