[Openswan Users] Fragmentation issue

Emmanuel ROGER emmanuel.roger at gmail.com
Thu Aug 25 19:08:59 CEST 2005


Hi list,

I established a VPN between a Netgear router and an Openswan (2.3.1-1) box;
everything works OK except for a fragmentation issue that seems to happen on
the OpenSWAN side.

Here's the network configuration :



Client1          Openswan                    Netgear FWAG114                   Client2
192.168.3.2 ---  192.168.3.252 (eth1)
                 192.168.2.252 (eth0)  <-->  192.168.2.128 (Internet Port)
                                             10.10.250.1 (Lan Port)     ---  10.10.250.10



I scanned eth0 and eth1 on the openswan server, while pinging Client2
from Client1 with 1472-byte packets (greater than the tunnel MTU) to force
fragmentation and reassembly on the two tunnel endpoints.

What we're expecting to see is openswan fragmenting the ICMP request and
sending it to the netgear, which reassembles it before transmitting to
Client2, and the symmetric behaviour on the return.

This is what we observed for about the first 15 pings that go through
the tunnel. Then the next ping packets are just dropped by openSWAN
instead of being fragmented.

OpenSWAN logs don't show any error, and the problem remains on the
OpenSWAN side if we ping Client1 from Client2. The experiment was
reproduced again and again with the same results. We also replaced the
tunnel by a classic link, but with a low MTU to force fragmentation, and it
worked OK, so we assume that it's really an issue with our OpenSWAN.

Another strange thing is that sometimes the fragmentation seems to
take a long time, as you can observe below. You will also find our
/etc/ipsec.conf. 

Did any of you encounter such an issue? How did you work around it?

Thanks for your help

Manu



Example of a ping between clients :

$ ping -s 1472 -M dont 10.10.250.10
PING 10.10.250.10 (10.10.250.10) 1472(1500) bytes of data.
1480 bytes from 10.10.250.10: icmp_seq=1 ttl=127 time=21.2 ms
1480 bytes from 10.10.250.10: icmp_seq=2 ttl=127 time=19.4 ms
1480 bytes from 10.10.250.10: icmp_seq=3 ttl=127 time=19.2 ms
1480 bytes from 10.10.250.10: icmp_seq=4 ttl=127 time=598 ms <---------
1480 bytes from 10.10.250.10: icmp_seq=5 ttl=127 time=19.6 ms
1480 bytes from 10.10.250.10: icmp_seq=6 ttl=127 time=19.4 ms
1480 bytes from 10.10.250.10: icmp_seq=7 ttl=127 time=18.8 ms
1480 bytes from 10.10.250.10: icmp_seq=8 ttl=127 time=18.6 ms
1480 bytes from 10.10.250.10: icmp_seq=9 ttl=127 time=19.0 ms
1480 bytes from 10.10.250.10: icmp_seq=10 ttl=127 time=1018 ms <-------
1480 bytes from 10.10.250.10: icmp_seq=11 ttl=127 time=20.3 ms
1480 bytes from 10.10.250.10: icmp_seq=12 ttl=127 time=19.0 ms
1480 bytes from 10.10.250.10: icmp_seq=13 ttl=127 time=1018 ms <------
1480 bytes from 10.10.250.10: icmp_seq=14 ttl=127 time=591 ms <-----
1480 bytes from 10.10.250.10: icmp_seq=15 ttl=127 time=19.6 ms
1480 bytes from 10.10.250.10: icmp_seq=16 ttl=127 time=19.5 ms

--- 10.10.250.10 ping statistics ---
199 packets transmitted, 16 received, 91% packet loss, time 197983ms
rtt min/avg/max/mdev = 18.628/216.383/1018.966/357.090 ms, pipe 2






Server Configuration :
Debian Sarge, kernel 2.6.11.9
Openswan 2.3.1-1

/etc/ipsec.conf :
---------------
version 2.0

# basic configuration
config setup
	klipsdebug=none
	plutodebug=all
	plutostderrlog="/var/log/openswan.log"
	nat_traversal=yes

conn %default
	type=tunnel
	left=192.168.2.252
	leftnexthop=%defaultroute
	right=%any
	auto=add

# Add connections here
conn net2net
	keyexchange=ike
	authby=secret
	auth=esp
	pfs=yes
	rekey=yes
	leftid=vpnserver at hotbox.ibrowse.com
	leftsubnet=0.0.0.0/0
	rightid=office at hotbox.ibrowse.com
	rightsubnet=10.10.250.0/24
	auto=add

#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf


-- 
Emmanuel ROGER
Master Pro R.A.D.I [Please no HTML, I'm not a browser]
University Of Caen (France) [Pas d'HTML, je ne suis pas un navigateur]
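As an added example (not part of the post above), a small Python script that parses ping output in the format quoted in the post and flags automatically what the author marked by hand: sequence numbers that were never answered (the dropped packets) and RTT outliers relative to the median (the slow fragmentation cases). The sample input is the post's own ping run with the archive's link residue removed.

```python
import re
import statistics
# Sample constructed from the ping run quoted in the post (link residue removed).
SAMPLE_OUTPUT = """\
PING 10.10.250.10 (10.10.250.10) 1472(1500) bytes of data.
1480 bytes from 10.10.250.10: icmp_seq=1 ttl=127 time=21.2 ms
1480 bytes from 10.10.250.10: icmp_seq=2 ttl=127 time=19.4 ms
1480 bytes from 10.10.250.10: icmp_seq=3 ttl=127 time=19.2 ms
1480 bytes from 10.10.250.10: icmp_seq=4 ttl=127 time=598 ms
1480 bytes from 10.10.250.10: icmp_seq=5 ttl=127 time=19.6 ms
1480 bytes from 10.10.250.10: icmp_seq=6 ttl=127 time=19.4 ms
1480 bytes from 10.10.250.10: icmp_seq=7 ttl=127 time=18.8 ms
1480 bytes from 10.10.250.10: icmp_seq=8 ttl=127 time=18.6 ms
1480 bytes from 10.10.250.10: icmp_seq=9 ttl=127 time=19.0 ms
1480 bytes from 10.10.250.10: icmp_seq=10 ttl=127 time=1018 ms
1480 bytes from 10.10.250.10: icmp_seq=11 ttl=127 time=20.3 ms
1480 bytes from 10.10.250.10: icmp_seq=12 ttl=127 time=19.0 ms
1480 bytes from 10.10.250.10: icmp_seq=13 ttl=127 time=1018 ms
1480 bytes from 10.10.250.10: icmp_seq=14 ttl=127 time=591 ms
1480 bytes from 10.10.250.10: icmp_seq=15 ttl=127 time=19.6 ms
1480 bytes from 10.10.250.10: icmp_seq=16 ttl=127 time=19.5 ms
--- 10.10.250.10 ping statistics ---
199 packets transmitted, 16 received, 91% packet loss, time 197983ms
"""
# One regex per line type: an echo reply line and the summary line.
REPLY_RE = re.compile(r"icmp_seq=(\d+) ttl=\d+ time=([\d.]+) ms")
STATS_RE = re.compile(r"(\d+) packets transmitted, (\d+) received")

def analyse_ping(output, spike_factor=5.0):
    """Return replies seen, unanswered sequence numbers, RTT spikes (more than
    spike_factor times the median) and loss % computed as ping does (truncated)."""
    replies, transmitted, received = {}, None, None
    for line in output.splitlines():
        m = REPLY_RE.search(line)
        if m:
            replies[int(m.group(1))] = float(m.group(2))
            continue
        m = STATS_RE.search(line)
        if m:
            transmitted, received = int(m.group(1)), int(m.group(2))
    median = statistics.median(replies.values()) if replies else 0.0
    spikes = {seq: rtt for seq, rtt in sorted(replies.items())
              if rtt > spike_factor * median}
    # Sequence numbers run 1..transmitted; any number without a reply was lost.
    last = transmitted or (max(replies) if replies else 0)
    missing = [seq for seq in range(1, last + 1) if seq not in replies]
    loss = (transmitted - received) * 100 // transmitted if transmitted else None
    return {"replies": len(replies), "median_ms": median,
            "spikes": spikes, "missing": missing, "loss_pct": loss}
```

Run against the sample it reports seqs 4, 10, 13 and 14 as spikes and 17..199 as unanswered, matching the arrows and the 91% loss in the post.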