[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [suse-security] explicitly allow fragmented packets in ipsec environment - unset the DF bit



On Friday, 3. October 2003 09:17, you wrote:

> I can send 15 Kbyte (I haven't tried larger packets yet but I'm sure they
> will go through the tunnel as well) pings to the other end of an ipsec
> (freeswan-freeswan) tunnel. Checking my fragmented packets the DF bit is
> not set. The other end of the tunnel, however, can "only" send 1500 Byte
> pings to me. Those packets have the DF bit set.

Hi!

The following is taken from /usr/src/linux/Documentation/Configure.help:


TCPMSS target support
CONFIG_IP_NF_TARGET_TCPMSS
  This option adds a `TCPMSS' target, which allows you to alter the
  MSS value of TCP SYN packets, to control the maximum size for that
  connection (usually limiting it to your outgoing interface's MTU
  minus 40).

  This is used to overcome criminally braindead ISPs or servers which
  block ICMP Fragmentation Needed packets.  The symptoms of this
  problem are that everything works fine from your Linux
  firewall/router, but machines behind it can never exchange large
  packets
  [...]


This sounds quite a bit like your problem. One of your systems seems to be 
unable to send fragmented packets. And as 1500 bytes is probably your MTU, 
the host that cannot send fragmented packets cannot send packets larger than 
1500 bytes. Maybe this is simply because you yourself are blocking the "ICMP 
Fragmentation Needed packets", so check your firewall rules/logs. If that 
doesn't help, maybe this kernel option will.

Regards
nordi

-- 
Denn der Menschheit drohen Kriege, gegen welche die vergangenen wie armselige 
Versuche sind, und sie werden kommen ohne jeden Zweifel, wenn denen, die sie 
in aller Öffentlichkeit vorbereiten, nicht die Hände zerschlagen werden.
Bertolt Brecht, 1952 

-- 
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@xxxxxxxx
Security-related bug reports go to security@xxxxxxx, not here