[Openswan Users] DSL modems in bridge mode and UDP fragmentation

Michael Richardson mcr at sandelman.ottawa.on.ca
Sat Jan 3 19:32:25 CET 2004 

-----BEGIN PGP SIGNED MESSAGE-----


>>>>> "Tim" == Tim Bouwer <TBouwer at pfn.com> writes:
    Tim> that the outbound IKE was failing.  It was reaching State M3 on the
    Tim> DSL side but on the remote side it was never completing the IKE.  We
    Tim> used tcpdump on each end and discovered that where the IKE was
    Tim> fragmented (seemingly inevitable if you use x509 certificates for
    Tim> authentication), only the first packet in the fragmented chain was

  No, it isn't inevitable. 
  It is only going to occur if you transmit the certificates.  There is very
little reason to do that.

  Unless you have 1000 road warriors, I don't see a reason to do that. It
just causes problems, like the one that you have.

    Tim> The DSL side is called branch1 and the remote site is called
    Tim> headoffice.

    Tim> tcpdump -i eth0 <hostip> udp and host <remotehostip> - on the
    Tim> sending side; 06:01:09.699671 branch1.isakmp > headoffice.isakmp:
    Tim> isakmp: phase 1 I ident[E]: [|id] (frag 30873:1480 at 0+)
    Tim> 06:01:09.699691 branch1 > headoffice: (frag 30873:172 at 1480) - on the
    Tim> receiving side 06:02:28.507581 branch1.isakmp > headoffice.isakmp:
    Tim> isakmp: phase 1 I ident[E]: [|id] (frag 30873:1480 at 0+)

    Tim> This rang a bell - there have been a series of discussions on the
    Tim> freeswan lists about PMTU - along with a overridemtu setting in

  This refers to IPsec data, not UDP data.

  Your DSL modems and/or your ISPs network are broken.

    Tim> However, the initial fragment has a size of 1480 and gets through -
    Tim> the subsequent fragment is smaller and doesn't.

  Is there any NAT involved?
  Is there any QoS for you or your ISP?

  What happens if you just do:

       ping -s 5000 remoteend

  If that breaks, your network is broken, and you should get a better ISP.
  
    Tim> Another bell that was ringing was that we had experienced problems
    Tim> with NAT-T and some cable routers which were resolved by ugrading
    Tim> the firmware.  I know that this has nothing to do with IKE, but it
    Tim> created a suspiscion about the DSL modem.

  NAT-T does have to do with IKE, since the ESP packets are transmitted over
the same UDP channel as the IKE channel.

    Tim> The business class DSL world apparently use either DSL routers or
    Tim> DSL modems in bridge mode.  The bridge mode supposedly forwards all
    Tim> packets to the DSLAM and from there on to the internet.  We have
    Tim> several people using DSL routers on other carriers and this problem
    Tim> has never come up before.

  Then the problem is likely a QoS box or firewall at the ISP.

    Tim> It is sort of obvious why this hasn't come up much.  Large UDP
    Tim> packets are probably only found in tftp, nfs and IKE (any
    Tim> others). tftp and NFS are not used on public networks (well,
    Tim> hopefully not) and since many VPN solutions use pre-shared keys
    Tim> which are smallish, the UDP packets in the IKE are small enough
    Tim> never to need fragmenting.

  Well, many ISPs think that a VPN is when sell you two T1s, and connect them.

    Tim> It would be great to get a list of dsl modems in this mode that
    Tim> actually do handle UDP fragments properly.

  IF they are truly in bridge mode, then they wouldn't care.
  They aren't in bridge mode, it would seem. They are doing some kind of
layer-3 awareness. 

    Tim> I have been in touch with Westell tech support (I send them a copy
    Tim> of this message) and am waiting for more information from them
    Tim> regarding this problem.

  Good luck.
  Please post.

]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
]   Michael Richardson,    Xelerance Corporation, Ottawa, ON    |net architect[
] mcr at xelerance.com      http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)
Comment: Finger me for keys

iQCVAwUBP/dfE4qHRg3pndX9AQHMFgP7BgcW/mrG54wrollw1AfsykNBDP8a7Qk3
kdNImC9Uka+UhoKrWPP0Ge/lZ7HxQFLKFLSmxouoh6uGbqPCYb5kw0/TRgIdaCi7
5b6z0Gtag1LzdgVYNC1H4a/tuP/53JsJ3R9iZiJNy59Pv3qFt2lcbXGwCSy9/hcj
1jzf1LSH9yQ=
=yX3h
-----END PGP SIGNATURE-----

More information about the Users mailing list