[Openswan Users] Problems with multiple VPN tunnels and RoadWarrios

John A. Sullivan III jsullivan at opensourcedevel.com
Wed Sep 7 11:37:17 CEST 2005


On Wed, 2005-09-07 at 13:49 +0200, Andrej Trobentar wrote:
> 
> John A. Sullivan III wrote:
> >
> > Ah, interesting.  So I wonder if the problem is large file transfers or
> > large packets.  You said that you could successfully ping.  What happens
> > if you ping with a large packet size (ping -s or -l depending on your
> > OS)? Do you break immediately? - John
> 
> Hello John,
> 
> First of all many thanks for your fast help!
> 
> Here's my test:
> 
> 1) Only roadwarrior active
> - "ping <internal server>" OK
> - "ping -l 10240 <internal server>" OK
> 
> Here's the trace:
> 13:39:02.049680 192.168.3.2 > 192.168.15.50: icmp: echo request
> 13:39:02.050144 192.168.15.50 > 192.168.3.2: icmp: echo reply
> 13:39:03.049816 192.168.3.2 > 192.168.15.50: icmp: echo request
> 13:39:03.050275 192.168.15.50 > 192.168.3.2: icmp: echo reply
> 13:39:04.054154 192.168.3.2 > 192.168.15.50: icmp: echo request
> 13:39:04.054622 192.168.15.50 > 192.168.3.2: icmp: echo reply
> 13:39:05.047823 192.168.3.2 > 192.168.15.50: icmp: echo request
> 13:39:05.048300 192.168.15.50 > 192.168.3.2: icmp: echo reply
> 
> 
> 2) Roadwarrior active, static tunnel active
> - "ping <internal server>" OK
> - "ping -l 10240 <internal server>" FAILED
> 
> Here's the trace:
> 13:39:10.827497 192.168.3.2 > 192.168.15.50: icmp: echo request (frag 16076:1376 at 0+)
> 13:39:11.275483 192.168.3.2 > 192.168.15.50: (frag 16076:1376 at 1376+)
> 13:39:11.730919 192.168.3.2 > 192.168.15.50: (frag 16076:1376 at 2752+)
> 13:39:12.184639 192.168.3.2 > 192.168.15.50: (frag 16076:1376 at 4128+)
> 13:39:12.653270 192.168.3.2 > 192.168.15.50: (frag 16076:1376 at 5504+)
> 13:39:13.100017 192.168.3.2 > 192.168.15.50: (frag 16076:1376 at 6880+)
> 13:39:13.530420 192.168.3.2 > 192.168.15.50: (frag 16076:1376 at 8256+)
> 13:39:13.743678 192.168.3.2 > 192.168.15.50: (frag 16076:616 at 9632)
> 
> 
> So it has something to do with the size. The static tunnel works without
> problems (even large pings). Any other ideas? Please tell me if you need
> any more info.
<snip>
Bizarre! At least we're getting closer. So we know it is a fragmentation
problem.  However, what changes when the LAN-to-LAN tunnel is activated?
Does it run any special updown script that manipulates fragments?

Let me see if I understand this trace correctly.  It mystifies me that
the change appears to be on the client side.  So you first do a large
ping without the LAN-to-LAN tunnel up.  Why does your trace not show the
fragments? Then you trace with the L2L tunnel up and we see the
fragments show up in the trace but no response from the remote side.  Is
this all correct?
-- 
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com

If you would like to participate in the development of an open source
enterprise class network security management system, please visit
http://iscs.sourceforge.net
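To check that reading of the trace mechanically, here is an added Python script (not from the thread) that parses the two tcpdump excerpts quoted above: it counts echo requests that got no reply and verifies that the eight fragments of IP id 16076 reassemble contiguously into a complete 10248-byte ICMP datagram, i.e. the 10240 bytes of `ping -l 10240` plus the 8-byte ICMP echo header. It assumes the tcpdump 3.x line format shown in the quoted trace.

```python
import re

# Constructed sample input: the two tcpdump excerpts quoted in the thread (wrapped line rejoined).
TRACE_OK = """\
13:39:02.049680 192.168.3.2 > 192.168.15.50: icmp: echo request
13:39:02.050144 192.168.15.50 > 192.168.3.2: icmp: echo reply
13:39:03.049816 192.168.3.2 > 192.168.15.50: icmp: echo request
13:39:03.050275 192.168.15.50 > 192.168.3.2: icmp: echo reply
"""
TRACE_FAIL = """\
13:39:10.827497 192.168.3.2 > 192.168.15.50: icmp: echo request (frag 16076:1376 at 0+)
13:39:11.275483 192.168.3.2 > 192.168.15.50: (frag 16076:1376 at 1376+)
13:39:11.730919 192.168.3.2 > 192.168.15.50: (frag 16076:1376 at 2752+)
13:39:12.184639 192.168.3.2 > 192.168.15.50: (frag 16076:1376 at 4128+)
13:39:12.653270 192.168.3.2 > 192.168.15.50: (frag 16076:1376 at 5504+)
13:39:13.100017 192.168.3.2 > 192.168.15.50: (frag 16076:1376 at 6880+)
13:39:13.530420 192.168.3.2 > 192.168.15.50: (frag 16076:1376 at 8256+)
13:39:13.743678 192.168.3.2 > 192.168.15.50: (frag 16076:616 at 9632)
"""
# tcpdump 3.x line: "<ts> <src> > <dst>: [icmp: echo request|reply] [(frag id:size at off[+])]"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+) > (?P<dst>[\d.]+): ?"
    r"(?:icmp: echo (?P<kind>request|reply))? ?"
    r"(?:\(frag (?P<id>\d+):(?P<size>\d+) at (?P<off>\d+)(?P<more>\+?)\))?$"
)
ICMP_ECHO_HDR = 8  # ICMP header bytes in front of the ping data

def analyze(trace):
    """Count echo requests/replies; check each fragmented datagram (by IP id) is contiguous
    from offset 0 to a final fragment without the more-fragments '+' flag."""
    requests = replies = 0
    frags = {}
    for line in trace.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        requests += m["kind"] == "request"
        replies += m["kind"] == "reply"
        if m["id"]:
            frags.setdefault(int(m["id"]), []).append(
                (int(m["off"]), int(m["size"]), m["more"] == "+"))
    fragmented = {}
    for ip_id, pieces in frags.items():
        pieces.sort()  # by fragment offset
        expect, complete = 0, (pieces[0][0] == 0 and not pieces[-1][2])
        for off, size, more in pieces:
            complete = complete and off == expect  # no gap before this fragment
            expect = off + size
        fragmented[ip_id] = {"fragments": len(pieces), "bytes": expect,
                             "ping_data": expect - ICMP_ECHO_HDR, "complete": complete}
    return {"requests": requests, "replies": replies,
            "unanswered": requests - replies, "fragmented": fragmented}
```

With the roadwarrior-only excerpt it reports two answered requests and no fragments; with the L2L tunnel up it reports one complete fragmented request and no reply, which is exactly the asymmetry John asks about.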


