Re: [Users] Not Receiving MR3 response.

From: Andreas Steffen (andreas.steffen_at_strongsec.net)
Date: Mon Sep 16 2002 - 14:39:19 CEST


There are several ways to fix it, depending on the Linux kernel
and firewall you are using:

Linux 2.2.x Kernel:

- Compile the kernel with the setting CONFIG_IP_ALWAYS_DEFRAG

or

- Add an ipchains -f rule letting IP fragments through

Linux 2.4.x kernel:

- See if /proc/sys/net/ipv4/ip_always_defrag exists and
   set it to 1

or

- Add an iptables -f rule letting IP fragments through

Details on the CONFIG_IP_ALWAYS_DEFRAG compile option or
the /proc/sys/net/ipv4/ip_always_defrag variable can be found
under

  http://www.thelinuxreview.com/howto/IP-MASQ/c420.htm

There is another alternative which I myself have chosen:

- generate certificates that are smaller than about 1 kB so that
   fragmentation does not occur. This is possible by using
   1024 bit RSA keys and short Distinguished Names.

Regards

Andreas

Gordon Heydon wrote:
> Thanks
>
> but 1 question: I have been looking around and can't figure out how to
> stop it. Besides that, why did it work last week and not this week? I
> really need to work this out.
>
> Some tips on how to fix this would be much appreciated.
>
> Thanks
>
> Gordon.
>
> * Andreas Steffen (andreas.steffen_at_strongsec.net) wrote:
>
>>You seem to have an IP fragmentation problem in the response MR3
>>from sydney:
>>
>>
>>>vic7-adsl-106.tpgi.com.au.500: isakmp: phase 1 R ident[E]: [|id] (frag
>>>34241:1480_at_0+)
>>
>>Probably the firewall at melbourne discards the fragment, so that
>>the message is never received.
>>
>>Regards
>>
>>Andreas
>>
>>Gordon Heydon wrote:
>>
>>>Hello,
>>>
>>>I am having a problem in that I can't get a tunnel that I had working
>>>last week and for the last month going.
>>>
>>>Last Friday night it stopped working. It was complaining about CRLs
>>>needing to be updated, so I did that this morning, and still nothing.
>>>
>>>I feel that I have worked the problem as far as I am able and really
>>>need help. I have also found some oddities and I can't seem to explain
>>>them.
>>>
>>>I have 2 machines with a dedicated VPN between them, and I have a
>>>3rd which is a test server, and this is having no problems. If I try to
>>>establish the connection from Sydney I get no joy at all, and it hangs at
>>>
>>>108 "vpn-syd" #20: STATE_MAIN_I3: sent MI3, expecting MR3
>>>
>>>and then retries from there. There is only one entry in the Melbourne
>>>machine's log
>>>
>>>Sep 16 12:14:25 stealth pluto[2641]: "vpn-mel-syd" #22: responding to
>>>Main Mode
>>>
>>>but if I try to initiate the connection from Melbourne I get better
>>>results.
>>>
>>>I still hang in the same place, but the log on the Sydney machine has
>>>
>>>Sep 16 12:18:47 panther pluto[5029]: "vpn-syd" #26: sent MR3, ISAKMP SA
>>>established
>>>
>>>and the Melbourne machine just doesn't find out. Below are the tcpdumps
>>>from the same initiation from Melbourne.
>>>
>>>I have uploaded the barfs here
>>>
>>>http://members.optusnet.com.au/~gheydon/syd.barf - for Sydney and
>>>http://members.optusnet.com.au/~gheydon/melb.barf - for Melbourne.
>>>
>>>Can someone please help me, I really need to get this back up.
>>>
>>>Thanks in advance
>>>
>>>Gordon.
>>>
>>>Melbourne tcpdump
>>>
>>>stealth:/etc# tcpdump -i eth1 udp port 500&
>>>tcpdump: listening on eth1
>>>[1] 3568
>>>stealth:/etc# ipsec auto --up vpn-mel-syd
>>>12:21:24.828607 vic7-adsl-106.tpgi.com.au.500 >
>>>nsw22-adsl-210.tpgi.com.au.500: isakmp: phase 1 I ident: [|sa] (DF)
>>>104 "vpn-mel-syd" #29: STATE_MAIN_I1: initiate
>>>12:21:24.890537 nsw22-adsl-210.tpgi.com.au.500 >
>>>vic7-adsl-106.tpgi.com.au.500: isakmp: phase 1 R ident: [|sa] (DF)
>>>12:21:24.903423 vic7-adsl-106.tpgi.com.au.500 >
>>>nsw22-adsl-210.tpgi.com.au.500: isakmp: phase 1 I ident: [|ke] (DF)
>>>106 "vpn-mel-syd" #29: STATE_MAIN_I2: sent MI2, expecting MR2
>>>12:21:24.980003 nsw22-adsl-210.tpgi.com.au.500 >
>>>vic7-adsl-106.tpgi.com.au.500: isakmp: phase 1 R ident: [|ke] (DF)
>>>12:21:25.001383 vic7-adsl-106.tpgi.com.au.500 >
>>>nsw22-adsl-210.tpgi.com.au.500: isakmp: phase 1 I ident[E]: [|id] (DF)
>>>108 "vpn-mel-syd" #29: STATE_MAIN_I3: sent MI3, expecting MR3
>>>
>>>Sydney tcpdump
>>>
>>>panther:/var/log# tcpdump -i eth1 udp port 500
>>>tcpdump: listening on eth1
>>>12:21:25.275863 vic7-adsl-106.tpgi.com.au.500 >
>>>nsw22-adsl-210.tpgi.com.au.500: isakmp: phase 1 I ident: [|sa] (DF)
>>>12:21:25.276642 nsw22-adsl-210.tpgi.com.au.500 >
>>>vic7-adsl-106.tpgi.com.au.500: isakmp: phase 1 R ident: [|sa] (DF)
>>>12:21:25.352760 vic7-adsl-106.tpgi.com.au.500 >
>>>nsw22-adsl-210.tpgi.com.au.500: isakmp: phase 1 I ident: [|ke] (DF)
>>>12:21:25.375771 nsw22-adsl-210.tpgi.com.au.500 >
>>>vic7-adsl-106.tpgi.com.au.500: isakmp: phase 1 R ident: [|ke] (DF)
>>>12:21:25.502252 vic7-adsl-106.tpgi.com.au.500 >
>>>nsw22-adsl-210.tpgi.com.au.500: isakmp: phase 1 I ident[E]: [|id] (DF)
>>>12:21:25.513731 nsw22-adsl-210.tpgi.com.au.500 >
>>>vic7-adsl-106.tpgi.com.au.500: isakmp: phase 1 R ident[E]: [|id] (frag
>>>34241:1480_at_0+)
>>>
======================================================================
Andreas Steffen e-mail: andreas.steffen_at_strongsec.com
strongSec GmbH phone: +41 76 340 25 56
Alter Zürichweg 20 home: http://www.strongsec.com
CH-8952 Schlieren (Switzerland)
==========================================[strong internet security]==
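As an added example, not code from the thread or from FreeS/WAN: a small Python parser that re-joins the mail-wrapped tcpdump lines quoted above and flags phase 1 responder messages that were sent as IP fragments, which is the condition Andreas points to. The sample input is Gordon's Sydney dump as the archive shows it; the `_at_` handling assumes that is the archive's rewriting of `@`.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
# Constructed sample: the last two Sydney tcpdump lines from the thread, exactly as the
# archive wrapped them (it also rewrote the "@" in the frag marker as "_at_").
SAMPLE = """\
12:21:25.502252 vic7-adsl-106.tpgi.com.au.500 >
nsw22-adsl-210.tpgi.com.au.500: isakmp: phase 1 I ident[E]: [|id] (DF)
12:21:25.513731 nsw22-adsl-210.tpgi.com.au.500 >
vic7-adsl-106.tpgi.com.au.500: isakmp: phase 1 R ident[E]: [|id] (frag
34241:1480_at_0+)
"""
TS_RE = re.compile(r"^\d\d:\d\d:\d\d\.\d+ ")
PKT_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) > (?P<dst>\S+): isakmp: "
                    r"phase (?P<phase>\d) (?P<role>[IR]) (?P<rest>.*)$")
FRAG_RE = re.compile(r"\(frag (?P<id>\d+):(?P<size>\d+)(?:@|_at_)(?P<off>\d+)(?P<more>\+?)\)")
@dataclass
class Packet:
    ts: str
    src: str
    dst: str
    phase: int
    role: str             # "I" = initiator, "R" = responder
    frag: Optional[dict]  # None when the datagram was not an IP fragment

def unwrap(text: str) -> List[str]:
    """Re-join tcpdump lines split by mail wrapping; a real line starts with a timestamp."""
    lines: List[str] = []
    for raw in text.splitlines():
        if TS_RE.match(raw) or not lines:
            lines.append(raw.strip())
        else:
            lines[-1] += " " + raw.strip()
    return lines

def parse_dump(text: str) -> List[Packet]:
    pkts: List[Packet] = []
    for line in unwrap(text):
        m = PKT_RE.match(line)
        if not m:
            continue  # pluto status lines or other traffic mixed into the capture
        f = FRAG_RE.search(m["rest"])
        frag = None if f is None else {"id": int(f["id"]), "size": int(f["size"]),
                                       "offset": int(f["off"]), "more": f["more"] == "+"}
        pkts.append(Packet(m["ts"], m["src"], m["dst"], int(m["phase"]), m["role"], frag))
    return pkts

def fragmented_replies(pkts: List[Packet]) -> List[Packet]:
    """Phase 1 responder messages that left as IP fragments (the MR3 case in this thread)."""
    return [p for p in pkts if p.phase == 1 and p.role == "R" and p.frag is not None]
```

A reply in this list with `more` set and no later packet from the initiator is the "sent MR3, ISAKMP SA established" on one side and "expecting MR3" on the other that Gordon saw.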

_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users



This archive was generated by hypermail 2.1.4 : Tue Sep 17 2002 - 05:20:06 CEST