[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

AW: [suse-security] explicitly allow fragmented packets in ipsec environment - unset the DF bit



Hi

> > I can send 15 Kbyte (I haven't tried larger packets yet but 
> I'm sure they
> > will go through the tunnel as well) pings to the other end 
> of an ipsec
> > (freeswan-freeswan) tunnel. Checking my fragmented packets 
> the DF bit is
> > not set. The other end of the tunnel, however, can "only" 
> send 1500 Byte
> > pings to me. Those packets have the DF bit set.

> The following is taken from 
> /usr/src/linux/Documentation/Configure.help:
> 
> 
> TCPMSS target support
> CONFIG_IP_NF_TARGET_TCPMSS
>   This option adds a `TCPMSS' target, which allows you to alter the
>   MSS value of TCP SYN packets, to control the maximum size for that
>   connection (usually limiting it to your outgoing interface's MTU
>   minus 40).
> 
>   This is used to overcome criminally braindead ISPs or servers which
>   block ICMP Fragmentation Needed packets.  The symptoms of this
>   problem are that everything works fine from your Linux
>   firewall/router, but machines behind it can never exchange large
>   packets
>   [...]
> 
> 
> This sounds quite a bit like your problem. One of your 
> systems seems to be 
> unable to send fragmented packets. And as 1500 bytes is 
> probably your MTU, 
> the host that cannot send fragmented packets cannot send 
> packets larger than 
> 1500 bytes. Maybe this is simply because you yourself are 
> blocking the "ICMP 
> Fragmentation Needed packets", so check your firewall 
> rules/logs. 

Don't need to. ICMP 3 allowed everywhere. 

> If that 
> doesn't help, maybe this kernel option will.

I'll try.

Thanks
Philipp

--
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@xxxxxxxx
Security-related bug reports go to security@xxxxxxx, not here