[Openswan Users] DSL modems in bridge mode and UDP fragmentation

Tim Bouwer TBouwer at pfn.com
Sat Jan 3 21:32:40 CET 2004

Thanks for your response.

>>  No, it isn't inevitable. 

>>  It is only going to occur if you transmit the certificates.  There is
>>  little reason to do that.

>>  Unless you have 1000 road warriors, I don't see a reason to do that. It
>>  just causes problems, like the one that you have.

We use x509 across the board for authentication of the Freeswan gateways and
for our roadwarriors and also as the basis for the encryption in preference
to preshared keys - it would be difficult for us to change this.   This is
the first time that we have come across this in about 3 years of using
freeswan on various networks - but it is an ugly one because although we can
prove by sending ANY large UDP packets through the modem that the fragments
are being dropped, the problem is getting someone to admit that their
equipment is faulty.

Also, the packets coming downstream to the branch1 site are all making it
through - it is only outbound packets that are affected.  Verizon tech
support claim that they can't see the fragments outbound on their network
beyond branch1 either, so (if I can believe that the technician was sniffing
their network when he told me this) it does appear to be the modem at fault.

>  Your DSL modems and/or your ISPs network are broken.

>>    Tim> However, the initial fragment has a size of 1480 and gets through;
>>    Tim> the subsequent fragment is smaller and doesn't.

>>  Is there any NAT involved?
>>  Is there any QoS for you or your ISP?

There is no NAT or QoS.

>>  What happens if you just do:

>>       ping -s 5000 remoteend

They (not the ISP's, the people we are installing the VPN gateways for) have
ACLs preventing regular ICMP replies on their network edge, so I can't use
that test on this network.  On the DSL side, there is a Cisco switch between
us and the DSL modem with this ACL in place and on the far side on a CISCO

>>  If that breaks, your network is broken, and you should get a better ISP.

The problem is that this is a small town in Washington and I am being told
that Verizon is the common ISP (well they are being resold by a local ISP
who doesn't supply the networking equipment).  There aren't that many
options available there - although I am tempted to suggest cable.

>>    Tim> Another bell that was ringing was that we had experienced
>>    Tim> with NAT-T and some cable routers which were resolved by upgrading
>>    Tim> the firmware.  I know that this has nothing to do with IKE, but
>>    Tim> created a suspicion about the DSL modem.

>  NAT-T does have to do with IKE, since the ESP packets are transmitted over
>  the same UDP channel as the IKE channel.

So the problem is actually very similar when NAT-T comes into play since all
communication is UDP - although the ESP packets would never be IP fragments
and therefore are not subject to this symptom.

>>    Tim> It would be great to get a list of dsl modems in this mode that
>>    Tim> actually do handle UDP fragments properly.

>  IF they are truly in bridge mode, then they wouldn't care.
>  They aren't in bridge mode, it would seem. They are doing some kind of
>  layer-3 awareness. 

This is one of the frustrations - it appears that "bridge" mode is
describing an intention and not what is actually being done with the packets
in this case - since it is demonstrably not bridging for large UDP packets.

>>    Tim> I have been in touch with Westell tech support (I sent them a copy
>>    Tim> of this message) and am waiting for more information from them
>>    Tim> regarding this problem.

>  Good luck.
>  Please post.

Thanks for the comments and suggestions.  I'll post a follow-up as soon as
we have some positive developments or resolutions here.  We are about to
start cycling through a few better-known modems (including Cisco) and hope
to find one that works properly in this context.
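Added example, not from this thread or from the Openswan/FreeS/WAN project: a small Python model of what the thread is describing. It splits a UDP datagram (such as an IKE main-mode message that carries an X.509 certificate) into IPv4 fragments at a 1500-byte MTU, shows that only the first fragment carries the UDP header and therefore the port numbers, and models a hypothetical "bridge" that matches on UDP port 500 and so cannot match the non-initial fragments. A reassembly check then reports exactly which byte range never arrived, which is the evidence you would want before blaming the modem. Payload sizes, the filter model and all function names are assumptions for illustration.

```python
"""Model of IPv4 fragmentation of a large UDP (IKE) datagram.

Added example, not code from the Openswan thread. Constructed sizes:
a 1500-byte Ethernet MTU, a 2000-byte IKE payload (certificate inside),
and a hypothetical port-500 filter standing in for a 'layer-3 aware'
DSL modem. Nothing here touches the network; it only does arithmetic.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

IP_HEADER = 20     # IPv4 header without options
UDP_HEADER = 8
IKE_PORT = 500     # ISAKMP/IKE; NAT-T uses 4500 the same way


@dataclass
class Fragment:
    offset: int                 # byte offset of this data within the IP payload
    data_len: int               # bytes of IP payload carried in this fragment
    more_fragments: bool        # the MF bit
    src_port: Optional[int]     # UDP ports are only visible in the first fragment
    dst_port: Optional[int]

    @property
    def offset_units(self) -> int:
        """Fragment offset as carried in the header: units of 8 bytes."""
        return self.offset // 8

    @property
    def wire_len(self) -> int:
        return IP_HEADER + self.data_len


def fragment_udp(payload_len: int, mtu: int = 1500,
                 port: int = IKE_PORT) -> List[Fragment]:
    """Split a UDP datagram with payload_len application bytes into IPv4
    fragments that each fit in mtu. Every fragment but the last carries a
    multiple of 8 data bytes, as the 8-byte fragment-offset field requires."""
    total = UDP_HEADER + payload_len          # IP payload = UDP header + data
    max_data = (mtu - IP_HEADER) // 8 * 8     # 1480 for a 1500-byte MTU
    frags: List[Fragment] = []
    offset = 0
    while offset < total:
        size = min(max_data, total - offset)
        first = offset == 0
        frags.append(Fragment(offset=offset, data_len=size,
                              more_fragments=offset + size < total,
                              src_port=port if first else None,
                              dst_port=port if first else None))
        offset += size
    return frags


def naive_port_filter(frags: List[Fragment],
                      allowed_port: int = IKE_PORT) -> List[Fragment]:
    """Hypothetical model of a device that claims to bridge but matches on the
    UDP destination port. Non-initial fragments carry no UDP header, so the
    match fails and they are dropped; this reproduces the thread's symptom of
    'first fragment gets through, the rest do not'."""
    return [f for f in frags if f.dst_port == allowed_port]


def missing_ranges(received: List[Fragment],
                   total_len: int) -> List[Tuple[int, int]]:
    """Byte ranges [start, end) of the original IP payload that no received
    fragment covers. An empty list means reassembly would succeed."""
    gaps: List[Tuple[int, int]] = []
    expected = 0
    for f in sorted(received, key=lambda f: f.offset):
        if f.offset > expected:
            gaps.append((expected, f.offset))
        expected = max(expected, f.offset + f.data_len)
    if expected < total_len:
        gaps.append((expected, total_len))
    return gaps


if __name__ == "__main__":
    # Constructed case: IKE message carrying a certificate, 2000 bytes.
    sent = fragment_udp(2000)
    total = sum(f.data_len for f in sent)
    for f in sent:
        print(f"offset={f.offset:5d} ({f.offset_units:3d}x8) wire={f.wire_len:4d} "
              f"MF={int(f.more_fragments)} dst_port={f.dst_port}")
    arrived = naive_port_filter(sent)
    print("missing after port filter:", missing_ranges(arrived, total))
    # A certificate-free exchange that fits one packet is unaffected.
    small = fragment_udp(400)
    print("small datagram fragments:", len(small),
          "missing:", missing_ranges(naive_port_filter(small), 408))
```

The same arithmetic explains the remark earlier in the thread that the problem only appears when certificates are sent: an IKE message without the certificate payload fits in a single 1500-byte packet, never fragments, and always carries its UDP header past a port-matching device. It also shows why ESP-in-UDP (NAT-T) traffic normally escapes the symptom, since the kernel sizes those packets to the path MTU rather than fragmenting them.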

