[Openswan Users] netkey debugging
gresko at thr.sk
Thu Aug 21 10:48:39 EDT 2008
On Thu 21 August 2008 Marek Greško wrote:
> is there a way to debug netkey stack?
> I have an ISP that clears df bit of my IP packet containing ESP packet and
> fragments it. I see two fragments going into the openswan gateway by
> tcpdump, but then the packet is suddenly lost and I don't know why.
> I tried to disable the firewall with no luck.
> Defragmentation works, since when I send big pings to the machine (not
> through the IPsec tunnel) it receives two fragments, and responds to the ping.
> Any help appreciated.
> Thank you.
I am sending further observations.
I discovered there was a bug in earlier kernels:
It seems to me that the fix throws away the packets if the first fragment is
small. Looking at tcpdump:
16:43:38.005539 IP (tos 0x0, ttl 59, id 0, offset 0, flags [+], proto ESP
(50), length 44) x.x.x.y > y.y.y.z: ESP(spi=0xe7e9d96d,seq=0x11d), length 24
16:43:38.009020 IP (tos 0x0, ttl 59, id 0, offset 24, flags [none], proto ESP
(50), length 1472) x.x.x.y > y.y.y.z: esp
... you can see the first fragment is small (24 bytes). Could this be the
issue? Do I understand correctly that small first fragments are thrown away?
Is a size of 24 bytes really so small that it meets the condition?
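The two tcpdump lines above, rebuilt as constructed IPv4 fragments and fed through a minimal reassembler, as an added example that is not part of the original post. It shows what the tcpdump fields mean on the wire (the fragment-offset field counts 8-byte units, so "offset 24" is a field value of 3, and "flags [+]" is the MF bit), and it checks whether the 24-byte first fragment at least contains the 8-byte ESP header (SPI and sequence number, RFC 4303). The addresses, the ESP body bytes and the zeroed checksum are placeholders; it says nothing about what condition the kernel actually applies, which the post leaves open.

```python
"""Added example (not the original post's code): rebuild the two fragments
from the tcpdump output, reassemble them as an IPv4 stack would, and report
what the first fragment carries. Addresses, ESP body and checksum are
placeholders; only lengths, offsets, flags, SPI and seq come from the post."""
import struct

IPPROTO_ESP = 50
ESP_HDR_LEN = 8  # SPI (4 bytes) + sequence number (4 bytes), RFC 4303


def ipv4_header(total_len, ident, mf, frag_off_bytes, proto, src, dst, ttl=59):
    """Minimal 20-byte IPv4 header. The offset is given in bytes and must be
    a multiple of 8 because the fragment-offset field counts 8-byte units."""
    assert frag_off_bytes % 8 == 0
    flags_frag = ((1 if mf else 0) << 13) | (frag_off_bytes // 8)  # MF is bit 13
    return struct.pack("!BBHHHBBH4s4s",
                       0x45, 0, total_len, ident, flags_frag, ttl, proto,
                       0,  # header checksum left zero: irrelevant for reassembly
                       bytes(map(int, src.split("."))),
                       bytes(map(int, dst.split("."))))


def build_fragments():
    """The two fragments seen in the post: first carries 24 payload bytes
    (IP length 44, MF set), second starts at byte offset 24 (IP length 1472)."""
    spi, seq = 0xE7E9D96D, 0x11D
    esp = struct.pack("!II", spi, seq) + bytes(1476 - ESP_HDR_LEN)  # constructed body
    src, dst = "192.0.2.1", "198.51.100.1"  # placeholders for x.x.x.y / y.y.y.z
    first = ipv4_header(20 + 24, 0, True, 0, IPPROTO_ESP, src, dst) + esp[:24]
    second = ipv4_header(20 + len(esp) - 24, 0, False, 24, IPPROTO_ESP, src, dst) + esp[24:]
    return [first, second]


def parse_fragment(pkt):
    """Pull id, protocol, MF flag, byte offset and payload out of one IPv4 packet."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len, ident, flags_frag = struct.unpack("!HHH", pkt[2:8])
    return {"ident": ident, "proto": pkt[9], "mf": bool(flags_frag & 0x2000),
            "offset": (flags_frag & 0x1FFF) * 8, "payload": pkt[ihl:total_len]}


def reassemble(fragments):
    """Reassemble the fragments of one datagram (same id/proto assumed).
    Returns the payload, or None while a hole remains (the RFC 815 idea)."""
    frags = sorted((parse_fragment(p) for p in fragments), key=lambda f: f["offset"])
    buf = bytearray()
    for f in frags:
        if f["offset"] != len(buf):  # gap or overlap: datagram not complete
            return None
        buf += f["payload"]
    return bytes(buf) if frags and not frags[-1]["mf"] else None


def first_fragment_report(fragments):
    """Length of the offset-0 fragment's payload and whether the 8-byte ESP
    header (SPI + seq) lies entirely inside it."""
    first = next(f for f in map(parse_fragment, fragments) if f["offset"] == 0)
    n = len(first["payload"])
    spi, seq = struct.unpack("!II", first["payload"][:8]) if n >= ESP_HDR_LEN else (None, None)
    return {"first_len": n, "has_esp_header": n >= ESP_HDR_LEN, "spi": spi, "seq": seq}


if __name__ == "__main__":
    frags = build_fragments()
    print(first_fragment_report(frags))
    print("reassembled ESP length:", len(reassemble(frags)))
```

With these two fragments the reassembled ESP datagram is 1476 bytes and the first fragment holds the complete SPI and sequence number (24 bytes is three times the ESP header), so whatever threshold the kernel applies, it is not "too short to read the ESP header". Dropping the first fragment from the input makes `reassemble` return None, which is the hole case a stack waits on before giving up.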