[Openswan Users] L2TP / IPSEC (certificate) with Cisco Systems, Inc./VPN 3000 Concentrator

[Ilia Sotnikov]

On 12/9/06, Dick <dm at chello.nl> wrote:
> I think my problem is related to the fragmentation, the Concentrator is crying
> (by icmp) about timed out fragments.
>
> On wiki.openswan.org
> (http://wiki.openswan.org/index.php/Openswan/DebuggingTcpdump) I've found the
> following statement: "Note that Linux sends the fragments *BEFORE* the initial
> fragment." which could explain why my connection is working from Windows but
> isn't working from Linux (there could be a crappy router in between).  But my
> tests didn't confirm this behaviour (or is openswan playing a fragmentation
> trick?)
>
> Fragmented ping seems to reply fine, maybe it is UDP related...

We've also seen such a behavior. The statement "..Linux sends the
fragments *BEFORE* the initial..." isn't true - initial fragment will
be first (when you look at sender side). What is worst is the possible
fragment reordering, and when it happened, receiver side could get
non-initial fragment first.

The fragmentation problem could affect Main Mode (perhaps the reason
in your case) because of certificate sending. Depending on RSA Key
size the packets could contain several fragments.

Unfortunately, I didn't have a time to identify why Openswan couldn't
receive Main Mode packets when non-initial fragment came first. From
TCP/IP stack's point of view that shouldn't happen, but...

We solved the problem using '{left,right}sendcert=never' on both sides
(of course, both ones use Openswan, I don't know if Cisco could
support that). It works reliable because of reduced UDP packet sizes.
You will have to place certificates on both side, what could have
negative impact when a lot of sites and connections involved.
Also, Cisco IOS firewall identifies UDP packets bigger than 1000 bytes
as 'UDP Bomb', signature 4050, so you will have to disable that
signature, completely or by access list.

Hope that helps,

-- 
 Ilia Sotnikov