[Openswan Users] DSL modems in bridge mode and UDP fragmentat ion

Michael Richardson mcr at sandelman.ottawa.on.ca
Sat Jan 3 23:54:23 CET 2004


-----BEGIN PGP SIGNED MESSAGE-----


>>>>> "Tim" == Tim Bouwer <TBouwer at pfn.com> writes:
    Tim> There is no NAT or QoS.

    >>> What happens if you just do:

    >>> ping -s 5000 remoteend

    Tim> They (not the ISP's, the people we are installing the VPN gateways
    Tim> for) have acls preventing regular ICMP replies on their network edge
    Tim> so I can't use that test on this network.  On the DSL side, there is

  Have this turned off. There is no point. 
  If you want to break your network, then you get problems with this. 
  ICMP is there for diagnostics.

  Also, many firewalls think they can not pass fragments onwards, because
they can't examine them. Maybe that CISCO is in fact the problem.
  A diagram would help.

    >>> If that breaks, your network is broken, and you should get a better
    >>> ISP.

    Tim> The problem is that this is a small town in Washington and I am
    Tim> being told that Verizon is the common ISP (well they are being

  That may be true, but it doesn't mean that they should provide you with no
service. As you point out, fragmented UDP packets are not common on WANs.

    Tim> So the problem is actually very similar when NAT-T comes into play
    Tim> since all communication is UDP - although the ESP packets would
    Tim> never be IP fragments and therefore are not be subject to this
    Tim> symptom.

  No, it is not the same problem.
  The PMTU problem is about packets that go through the tunnel. The tunnel is
too small for them. (Smaller again with NAT-T)

  This is about packets on the outside.

]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
]   Michael Richardson,    Xelerance Corporation, Ottawa, ON    |net architect[
] mcr at xelerance.com      http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)
Comment: Finger me for keys

iQCVAwUBP/ecfYqHRg3pndX9AQHVoQQAoHYdR9Na1Vku54ntOx6+OS0e6TkLeTNA
l1DfX6zW9abm/y9pOve/k57BByOYtD8AnBhGzBbT9iHySuEx1wdMdYG1XQcuWzQp
UWKzCK/CAm24D7XtuG7rG+o6NHua8eNitrSssBYjVe6ok4yYQHR/2sQ72dlqSbio
YWz9f+7fvpw=
=rgQQ
-----END PGP SIGNATURE-----


More information about the Users mailing list