FreeBSD 6.1 IPsec Path MTU Discovery

Tom Judge tom at tomjudge.com
Tue Nov 7 17:39:42 UTC 2006


Hi,

I am seeing some problems with IPsec encrypted gif 
tunnels and path MTU discovery. 

It seems that the router with the IPsec tunnel sends an ICMP need to 
frag packet with the next hop MTU set to 0. This causes ssh to 
retransmit the same packet without reducing the size of the data payload.

Is this a known problem? If so, are there any known workarounds?

Tom

Network Layout:

Box 1 --(lan)-- Router 1 --(lan)-- Router 2 --(IPsec tunnel)-- Router 3 
--(lan)-- Box 2

Box 1: FreeBSD 5.4
Router [123]: FreeBSD 6.1
Box 2: Linux 2.6



PING Test from box 1 to box 2 with do not fragment set and a packet 
larger than the path MTU:

box1# ping -s 1280 -D box2
PING box2 (10.0.0.79): 1280 data bytes
36 bytes from router1 (172.17.3.5): Redirect Host(New addr: 172.17.3.6)
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
 4  5  00 051c b454   0 0000  40  01 c9fc 172.17.1.48  10.0.0.79

36 bytes from router2 (172.17.3.6): frag needed and DF set (MTU 0)
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
 4  5  00 1c05 b454   0 0000  3f  01 cafc 172.17.1.48  10.0.0.79

36 bytes from router1 (172.17.3.5): Redirect Host(New addr: 172.17.3.6)
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
 4  5  00 051c b45f   0 0000  40  01 c9f1 172.17.1.48  10.0.0.79

36 bytes from router2 (172.17.3.6): frag needed and DF set (MTU 0)
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
 4  5  00 1c05 b45f   0 0000  3f  01 caf1 172.17.1.48  10.0.0.79

^C
--- box2 ping statistics ---
2 packets transmitted, 0 packets received, 100% packet loss

PING Test from box 1 to box 2 with do not fragment set and a packet 
smaller than the path MTU:

box1# ping -s 1200 -D box2
PING box2 (10.0.0.79): 1200 data bytes
36 bytes from router1 (172.17.3.5): Redirect Host(New addr: 172.17.3.6)
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
 4  5  00 04cc b472   0 0000  40  01 ca2e 172.17.1.48  10.0.0.79

1208 bytes from 10.0.0.79: icmp_seq=0 ttl=61 time=111.017 ms
36 bytes from router1 (172.17.3.5): Redirect Host(New addr: 172.17.3.6)
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
 4  5  00 04cc b479   0 0000  40  01 ca27 172.17.1.48  10.0.0.79

1208 bytes from 10.0.0.79: icmp_seq=1 ttl=61 time=110.419 ms
^C
--- box2 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max/stddev = 110.419/110.718/111.017/0.299 ms
box1#



Relevant interface configuration on box1 (from ifconfig):

em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        options=b<RXCSUM,TXCSUM,VLAN_MTU>
        inet 172.17.1.48 netmask 0xffff0000 broadcast 172.17.255.255
        ether 00:0f:1f:fa:d1:b5
        media: Ethernet autoselect (1000baseTX <full-duplex>)
        status: active



Relevant interface configuration on router2 (from ifconfig):

em0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        options=b<RXCSUM,TXCSUM,VLAN_MTU>
        inet 172.17.3.6 netmask 0xffff0000 broadcast 172.17.255.255
        ether 00:c0:9f:12:13:1b
        media: Ethernet autoselect (1000baseTX <full-duplex>)
        status: active
gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
        tunnel inet 63.174.175.252 --> 82.195.173.206
        inet 192.168.174.10 --> 192.168.174.9 netmask 0xfffffffc
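The following is an added example, not code from the original post or from FreeBSD: it decodes a 36-byte ICMP "frag needed" message like the ones router2 returns above and applies the RFC 1191 rule for choosing a new path MTU, including the fallback to the plateau table that a host must use when the next-hop MTU field is 0. The sample message is constructed here (embedded Len 0x051c for the 1280-byte ping); the inner header in router2's replies shows 1c05 instead, so the example also ignores an embedded length that is larger than the current estimate rather than trusting it.

```python
import struct

# RFC 1191 section 7.1 plateau table, descending; consulted when next-hop MTU is 0.
PLATEAUS = (65535, 32000, 17914, 8166, 4352, 2002, 1492, 1006, 508, 296, 68)


def parse_frag_needed(icmp: bytes):
    """Decode an ICMP type 3 / code 4 message.

    Returns (next_hop_mtu, embedded_total_len), or None if the message is not a
    fragmentation-needed error.
    """
    if len(icmp) < 8 + 20:
        raise ValueError("ICMP message too short to carry an embedded IP header")
    icmp_type, code, _cksum, _unused, next_hop_mtu = struct.unpack("!BBHHH", icmp[:8])
    if icmp_type != 3 or code != 4:
        return None
    inner = icmp[8:]
    version, ihl = inner[0] >> 4, (inner[0] & 0x0F) * 4
    if version != 4 or ihl < 20:
        raise ValueError("embedded header is not a valid IPv4 header")
    (total_len,) = struct.unpack("!H", inner[2:4])
    return next_hop_mtu, total_len


def next_pmtu(next_hop_mtu: int, embedded_len: int, current_pmtu: int) -> int:
    """Pick the new path MTU estimate as RFC 1191 section 5 describes.

    A nonzero next-hop MTU below the current estimate is used directly. A zero
    next-hop MTU (the case in the trace) falls back to the largest plateau below
    the embedded datagram length. The estimate never grows, and an embedded length
    above the current estimate cannot describe a packet this host sent, so it is
    ignored and the estimate is left unchanged.
    """
    if 0 < next_hop_mtu < current_pmtu:
        return next_hop_mtu
    if next_hop_mtu == 0 and 68 <= embedded_len <= current_pmtu:
        for plateau in PLATEAUS:
            if plateau < embedded_len:
                return plateau
    return current_pmtu


# Constructed sample: next-hop MTU 0, embedded IPv4 header with Len 0x051c
# (1308 = 1280 data + 8 ICMP + 20 IP), DF set, ttl 63, proto ICMP, checksum left 0,
# followed by the first 8 bytes of the original echo request. 36 bytes in total.
INNER_HDR = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 0x051C, 0xB454, 0x4000, 63, 1, 0,
                        bytes([172, 17, 1, 48]), bytes([10, 0, 0, 79]))
FRAG_NEEDED_MTU0 = struct.pack("!BBHHH", 3, 4, 0, 0, 0) + INNER_HDR + b"\x08\x00" + b"\x00" * 6

if __name__ == "__main__":
    mtu, length = parse_frag_needed(FRAG_NEEDED_MTU0)
    print(f"next-hop MTU {mtu}, embedded length {length}, new PMTU {next_pmtu(mtu, length, 1500)}")
```

With the 1500-byte em0 MTU as the starting estimate, the MTU-0 message drops the estimate to the 1006 plateau, so a conforming sender would retry with a smaller packet instead of resending the same 1308-byte one.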



