[Openswan Users] DSL modems in bridge mode and UDP fragmentation
mcr at sandelman.ottawa.on.ca
Sat Jan 3 23:54:23 CET 2004
>>>>> "Tim" == Tim Bouwer <TBouwer at pfn.com> writes:
Tim> There is no NAT or QoS.
>>> What happens if you just do:
>>> ping -s 5000 remoteend
Tim> They (not the ISP's, the people we are installing the VPN gateways
Tim> for) have acls preventing regular ICMP replies on their network edge
Tim> so I can't use that test on this network. On the DSL side, there is
Have this turned off. There is no point.
If you want to break your network, then you get problems with this.
ICMP is there for diagnostics.
Also, many firewalls think they cannot pass fragments onwards, because
they can't examine them. Maybe that CISCO is in fact the problem.
A diagram would help.
>>> If that breaks, your network is broken, and you should get a better
Tim> The problem is that this is a small town in Washington and I am
Tim> being told that Verizon is the common ISP (well they are being
That may be true, but it doesn't mean that they should provide you with no
service. As you point out, fragmented UDP packets are not common on WANs.
Tim> So the problem is actually very similar when NAT-T comes into play
Tim> since all communication is UDP - although the ESP packets would
Tim> never be IP fragments and therefore are not subject to this
No, it is not the same problem.
The PMTU problem is about packets that go through the tunnel. The tunnel is
too small for them. (Smaller again with NAT-T)
This is about packets on the outside.
] ON HUMILITY: to err is human. To moo, bovine. | firewalls [
] Michael Richardson, Xelerance Corporation, Ottawa, ON |net architect[
] mcr at xelerance.com http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
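The reply above separates two problems: fragmented UDP packets (IKE) on the outside of the tunnel, and the path-MTU problem for packets that travel through the tunnel, which gets worse with NAT-T. The following added example (written for this page, not code from the Openswan project or the list poster) makes the second point concrete: it computes how much room ESP tunnel mode leaves for an inner packet at a given outer path MTU, with and without the NAT-T UDP encapsulation, and what a gateway has to do with an inner packet that does not fit. Header sizes are the standard ones (IPv4 20 bytes, UDP 8, ESP SPI+sequence 8, pad-length/next-header trailer 2); the cipher block, IV and ICV lengths are parameters, with defaults for AES-CBC and HMAC-SHA1-96 chosen here as illustrative assumptions.

```python
# Added example: ESP tunnel-mode overhead and inner-packet MTU, with and
# without NAT-T (RFC 3948 UDP encapsulation). Not Openswan code.

OUTER_IP = 20      # outer IPv4 header, no options
UDP_ENCAP = 8      # NAT-T UDP header (port 4500)
ESP_HEADER = 8     # SPI + sequence number
ESP_TRAILER = 2    # pad length + next header


def esp_overhead(inner_len, block_size=16, iv_len=16, icv_len=12, nat_t=False):
    """Bytes added around an inner IP packet of inner_len bytes in tunnel mode.

    Defaults assume AES-CBC (16-byte block and IV) and HMAC-SHA1-96 (12-byte ICV);
    these are assumptions for the illustration, not values taken from the page.
    """
    # ESP padding aligns (payload + trailer) to the cipher block size.
    pad = (-(inner_len + ESP_TRAILER)) % block_size
    total = OUTER_IP + ESP_HEADER + iv_len + pad + ESP_TRAILER + icv_len
    if nat_t:
        total += UDP_ENCAP
    return total


def max_inner_packet(path_mtu, **esp_params):
    """Largest inner IP packet that fits path_mtu without fragmenting the outer packet."""
    for inner_len in range(path_mtu, 0, -1):
        if inner_len + esp_overhead(inner_len, **esp_params) <= path_mtu:
            return inner_len
    return 0


def classify_inner_packet(inner_len, df_set, path_mtu, **esp_params):
    """What the encrypting gateway must do with an inner packet of inner_len bytes."""
    limit = max_inner_packet(path_mtu, **esp_params)
    if inner_len <= limit:
        return "fits"
    if df_set:
        # The gateway must return ICMP "fragmentation needed" (type 3, code 4)
        # carrying MTU=limit to the original sender. If ICMP is filtered on the
        # way back, the sender never learns the tunnel MTU: a PMTU black hole.
        return "icmp-frag-needed"
    # DF clear: the gateway fragments the *outer* ESP packet; the far gateway
    # must reassemble the fragments before it can authenticate and decrypt.
    return "outer-fragment"


if __name__ == "__main__":
    for nat_t in (False, True):
        print(f"NAT-T={nat_t}: max inner packet at path MTU 1500 = "
              f"{max_inner_packet(1500, nat_t=nat_t)} bytes")
    for df in (True, False):
        print(f"1500-byte inner packet, DF={df}: "
              f"{classify_inner_packet(1500, df, 1500)}")
```

With the defaults, a 1500-byte outer path leaves 1438 bytes for the inner packet, and 1422 bytes once NAT-T adds its UDP header; a 3DES-CBC setting (block and IV of 8 bytes) leaves 1446. The "icmp-frag-needed" branch is why the reply insists on keeping ICMP reachable: filtering it turns an ordinary tunnel MTU reduction into silently dropped traffic.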