pmtu discovery on sa esp

pmtu discovery on sa esp

[Marco Berizzi]

Hello everybody.
I have just upgraded from 2.6.21.3 to
2.6.22-rc4 and I get a ton of
pmtu discovery on sa esp/blablab/blabla
messages (this box is running openswan).
Is this an expected behaviour?

TIA

Re: pmtu discovery on sa esp

[Patrick McHardy]

Marco Berizzi wrote:
> Hello everybody.
> I have just upgraded from 2.6.21.3 to
> 2.6.22-rc4 and I get a ton of
> pmtu discovery on sa esp/blablab/blabla
> messages (this box is running openswan).
> Is this an expected behaviour?


We have some MTU opimiztations in 2.6.22-rc that might be related.
Please check with tcpdump what exactly is happening and whether
the 2.6.22-rc box is sending too large packets.

Re: pmtu discovery on sa esp

[Marco Berizzi]

Patrick McHardy wrote:

> Marco Berizzi wrote:
> > Hello everybody.
> > I have just upgraded from 2.6.21.3 to
> > 2.6.22-rc4 and I get a ton of
> > pmtu discovery on sa esp/blablab/blabla
> > messages (this box is running openswan).
> > Is this an expected behaviour?
>
>
> We have some MTU opimiztations in 2.6.22-rc that might be related.
> Please check with tcpdump what exactly is happening and whether
> the 2.6.22-rc box is sending too large packets.

Sorry for the late response.
I have done a tcpdump capture on the external
interface but I don't see anything strange.
(I can send to you the capture if you want/need)
I have noticed that the mtu on the aes tunnels
now is equal to 1450 byte (with 2.6.21 it was
1428). Let me explain:

linux 2.6.22-rc4 ->>-AES tunnel ->>- linux 2.6.21 mtu=1450
linux 2.6.21 ->>-AES tunnel ->>- linux 2.6.22-rc4 mtu=1428

Now as a collateral effects all the windoze boxes
aren't able to exchange large packets: I must
upgrade all ipsec gateway to 2.6.22-rc4 (or
downgrade this box to 2.6.21 again). Hints?

Re: pmtu discovery on sa esp

[Patrick McHardy]

Marco Berizzi wrote:
> Patrick McHardy wrote:
> 
>>We have some MTU opimiztations in 2.6.22-rc that might be related.
>>Please check with tcpdump what exactly is happening and whether
>>the 2.6.22-rc box is sending too large packets.
> 
> 
> I have done a tcpdump capture on the external
> interface but I don't see anything strange.


Try dumping on loopback as well.

> (I can send to you the capture if you want/need)
> I have noticed that the mtu on the aes tunnels
> now is equal to 1450 byte (with 2.6.21 it was
> 1428). Let me explain:
> 
> linux 2.6.22-rc4 ->>-AES tunnel ->>- linux 2.6.21 mtu=1450
> linux 2.6.21 ->>-AES tunnel ->>- linux 2.6.22-rc4 mtu=1428
> 
> Now as a collateral effects all the windoze boxes
> aren't able to exchange large packets: I must
> upgrade all ipsec gateway to 2.6.22-rc4 (or
> downgrade this box to 2.6.21 again). Hints?


The question is whether 1450 is correct. Could you send me the
output of "ip x s" (obfuscate keys if you want) and "ip x p"?
What is the MTU of the underlying device? Do the encapsulated
packets still fit?

BTW, are you just using pluto or the entire openswan patch?

Re: pmtu discovery on sa esp

[Marco Berizzi]

Patrick McHardy wrote:

> Marco Berizzi wrote:
> > Patrick McHardy wrote:
> >
> >>We have some MTU opimiztations in 2.6.22-rc that might be related.
> >>Please check with tcpdump what exactly is happening and whether
> >>the 2.6.22-rc box is sending too large packets.
> >
> >
> > I have done a tcpdump capture on the external
> > interface but I don't see anything strange.
>
>
> Try dumping on loopback as well.

indeed: here is:

14:55:58.848705 IP (tos 0xc0, ttl  64, id 1440, offset 0, flags [none],
proto: ICMP (1), length: 576) linux2.6.22 > linux2.6.22: ICMP
linux2.6.21 unreachable - need to frag (mtu 1500), length 556
 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF], proto: ESP (50),
length: 1512) linux2.6.22 > linux2.6.21:
ESP(spi=0x91878312,seq=0x1553f), length 1492[|icmp]

> > (I can send to you the capture if you want/need)
> > I have noticed that the mtu on the aes tunnels
> > now is equal to 1450 byte (with 2.6.21 it was
> > 1428). Let me explain:
> >
> > linux 2.6.22-rc4 ->>-AES tunnel ->>- linux 2.6.21 mtu=1450
> > linux 2.6.21 ->>-AES tunnel ->>- linux 2.6.22-rc4 mtu=1428
> >
> > Now as a collateral effects all the windoze boxes
> > aren't able to exchange large packets: I must
> > upgrade all ipsec gateway to 2.6.22-rc4 (or
> > downgrade this box to 2.6.21 again). Hints?
>
>
> The question is whether 1450 is correct. Could you send me the
> output of "ip x s" (obfuscate keys if you want) and "ip x p"?

I have sent to you (not to the list) the info you
asked me.

> What is the MTU of the underlying device?

1500 byte

> Do the encapsulated
> packets still fit?

No, the will not fit (1512 > 1500)

> BTW, are you just using pluto or the entire openswan patch?

only pluto (no klips).