* [LARTC] problem with fragmenting (mtu/mss)
From: Tomas Bonnedahl @ 2002-11-13 12:34 UTC (permalink / raw)
  To: lartc

I have a setup that looks like this:

LAN <--> router <--> fw <--> internet

Both the router and the fw are Slackware with 2.4.5; the fw also has
IPsec tunnels using the freeswan software.

The problem is that the fw is continuously hanging when sending too large
packets through the tunnel; even a frame over 1400 bytes gets the fw to hang
(which it shouldn't: 40 bytes overhead for the IP and TCP header, and perhaps 20
bytes for the ESP header).

I have run out of options now, that's why I'm interested to hear your ideas.

The different areas in which I have tried to search for a solution to this problem are:
1. changing the MTU on the router to 1300 to send packets (fragmented with a small size)
to the fw and let it encrypt them
2. using iptables on the router to set the MSS on the SYN packets travelling _from_ the
IPsec network to our LAN (making our clients think that they have to use that MSS to send) to
everything from 500 to 1440 on the router.

An interactive session is able to go through the tunnel since those packets are
relatively small (40-100 bytes / packet), but using FTP to upload from our LAN is
impossible.

Does anyone have a clue what could cause this problem on the fw? I would feel "better" if
the packets just were not sent, or perhaps if the IPsec software crashed, but this..
wtf?

tomas bonnedahl
network administrator
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
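The MSS-clamping attempt in point 2 only works if the chosen MSS accounts for the ESP tunnel overhead, which depends on the cipher block size and ICV, not just a flat "20 bytes". The following is an added example (not code from the thread) that computes the encapsulated size of an inner packet in ESP tunnel mode, finds the largest inner packet that still fits a given path MTU, derives the MSS to clamp to, and prints the matching iptables TCPMSS rule. The AES-CBC (16-byte IV and block) and HMAC-SHA1-96 (12-byte ICV) parameters are assumptions; adjust them to the SA in use.

```python
# Added example, not from the thread: ESP tunnel-mode overhead and MSS clamping.
IPV4_HDR = 20
TCP_HDR = 20
ESP_SPI_SEQ = 8      # SPI (4 bytes) + sequence number (4 bytes), RFC 4303
ESP_TRAILER = 2      # pad length (1) + next header (1)

def esp_tunnel_size(inner_len, iv_len=16, block=16, icv_len=12):
    """Bytes on the wire for an inner IPv4 packet of inner_len bytes after ESP
    tunnel-mode encapsulation. iv_len/block assume AES-CBC and icv_len assumes
    HMAC-SHA1-96; both are assumptions, not values from the thread."""
    payload = inner_len + ESP_TRAILER
    padding = (-payload) % block          # plaintext is padded to the cipher block size
    return IPV4_HDR + ESP_SPI_SEQ + iv_len + payload + padding + icv_len

def max_inner_packet(path_mtu, **sa):
    """Largest inner packet whose encapsulated form still fits path_mtu."""
    n = path_mtu
    while n > 0 and esp_tunnel_size(n, **sa) > path_mtu:
        n -= 1
    return n

def mss_clamp(path_mtu, **sa):
    """TCP MSS to advertise so that a full-sized segment fits after encapsulation."""
    return max_inner_packet(path_mtu, **sa) - IPV4_HDR - TCP_HDR

def tcpmss_rule(mss):
    """iptables TCPMSS rule that rewrites the MSS option on forwarded SYNs."""
    return ("iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN "
            f"-j TCPMSS --set-mss {mss}")

if __name__ == "__main__":
    print(esp_tunnel_size(1500))      # a full 1500-byte inner packet becomes 1560 bytes
    print(mss_clamp(1500))            # 1398
    print(tcpmss_rule(mss_clamp(1500)))
```

With these assumed SA parameters an inner packet larger than 1438 bytes no longer fits a 1500-byte path, which is close to the "over 1400 bytes" threshold reported above; a clamp of 1440 would therefore still be too large for such a tunnel.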


* Re: [LARTC] problem with fragmenting (mtu/mss)
From: Vincent Jaussaud @ 2002-11-15 20:09 UTC (permalink / raw)
  To: lartc

Hi tomas,

On Wed, 2002-11-13 at 13:34, Tomas Bonnedahl wrote:
> I have a setup that looks like this:
> 
> LAN <--> router <--> fw <--> internet
> 
> Both the router and the fw are Slackware with 2.4.5; the fw also has
> IPsec tunnels using the freeswan software.
> 
> The problem is that the fw is continuously hanging when sending too large
> packets through the tunnel; even a frame over 1400 bytes gets the fw to hang
> (which it shouldn't: 40 bytes overhead for the IP and TCP header, and perhaps 20
> bytes for the ESP header).

I'm not sure, but I assume you are using some kind of tunnel, with NAT.

There is a bug in the Linux 2.4 kernel (up to 2.4.19) when sending ICMP
"fragmentation-needed" packets on a NAT box. E.g., the ICMP message does not
contain the right address; it contains the address of the unNAT'ed IP
instead, which is unknown to the client sending too-big packets.

I had a lot of network problems related to MTU/MSS as well, and after
applying the kernel patch, it worked fine.

You can find the patch here:
http://www.netfilter.org/security/2002-04-02-icmp-dnat.html

I'm not sure if it's related to your problem, but in case it helps...

Regards,
Vincent.
> 
> I have run out of options now, that's why I'm interested to hear your ideas.
> 
> The different areas in which I have tried to search for a solution to this problem are:
> 1. changing the MTU on the router to 1300 to send packets (fragmented with a small size)
> to the fw and let it encrypt them
> 2. using iptables on the router to set the MSS on the SYN packets travelling _from_ the
> IPsec network to our LAN (making our clients think that they have to use that MSS to send) to
> everything from 500 to 1440 on the router.
> 
> An interactive session is able to go through the tunnel since those packets are
> relatively small (40-100 bytes / packet), but using FTP to upload from our LAN is
> impossible.
> 
> Does anyone have a clue what could cause this problem on the fw? I would feel "better" if
> the packets just were not sent, or perhaps if the IPsec software crashed, but this..
> wtf?
> 
> tomas bonnedahl
> network administrator
-- 
Vincent Jaussaud <tatooin@kelkoo.com>
Kelkoo.com

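The failure mode Vincent describes is that the client receives an ICMP "fragmentation needed" message whose embedded original header names an address the client does not own, so the client's stack cannot attach the reported MTU to any connection and path MTU discovery silently stalls. The following is an added example (not code from the thread or the netfilter advisory) that builds a constructed ICMPv4 type 3/code 4 packet, parses it, and checks whether the embedded header is one the receiving host can act on; all addresses are constructed sample values.

```python
# Added example, not from the thread: parse ICMPv4 "fragmentation needed"
# (type 3, code 4) and check that the embedded original header belongs to us.
import struct
from ipaddress import IPv4Address

def build_frag_needed(src, dst, next_hop_mtu, inner_src, inner_dst):
    """Constructed sample packet (checksums left zero): outer IPv4 header,
    8-byte ICMP header, embedded inner IPv4 header and 8 bytes of TCP."""
    inner = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 1500, 0, 0x4000, 64, 6, 0,
                        IPv4Address(inner_src).packed, IPv4Address(inner_dst).packed)
    inner += struct.pack("!HHI", 40000, 21, 1)      # first 8 bytes of the TCP header
    icmp = struct.pack("!BBHHH", 3, 4, 0, 0, next_hop_mtu) + inner
    outer = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                        IPv4Address(src).packed, IPv4Address(dst).packed)
    return outer + icmp

def parse_frag_needed(packet):
    """Return (next_hop_mtu, embedded_src, embedded_dst) for an ICMP
    type 3 / code 4 packet, or None for anything else."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 1:                               # IPv4 protocol field: 1 = ICMP
        return None
    icmp = packet[ihl:]
    if len(icmp) < 8:
        return None
    itype, icode, _csum, _unused, mtu = struct.unpack("!BBHHH", icmp[:8])
    if (itype, icode) != (3, 4):
        return None
    inner = icmp[8:]
    if len(inner) < 28:                              # RFC 792: inner header + 8 bytes
        return None
    return mtu, IPv4Address(inner[12:16]), IPv4Address(inner[16:20])

def pmtud_error_usable(packet, host_addr):
    """True only if the embedded header names host_addr as the sender, which is
    what the host needs in order to match the error to one of its connections."""
    parsed = parse_frag_needed(packet)
    return parsed is not None and parsed[1] == IPv4Address(host_addr)
```

A mismatch between the outer destination and the embedded source on a LAN client is the symptom to look for in a capture when PMTUD across a NAT box appears to be a black hole.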


* Re: [LARTC] problem with fragmenting (mtu/mss)
From: Tomas Bonnedahl @ 2002-11-22 20:35 UTC (permalink / raw)
  To: lartc

Well, not really, actually. I tried with iptables version 1.2.7a (the latest at the time) but the compile didn't succeed on the 2.4.5,
though it did on a 2.4.18 (another box).

I have now upgraded the kernel to 2.4.19 and the iptables installation worked, though I'm having _really_ big problems with getting a
new version (1.99) of freeswan to work correctly.

I have compiled freeswan into the kernel, but the err msgs I get when trying to start it claim that my kernel does not have KLIPS and
can't locate the module 'ipsec'.

If you have _any_ idea, please tell me.

thanks

tomas bonnedahl

On Fri, Nov 22, 2002 at 06:20:48PM -0200, Ethy H. Brito wrote:
> On 15 Nov 2002, Vincent Jaussaud wrote:
> 
> > Hi tomas,
> >
> > On Wed, 2002-11-13 at 13:34, Tomas Bonnedahl wrote:
> > > I have a setup that looks like this:
> > >
> > > LAN <--> router <--> fw <--> internet
> > >
> > > Both the router and the fw are Slackware with 2.4.5; the fw also has
> > > IPsec tunnels using the freeswan software.
> > >
> > > The problem is that the fw is continuously hanging when sending too large
> > > packets through the tunnel; even a frame over 1400 bytes gets the fw to hang
> > > (which it shouldn't: 40 bytes overhead for the IP and TCP header, and perhaps 20
> > > bytes for the ESP header).
> 
> Did you have success solving this?
> 
> Regards
> 
> Ethy H. Brito         /"\
> InterNexo Ltda.       \ /  CAMPANHA DA FITA ASCII - CONTRA MAIL HTML
> +55 (12) 3941-6860     X   ASCII RIBBON CAMPAIGN - AGAINST HTML MAIL
> S.J.Campos - Brasil   / \