[Openswan Users] tcpdump + mtu

Bernd Weber bwinfo at gwk-gmbh.de
Wed Oct 13 19:16:44 CEST 2004


Hi everybody,

I have some very strange effects since I switched to kernel 2.6.5 (Suse 
9.1 Kernel 2.6.5-108-default)

The setup is a road-warrior configuration connecting to a freeswan 1.98b 
via RSA keys.
The road-warrior is connected via pppoed (dsl), the other side is fixed.

This setup worked well with Kernel 2.4 and Freeswan 1.98b.

I can connect - no problem with that. I can ping, however if I start
tcpdump on the ppp0 interface I will see for
each ICMP Echo/Reply pair

1. an encrypted outgoing packet
2. a decrypted incoming packet
3. the same decrypted incoming packet again.

...
17:54:40.924000 IP p5080CFB7.dip0.t-ipconnect.de > server.biz: ESP(spi=0xab0529f4,seq=0x38)
17:54:41.015717 IP server.biz > p5080CFB7.dip0.t-ipconnect.de: ESP(spi=0xd880e707,seq=0x3e)
17:54:41.015717 IP 192.168.16.2 > 192.168.0.31: icmp 64: echo reply seq 1
17:54:41.015717 IP 192.168.16.2 > 192.168.0.31: icmp 64: echo reply seq 1
17:54:41.925114 IP p5080CFB7.dip0.t-ipconnect.de > server.biz: ESP(spi=0xab0529f4,seq=0x39)
17:54:42.016399 IP server.biz > p5080CFB7.dip0.t-ipconnect.de: ESP(spi=0xd880e707,seq=0x3f)
17:54:42.016399 IP 192.168.16.2 > 192.168.0.31: icmp 64: echo reply seq 2
17:54:42.016399 IP 192.168.16.2 > 192.168.0.31: icmp 64: echo reply seq 2
...

I think I should see a decrypted (better: Not yet encrypted) outgoing packet and just one incoming packet.

This is pretty annoying because it makes debugging of the following
problem nearly impossible, so help would be appreciated.
Using the newest tcpdump version 3.8.3 and libpcap version 0.8.3 did
not help.

---
The more disturbing problem I have seems to be with the MTU. Small
packets will pass the tunnel, large incoming packets will hang.
I can ssh to a remote server - however the terminal will hang when I do 
a "cat /etc/services". Same happens with larger SMTP traffic and so on.

When I play with the MTU of the ppp interface (initially 1492 because of 
the pppoe) I can work around some of these effects, however a sftp put 
transfer remote to local will always fail - my guess is that the mtu 
discovery fails.

Does anybody have an idea (apart from going back to kernel 2.4)?


The conversation for "cat /etc/services" (well, the half we are logging
with tcpdump) looks like this
...
18:06:37.119417 IP p5080CFB7.dip0.t-ipconnect.de > server.biz: 
ESP(spi=0xab0529f4,seq=0xaa)
18:06:37.298515 IP p5080CFB7.dip0.t-ipconnect.de > server.biz: 
ESP(spi=0xab0529f4,seq=0xab)
18:06:37.389020 IP server.biz > p5080CFB7.dip0.t-ipconnect.de: 
ESP(spi=0xd880e707,seq=0xa1)
18:06:37.389020 IP 192.168.16.2.ssh > 192.168.0.31.50941: P 
2594:2642(48) ack 2479 win 9120 <nop,nop,timestamp 2178972926 633546734>
18:06:37.389020 IP 192.168.16.2.ssh > 192.168.0.31.50941: P 
2594:2642(48) ack 2479 win 9120 <nop,nop,timestamp 2178972926 633546734>
18:06:37.389568 IP p5080CFB7.dip0.t-ipconnect.de > server.biz: 
ESP(spi=0xab0529f4,seq=0xac)
18:06:37.594403 IP p5080CFB7.dip0.t-ipconnect.de > server.biz: 
ESP(spi=0xab0529f4,seq=0xad)
18:06:37.653270 IP p5080CFB7.dip0.t-ipconnect.de > server.biz: 
ESP(spi=0xab0529f4,seq=0xae)
18:06:37.686180 IP server.biz > p5080CFB7.dip0.t-ipconnect.de: 
ESP(spi=0xd880e707,seq=0xa2)
18:06:37.686180 IP 192.168.16.2.ssh > 192.168.0.31.50941: P 
2642:2690(48) ack 2527 win 9120 <nop,nop,timestamp 2178973223 633547030>
18:06:37.686180 IP 192.168.16.2.ssh > 192.168.0.31.50941: P 
2642:2690(48) ack 2527 win 9120 <nop,nop,timestamp 2178973223 633547030>
18:06:37.686680 IP p5080CFB7.dip0.t-ipconnect.de > server.biz: 
ESP(spi=0xab0529f4,seq=0xaf)
18:06:37.744619 IP server.biz > p5080CFB7.dip0.t-ipconnect.de: 
ESP(spi=0xd880e707,seq=0xa3)
18:06:37.744619 IP 192.168.16.2.ssh > 192.168.0.31.50941: P 
2690:2738(48) ack 2575 win 9120 <nop,nop,timestamp 2178973282 633547089>
18:06:37.744619 IP 192.168.16.2.ssh > 192.168.0.31.50941: P 
2690:2738(48) ack 2575 win 9120 <nop,nop,timestamp 2178973282 633547089>
18:06:37.745147 IP p5080CFB7.dip0.t-ipconnect.de > server.biz: 
ESP(spi=0xab0529f4,seq=0xb0)
18:06:37.800261 IP p5080CFB7.dip0.t-ipconnect.de > server.biz: 
ESP(spi=0xab0529f4,seq=0xb1)
18:06:37.901703 IP server.biz > p5080CFB7.dip0.t-ipconnect.de: 
ESP(spi=0xd880e707,seq=0xa4)
18:06:37.901703 IP 192.168.16.2.ssh > 192.168.0.31.50941: P 
2738:2786(48) ack 2623 win 9120 <nop,nop,timestamp 2178973430 633547236>
18:06:37.901703 IP 192.168.16.2.ssh > 192.168.0.31.50941: P 
2738:2786(48) ack 2623 win 9120 <nop,nop,timestamp 2178973430 633547236>
18:06:37.902236 IP p5080CFB7.dip0.t-ipconnect.de > server.biz: 
ESP(spi=0xab0529f4,seq=0xb2)
18:06:40.323089 IP p5080CFB7.dip0.t-ipconnect.de > server.biz: 
ESP(spi=0xab0529f4,seq=0xb3)
18:06:40.413299 IP server.biz > p5080CFB7.dip0.t-ipconnect.de: 
ESP(spi=0xd880e707,seq=0xa5)
18:06:40.413299 IP 192.168.16.2.ssh > 192.168.0.31.50941: P 
2786:2834(48) ack 2671 win 9120 <nop,nop,timestamp 2178975951 633549760>
18:06:40.413299 IP 192.168.16.2.ssh > 192.168.0.31.50941: P 
2786:2834(48) ack 2671 win 9120 <nop,nop,timestamp 2178975951 633549760>
18:06:40.413840 IP p5080CFB7.dip0.t-ipconnect.de > server.biz: 
ESP(spi=0xab0529f4,seq=0xb4)
18:06:40.467445 IP server.biz > p5080CFB7.dip0.t-ipconnect.de: 
ESP(spi=0xd880e707,seq=0xa6)
18:06:40.476127 IP server.biz > p5080CFB7.dip0.t-ipconnect.de: esp
18:06:40.477491 IP server.biz > p5080CFB7.dip0.t-ipconnect.de: esp
... here we start hanging ...
18:06:40.477491 IP 192.168.16.2.ssh > 192.168.0.31.50941: . 
2834:4282(1448) ack 2671 win 9120 <nop,nop,timestamp 2178975961 633549760>
18:06:40.477491 IP 192.168.16.2.ssh > 192.168.0.31.50941: . 
2834:4282(1448) ack 2671 win 9120 <nop,nop,timestamp 2178975961 633549760>
18:06:40.499816 IP server.biz > p5080CFB7.dip0.t-ipconnect.de: 
ESP(spi=0xd880e707,seq=0xa7)
18:06:40.508501 IP server.biz > p5080CFB7.dip0.t-ipconnect.de: esp
18:06:40.508501 IP 192.168.16.2.ssh > 192.168.0.31.50941: . 
2834:4217(1383) ack 2671 win 9120 <nop,nop,timestamp 2178975962 633549760>
18:06:40.508501 IP 192.168.16.2.ssh > 192.168.0.31.50941: . 
2834:4217(1383) ack 2671 win 9120 <nop,nop,timestamp 2178975962 633549760>
18:06:40.524382 IP server.biz > p5080CFB7.dip0.t-ipconnect.de: 
ESP(spi=0xd880e707,seq=0xa8)
18:06:40.524382 IP 192.168.16.2.ssh > 192.168.0.31.50941: . 
4217:4282(65) ack 2671 win 9120 <nop,nop,timestamp 2178976040 633549851>
18:06:40.524382 IP 192.168.16.2.ssh > 192.168.0.31.50941: . 
4217:4282(65) ack 2671 win 9120 <nop,nop,timestamp 2178976040 633549851>
18:06:40.524915 IP p5080CFB7.dip0.t-ipconnect.de > server.biz: 
ESP(spi=0xab0529f4,seq=0xb5)
18:06:40.562142 IP server.biz > p5080CFB7.dip0.t-ipconnect.de: 
ESP(spi=0xd880e707,seq=0xa9)
18:06:40.570347 IP server.biz > p5080CFB7.dip0.t-ipconnect.de: esp
18:06:40.570347 IP 192.168.16.2.ssh > 192.168.0.31.50941: . 
4282:5665(1383) ack 2671 win 9120 <nop,nop,timestamp 2178976040 633549851>
18:06:40.570347 IP 192.168.16.2.ssh > 192.168.0.31.50941: . 
4282:5665(1383) ack 2671 win 9120 <nop,nop,timestamp 2178976040 633549851>
18:06:40.644696 IP server.biz > p5080CFB7.dip0.t-ipconnect.de: 
ESP(spi=0xd880e707,seq=0xaa)
18:06:40.644696 IP 192.168.16.2.ssh > 192.168.0.31.50941: . 
5665:5730(65) ack 2671 win 9120 <nop,nop,timestamp 2178976181 633549962>
18:06:40.644696 IP 192.168.16.2.ssh > 192.168.0.31.50941: . 
5665:5730(65) ack 2671 win 9120 <nop,nop,timestamp 2178976181 633549962>
18:06:40.645230 IP p5080CFB7.dip0.t-ipconnect.de > server.biz: 
ESP(spi=0xab0529f4,seq=0xb6)
18:06:40.773352 IP server.biz > p5080CFB7.dip0.t-ipconnect.de: 
ESP(spi=0xd880e707,seq=0xab)
18:06:40.781514 IP server.biz > p5080CFB7.dip0.t-ipconnect.de: esp
18:06:40.781514 IP 192.168.16.2.ssh > 192.168.0.31.50941: . 
5730:7113(1383) ack 2671 win 9120 <nop,nop,timestamp 2178976273 633550082>
18:06:40.781514 IP 192.168.16.2.ssh > 192.168.0.31.50941: . 
5730:7113(1383) ack 2671 win 9120 <nop,nop,timestamp 2178976273 633550082>
18:06:40.833745 IP server.biz > p5080CFB7.dip0.t-ipconnect.de: 
ESP(spi=0xd880e707,seq=0xac)
18:06:40.841939 IP server.biz > p5080CFB7.dip0.t-ipconnect.de: esp
18:06:40.841939 IP 192.168.16.2.ssh > 192.168.0.31.50941: . 
2834:4217(1383) ack 2671 win 9120 <nop,nop,timestamp 2178976333 633550082>
18:06:40.841939 IP 192.168.16.2.ssh > 192.168.0.31.50941: . 
2834:4217(1383) ack 2671 win 9120 <nop,nop,timestamp 2178976333 633550082>
18:06:41.418898 IP server.biz > p5080CFB7.dip0.t-ipconnect.de: 
ESP(spi=0xd880e707,seq=0xad)
18:06:41.427531 IP server.biz > p5080CFB7.dip0.t-ipconnect.de: esp
18:06:41.427531 IP 192.168.16.2.ssh > 192.168.0.31.50941: . 
2834:4217(1383) ack 2671 win 9120 <nop,nop,timestamp 2178976919 633550082>
18:06:41.427531 IP 192.168.16.2.ssh > 192.168.0.31.50941: . 
2834:4217(1383) ack 2671 win 9120 <nop,nop,timestamp 2178976919 633550082>
18:06:42.589184 IP server.biz > p5080CFB7.dip0.t-ipconnect.de: 
ESP(spi=0xd880e707,seq=0xae)
18:06:42.597802 IP server.biz > p5080CFB7.dip0.t-ipconnect.de: esp
18:06:42.597802 IP 192.168.16.2.ssh > 192.168.0.31.50941: . 
2834:4217(1383) ack 2671 win 9120 <nop,nop,timestamp 2178978091 633550082>
18:06:42.597802 IP 192.168.16.2.ssh > 192.168.0.31.50941: . 
2834:4217(1383) ack 2671 win 9120 <nop,nop,timestamp 2178978091 633550082>
18:06:44.934099 IP server.biz > p5080CFB7.dip0.t-ipconnect.de: 
ESP(spi=0xd880e707,seq=0xaf)
18:06:44.942243 IP server.biz > p5080CFB7.dip0.t-ipconnect.de: esp
18:06:44.942243 IP 192.168.16.2.ssh > 192.168.0.31.50941: . 
2834:4217(1383) ack 2671 win 9120 <nop,nop,timestamp 2178980435 633550082>
18:06:44.942243 IP 192.168.16.2.ssh > 192.168.0.31.50941: . 
2834:4217(1383) ack 2671 win 9120 <nop,nop,timestamp 2178980435 633550082>
18:06:49.620013 IP server.biz > p5080CFB7.dip0.t-ipconnect.de: 
ESP(spi=0xd880e707,seq=0xb0)
18:06:49.628172 IP server.biz > p5080CFB7.dip0.t-ipconnect.de: esp
18:06:49.628172 IP 192.168.16.2.ssh > 192.168.0.31.50941: . 
2834:4217(1383) ack 2671 win 9120 <nop,nop,timestamp 2178985123 633550082>
...

Regards

Bernd Weber
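
A small log-analysis helper for captures like the one in this post, added here as an example and not part of the original message: it collapses the cleartext lines that tcpdump prints twice and lists the TCP segments the peer keeps re-sending, with the time between sightings. Function names are illustrative; the sample lines are taken from the capture above, with wrapped lines re-joined and the TCP timestamp option trimmed.

```python
import re
from collections import defaultdict

# Lines copied from the capture in the post: wrapped lines re-joined and the
# TCP timestamp option trimmed for width.
CAPTURE = """\
18:06:40.413299 IP server.biz > p5080CFB7.dip0.t-ipconnect.de: ESP(spi=0xd880e707,seq=0xa5)
18:06:40.413299 IP 192.168.16.2.ssh > 192.168.0.31.50941: P 2786:2834(48) ack 2671 win 9120
18:06:40.413299 IP 192.168.16.2.ssh > 192.168.0.31.50941: P 2786:2834(48) ack 2671 win 9120
18:06:40.477491 IP 192.168.16.2.ssh > 192.168.0.31.50941: . 2834:4282(1448) ack 2671 win 9120
18:06:40.477491 IP 192.168.16.2.ssh > 192.168.0.31.50941: . 2834:4282(1448) ack 2671 win 9120
18:06:40.508501 IP 192.168.16.2.ssh > 192.168.0.31.50941: . 2834:4217(1383) ack 2671 win 9120
18:06:40.508501 IP 192.168.16.2.ssh > 192.168.0.31.50941: . 2834:4217(1383) ack 2671 win 9120
18:06:40.841939 IP 192.168.16.2.ssh > 192.168.0.31.50941: . 2834:4217(1383) ack 2671 win 9120
18:06:40.841939 IP 192.168.16.2.ssh > 192.168.0.31.50941: . 2834:4217(1383) ack 2671 win 9120
18:06:41.427531 IP 192.168.16.2.ssh > 192.168.0.31.50941: . 2834:4217(1383) ack 2671 win 9120
18:06:41.427531 IP 192.168.16.2.ssh > 192.168.0.31.50941: . 2834:4217(1383) ack 2671 win 9120
18:06:42.597802 IP 192.168.16.2.ssh > 192.168.0.31.50941: . 2834:4217(1383) ack 2671 win 9120
18:06:42.597802 IP 192.168.16.2.ssh > 192.168.0.31.50941: . 2834:4217(1383) ack 2671 win 9120
""".splitlines()

# time, src, dst, TCP flags field, then first:last(length)
SEG = re.compile(r"^(\d+):(\d+):(\d+\.\d+) IP (\S+) > (\S+): \S+ (\d+):(\d+)\((\d+)\)")

def dedupe(lines):
    """Collapse consecutive identical lines (same timestamp, same text)."""
    kept = []
    for line in lines:
        if not kept or kept[-1] != line:
            kept.append(line)
    return kept

def resent_segments(lines):
    """Map (first_seq, last_seq) -> capture times, for ranges seen more than once."""
    seen = defaultdict(list)
    for line in dedupe(lines):
        m = SEG.match(line)
        if m:  # ESP lines carry no sequence range and are skipped
            secs = int(m[1]) * 3600 + int(m[2]) * 60 + float(m[3])
            seen[(int(m[6]), int(m[7]))].append(secs)
    return {rng: times for rng, times in seen.items() if len(times) > 1}

def gaps(times):
    """Seconds between successive sightings of the same segment."""
    return [round(b - a, 6) for a, b in zip(times, times[1:])]

if __name__ == "__main__":
    print(len(CAPTURE), "lines,", len(dedupe(CAPTURE)), "after de-duplication")
    for (first, last), times in resent_segments(CAPTURE).items():
        print(f"{first}:{last} ({last - first} bytes) seen {len(times)}x, gaps {gaps(times)}")
```

On these lines the only range reported is 2834:4217, and the interval between its last sightings roughly doubles each time.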









