ipsec tunnels & packet length issues
Eric Masson
e-masson at kisoft-services.com
Fri Oct 24 08:27:53 PDT 2003
Hello,
I'm facing a problem with the following setup:

                 +-----------------+ DMZ +----+ LAN +------+
Internet --------+ Tunnel Endpoint +-----+ Fw +-----+ Host |
                 +-----------------+     +----+     +------+

"Tunnel Endpoint": FreeBSD 4.8-RELEASE with fastipsec on a NET4801
"Fw": Firewall 1
"Host": Any host (tested with FreeBSD 5.1-CURRENT, Linux RH9)
When I'm connecting to "Host" in "LAN" from a box connected to the other
end of a tunnel managed by "Tunnel Endpoint", the following happens:
- back traffic is composed of small sized packets: everything works fine
- back traffic is composed of LAN MTU sized packets: connection freezes.
From a tcpdump on the DMZ interface of "Tunnel Endpoint", traffic from
"Host" comes fine.
Traffic on the "Internet" interface differs depending on the size of packets
coming from "Host":
- small sized packets: ESP tunnel packets with correct SPI flow out
- LAN MTU sized packets: ESP tunnel packet frags
If I reduce the LAN interface MTU on "Host" to approximately 1450, the
tunnel works fine, so it seems that "Tunnel Endpoint" can't process
correctly packets with a size of 1500 bytes.
If more information regarding this issue is needed, just ask.
Is this a known issue?
Except playing with MTU, is there a fix?
TIA
Regards
Eric Masson
--
Warning: any message directed against a mediabarre user will be
reported to the competent authorities
-+- Crétin in <http://www.le-gnu.net>: Non-farting idiot reported.
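As an added illustration that is not part of Eric's post: the overhead ESP tunnel mode adds to each inner packet explains why LAN-MTU-sized packets come out of the "Internet" interface as fragments while smaller ones do not. The figures below assume an IPv4 outer header and a representative transform set (8-byte IV, 8-byte cipher block, 12-byte ICV, as with 3DES-CBC plus HMAC-SHA1-96); the post does not say which transforms the tunnel actually uses, so those parameters are my assumptions and are adjustable.

```python
# Added example (not code from the original post or from FreeBSD):
# estimate the outer packet size produced by ESP tunnel mode so that
# fragmentation can be predicted from the inner MTU.
# Cipher parameters below are assumptions: 8-byte IV, 8-byte block,
# 12-byte ICV (e.g. 3DES-CBC with HMAC-SHA1-96).

OUTER_IP_HDR = 20   # new IPv4 header prepended in tunnel mode
ESP_HDR = 8         # SPI (4 bytes) + sequence number (4 bytes)
ESP_TRAILER = 2     # pad length (1 byte) + next header (1 byte)


def esp_tunnel_len(inner_len, iv_len=8, block=8, icv_len=12):
    """Size of the outer IPv4 packet carrying an inner packet of
    inner_len bytes in ESP tunnel mode (RFC 2406 / RFC 4303 layout).

    The inner packet plus the 2-byte trailer is padded up to a multiple
    of the cipher block size before encryption; the IV and ICV sit
    outside the padded region."""
    to_encrypt = inner_len + ESP_TRAILER
    padding = (-to_encrypt) % block
    return OUTER_IP_HDR + ESP_HDR + iv_len + to_encrypt + padding + icv_len


def fragments(inner_len, outer_mtu=1500, **transform):
    """True if the encapsulated packet would exceed the outer link MTU
    and therefore be split into IP fragments."""
    return esp_tunnel_len(inner_len, **transform) > outer_mtu


def max_inner_len(outer_mtu=1500, **transform):
    """Largest inner packet that still fits in outer_mtu unfragmented;
    this is the inner-interface MTU one would set to avoid fragments."""
    n = outer_mtu
    while esp_tunnel_len(n, **transform) > outer_mtu:
        n -= 1
    return n


def report(outer_mtu=1500, sizes=(64, 576, 1446, 1450, 1500), **transform):
    """Return (inner_len, outer_len, fragments?) rows for a set of
    constructed inner packet sizes; useful to eyeball before changing
    an MTU."""
    return [(s, esp_tunnel_len(s, **transform), fragments(s, outer_mtu, **transform))
            for s in sizes]


if __name__ == "__main__":
    for inner, outer, frag in report():
        print(f"inner {inner:5d} -> outer {outer:5d}  {'FRAG' if frag else 'ok'}")
    print("largest unfragmented inner packet:", max_inner_len())
```

With these assumptions a 1500-byte inner packet becomes 1552 bytes on the outer link and so must be fragmented, and the largest inner packet that fits is 1446 bytes, which matches the "approximately 1450" that made the tunnel work. The calculation only accounts for why fragments appear on the Internet side; it says nothing about why the far end fails to reassemble them, which is the actual fault being asked about.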