ipsec tunnels & packet length issues
Eric Masson
e-masson at kisoft-services.com
Fri Oct 24 08:27:53 PDT 2003

Hello,
I'm facing a problem with the following setup:
                    +-----------------+ DMZ +----+ LAN +------+
  Internet ---------+ Tunnel Endpoint +-----+ Fw +-----+ Host |
                    +-----------------+     +----+     +------+
"Tunnel Endpoint" : FreeBSD 4.8-RELEASE with fastipsec on a NET4801
"Fw"              : Firewall 1
"Host"            : Any host (tested with FreeBSD 5.1-CURRENT, Linux RH9)
When I connect to "Host" in "LAN" from a box connected to the other
end of a tunnel managed by "Tunnel Endpoint", the following happens:
- when the return traffic consists of small packets, everything works fine
- when the return traffic consists of LAN-MTU-sized packets, the connection freezes.
From a tcpdump on the DMZ interface of "Tunnel Endpoint", traffic from
"Host" arrives fine.
Traffic on the "Internet" interface differs depending on the size of the packets
coming from "Host":
- small packets: ESP tunnel packets with the correct SPI flow out
- LAN-MTU-sized packets: ESP tunnel packet fragments flow out
If I reduce the LAN interface MTU on "Host" to approximately 1450, the
tunnel works fine, so it seems that "Tunnel Endpoint" can't correctly
process packets with a size of 1500 bytes.
If more information regarding this issue is needed, just ask.
Is this a known issue?
Apart from playing with the MTU, is there a fix?
TIA
Regards
Eric Masson
-- 
 Warning: any message directed against a mediabarre user will be
 reported to the competent authorities
 -+- Idiot in <http://www.le-gnu.net> : Non-farting jerk reported.
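The size arithmetic behind the fragmentation described in this post, as an added example that is not part of the original message or of FreeBSD's fastipsec code. It assumes a tunnel-mode ESP SA using 3DES-CBC with HMAC-SHA1-96, which the post does not state, and a plain IPv4 outer header with no options.

```python
"""ESP tunnel-mode encapsulation sizes (added example, not from the post).

Assumed SA: 3DES-CBC (8-byte cipher block, 8-byte IV) with HMAC-SHA1-96
(12-byte ICV). Change EspSa fields to model a different SA.
"""
from dataclasses import dataclass

OUTER_IP_HDR = 20   # new outer IPv4 header added in tunnel mode, no options
ESP_HDR = 8         # SPI (4 bytes) + sequence number (4 bytes)
ESP_TRAILER = 2     # pad length (1 byte) + next header (1 byte)


@dataclass(frozen=True)
class EspSa:
    block: int  # cipher block size; payload+trailer is padded to a multiple
    iv: int     # IV length carried in front of the encrypted payload
    icv: int    # integrity check value length appended after the trailer


# Assumed SA for this example (3DES-CBC / HMAC-SHA1-96).
SA_3DES_SHA1 = EspSa(block=8, iv=8, icv=12)


def esp_tunnel_size(inner_len: int, sa: EspSa) -> int:
    """Outer datagram length produced by encapsulating an inner packet."""
    body = inner_len + ESP_TRAILER          # inner IP packet + ESP trailer
    pad = (-body) % sa.block                # bring body up to a block multiple
    return OUTER_IP_HDR + ESP_HDR + sa.iv + body + pad + sa.icv


def needs_fragmentation(inner_len: int, sa: EspSa, outer_mtu: int = 1500) -> bool:
    """True if the ESP packet exceeds the outer interface MTU and must be split."""
    return esp_tunnel_size(inner_len, sa) > outer_mtu


def max_inner_len(sa: EspSa, outer_mtu: int = 1500) -> int:
    """Largest inner packet whose encapsulation still fits in outer_mtu."""
    fixed = OUTER_IP_HDR + ESP_HDR + sa.iv + sa.icv
    room = (outer_mtu - fixed) // sa.block * sa.block   # padded body must fit
    return room - ESP_TRAILER


if __name__ == "__main__":
    for n in (100, 1446, 1447, 1500):
        print(f"inner {n:4d} -> outer {esp_tunnel_size(n, SA_3DES_SHA1):4d}"
              f" fragment={needs_fragmentation(n, SA_3DES_SHA1)}")
    print("largest inner packet without fragmentation:",
          max_inner_len(SA_3DES_SHA1))
```

With this assumed SA a 1500-byte inner packet becomes a 1552-byte ESP packet, so the outer interface has to fragment it, while anything up to 1446 bytes fits; the exact ceiling moves with the cipher block size, IV and ICV lengths of the real SA.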