[Openswan Users] netkey debugging

Marek Greško gresko at thr.sk
Thu Aug 21 10:48:39 EDT 2008

On Thu 21 August 2008 Marek Greško wrote:
> Hello,
> is there a way to debug the netkey stack?
> I have an ISP that clears the DF bit of my IP packet containing an ESP packet and
> fragments it. I see two fragments going into the openswan gateway by
> tcpdump, but then the packet is suddenly lost and I don't know why.
> I tried to disable the firewall with no luck.
> Defragmentation works, since when I send big pings to the machine (not
> through the IPsec tunnel) it receives two fragments, and responds to the ping.
> Any help appreciated.
> Thank you.
> M.

I am sending further observations.

I discovered there was a bug in earlier kernels:

The fix seems to me to throw away the packets if the first fragment is
small. Looking at tcpdump:

16:43:38.005539 IP (tos 0x0, ttl 59, id 0, offset 0, flags [+], proto ESP (50), length 44) x.x.x.y > y.y.y.z: ESP(spi=0xe7e9d96d,seq=0x11d), length 24
16:43:38.009020 IP (tos 0x0, ttl 59, id 0, offset 24, flags [none], proto ESP (50), length 1472) x.x.x.y > y.y.y.z: esp

... you can see the first fragment is small (24 bytes). Could this be the
issue? Do I understand correctly that small first fragments are thrown away?
Is 24 bytes really so small that it triggers the condition?

Thank you.


Marek Greško
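As an added illustration (not part of Marek's post or of Openswan), the Python below parses the two tcpdump records quoted above and checks whether the fragment train is internally consistent: that the fragments are contiguous, that the last one has the More-Fragments bit clear, and that the first fragment carries at least the 8-byte ESP header (SPI plus sequence number, RFC 4303). The sample text reproduces the post's two lines with the mail wrapping removed; the 20-byte IPv4 header assumption and the helper names are mine.

```python
import re
from dataclasses import dataclass

# The two tcpdump records from the post, joined onto one line each.
SAMPLE = """16:43:38.005539 IP (tos 0x0, ttl 59, id 0, offset 0, flags [+], proto ESP (50), length 44) x.x.x.y > y.y.y.z: ESP(spi=0xe7e9d96d,seq=0x11d), length 24
16:43:38.009020 IP (tos 0x0, ttl 59, id 0, offset 24, flags [none], proto ESP (50), length 1472) x.x.x.y > y.y.y.z: esp"""

IPV4_HDR = 20  # assumption: no IP options, so each fragment has a 20-byte IP header
ESP_HDR = 8    # SPI (4 bytes) + sequence number (4 bytes), RFC 4303

# Pull id, offset, flags, protocol and total length out of tcpdump's IP summary.
LINE_RE = re.compile(
    r"id (\d+), offset (\d+), flags \[([^\]]*)\], proto (\w+) \(\d+\), length (\d+)\)"
)

@dataclass
class Frag:
    ident: int
    offset: int   # tcpdump already prints the offset in bytes (header field * 8)
    more: bool    # '+' in flags means the More-Fragments bit is set
    payload: int  # bytes of the original datagram carried by this fragment

def parse(text):
    """Parse tcpdump IP lines into Frag records sorted by fragment offset."""
    frags = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        ident, offset, flags, _proto, length = m.groups()
        frags.append(Frag(int(ident), int(offset), "+" in flags, int(length) - IPV4_HDR))
    return sorted(frags, key=lambda f: f.offset)

def check(frags):
    """Sanity-check one fragment train; returns a dict of findings."""
    result = {"contiguous": True, "first_has_esp_header": False, "total_payload": 0}
    expected = 0
    for f in frags:
        if f.offset != expected:      # gap or overlap between fragments
            result["contiguous"] = False
        expected = f.offset + f.payload
    result["total_payload"] = expected
    if frags and frags[0].offset == 0:
        result["first_has_esp_header"] = frags[0].payload >= ESP_HDR
    result["last_has_mf_clear"] = bool(frags) and not frags[-1].more
    return result

if __name__ == "__main__":
    print(check(parse(SAMPLE)))
```

For the post's capture the train is contiguous, the 24-byte first fragment comfortably covers the ESP header, and the reassembled ESP payload is 1476 bytes, so a drop here points at the receiving stack's fragment handling rather than at damaged or incomplete fragments on the wire.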
