From: Gordon Heydon (gjheydon_at_bigfoot.com)
Date: Tue Sep 17 2002 - 02:07:27 CEST
Hello,
I have checked everything that I can and I am pretty sure that I am not
rejecting any fragmented packets; however, I am in the process of
building a new kernel that will allow me to use the option you
recommended below.
One thing that you could tell me, or point me in the direction of some
documentation that will tell me, is how to generate a key of less than 1k.
Thanks ever so much, I would try to work this more out for myself but
time is really against me.
Gordon.
* Andreas Steffen (andreas.steffen_at_strongsec.net) wrote:
> There are several ways to fix it depending on the Linux Kernel
> and firewall you are using:
>
> Linux 2.2.x Kernel:
>
> - Compile the kernel with the setting CONFIG_IP_ALWAYS_DEFRAG
>
> or
>
> - Add an ipchains -f rule letting IP fragments through
>
> Linux 2.4.x kernel:
>
> - See if /proc/sys/net/ipv4/ip_always_defrag exists and
> set it to 1
>
> or
>
> - Add an iptables -f rule letting IP fragments through
>
> Details on the CONFIG_IP_ALWAYS_DEFRAG compile option or
> the /proc/sys/net/ipv4/ip_always_defrag variable can be found
> under
>
> http://www.thelinuxreview.com/howto/IP-MASQ/c420.htm
>
> There is another alternative which I myself have chosen:
>
> - generate certificates that are smaller than about 1 kB so that
> fragmentation does not occur. This is possible by using
> 1024 bit RSA keys and short Distinguished Names.
>
> Regards
>
> Andreas
>
> Gordon Heydon wrote:
> >Thanks
> >
> >but 1 question, I have been looking around and can't figure out how to
> >stop it. Besides that, why did it work last week and not this week? I
> >really need to work this out.
> >
> >Some tips on how to fix this would be much appreciated.
> >
> >Thanks
> >
> >Gordon.
> >
> >* Andreas Steffen (andreas.steffen_at_strongsec.net) wrote:
> >
> >>You seem to have an IP fragmentation problem in the response MR3
> >>from sydney:
> >>
> >>
> >>>vic7-adsl-106.tpgi.com.au.500: isakmp: phase 1 R ident[E]: [|id] (frag
> >>>34241:1480@0+)
> >>
> >>Probably the firewall at melbourne discards the fragment, so that
> >>the message is never received.
> >>
> >>Regards
> >>
> >>Andreas
> >>
> >>Gordon Heydon wrote:
> >>
> >>>Hello,
> >>>
> >>>I am having a problem in that I can't get a tunnel that I had working
> >>>last week and for the last month going.
> >>>
> >>>Last Friday night it stopped working. It was complaining about CRLs
> >>>needing to be updated, so I did that this morning, and still nothing.
> >>>
> >>>I feel that I have worked the problem as far as I am able and really
> >>>need help. I have also found some oddities and I can't seem to explain
> >>>them.
> >>>
> >>>I have 2 machines that I have a dedicated VPN between, and I have a
> >>>3rd which is a test server and this is having no problems. If I try to
> >>>establish the connection from Sydney I get no joy at all, and it hangs at
> >>>
> >>>108 "vpn-syd" #20: STATE_MAIN_I3: sent MI3, expecting MR3
> >>>
> >>>and then retries from there. There is only one entry in the Melbourne
> >>>machine's log
> >>>
> >>>Sep 16 12:14:25 stealth pluto[2641]: "vpn-mel-syd" #22: responding to
> >>>Main Mode
> >>>
> >>>but if I try to initiate the connection from Melbourne I get better
> >>>results
> >>>
> >>>I still hang in the same place, but the log on the Sydney machine has
> >>>
> >>>Sep 16 12:18:47 panther pluto[5029]: "vpn-syd" #26: sent MR3, ISAKMP SA
> >>>established
> >>>
> >>>and the Melbourne machine just doesn't find out. Below are the tcpdumps
> >>>from the same initiation from Melbourne.
> >>>
> >>>I have uploaded the barfs to here
> >>>
> >>>http://members.optusnet.com.au/~gheydon/syd.barf - for Sydney and
> >>>http://members.optusnet.com.au/~gheydon/melb.barf - for Melbourne.
> >>>
> >>>Can someone please help me, I really need to get this back up.
> >>>
> >>>Thanks in advance
> >>>
> >>>Gordon.
> >>>
> >>>Melbourne tcpdump
> >>>
> >>>stealth:/etc# tcpdump -i eth1 udp port 500&
> >>>tcpdump: listening on eth1
> >>>[1] 3568
> >>>stealth:/etc# ipsec auto --up vpn-mel-syd
> >>>12:21:24.828607 vic7-adsl-106.tpgi.com.au.500 >
> >>>nsw22-adsl-210.tpgi.com.au.500: isakmp: phase 1 I ident: [|sa] (DF)
> >>>104 "vpn-mel-syd" #29: STATE_MAIN_I1: initiate
> >>>12:21:24.890537 nsw22-adsl-210.tpgi.com.au.500 >
> >>>vic7-adsl-106.tpgi.com.au.500: isakmp: phase 1 R ident: [|sa] (DF)
> >>>12:21:24.903423 vic7-adsl-106.tpgi.com.au.500 >
> >>>nsw22-adsl-210.tpgi.com.au.500: isakmp: phase 1 I ident: [|ke] (DF)
> >>>106 "vpn-mel-syd" #29: STATE_MAIN_I2: sent MI2, expecting MR2
> >>>12:21:24.980003 nsw22-adsl-210.tpgi.com.au.500 >
> >>>vic7-adsl-106.tpgi.com.au.500: isakmp: phase 1 R ident: [|ke] (DF)
> >>>12:21:25.001383 vic7-adsl-106.tpgi.com.au.500 >
> >>>nsw22-adsl-210.tpgi.com.au.500: isakmp: phase 1 I ident[E]: [|id] (DF)
> >>>108 "vpn-mel-syd" #29: STATE_MAIN_I3: sent MI3, expecting MR3
> >>>
> >>>Sydney tcpdump
> >>>
> >>>panther:/var/log# tcpdump -i eth1 udp port 500
> >>>tcpdump: listening on eth1
> >>>12:21:25.275863 vic7-adsl-106.tpgi.com.au.500 >
> >>>nsw22-adsl-210.tpgi.com.au.500: isakmp: phase 1 I ident: [|sa] (DF)
> >>>12:21:25.276642 nsw22-adsl-210.tpgi.com.au.500 >
> >>>vic7-adsl-106.tpgi.com.au.500: isakmp: phase 1 R ident: [|sa] (DF)
> >>>12:21:25.352760 vic7-adsl-106.tpgi.com.au.500 >
> >>>nsw22-adsl-210.tpgi.com.au.500: isakmp: phase 1 I ident: [|ke] (DF)
> >>>12:21:25.375771 nsw22-adsl-210.tpgi.com.au.500 >
> >>>vic7-adsl-106.tpgi.com.au.500: isakmp: phase 1 R ident: [|ke] (DF)
> >>>12:21:25.502252 vic7-adsl-106.tpgi.com.au.500 >
> >>>nsw22-adsl-210.tpgi.com.au.500: isakmp: phase 1 I ident[E]: [|id] (DF)
> >>>12:21:25.513731 nsw22-adsl-210.tpgi.com.au.500 >
> >>>vic7-adsl-106.tpgi.com.au.500: isakmp: phase 1 R ident[E]: [|id] (frag
> >>>34241:1480@0+)
> >>>
> ======================================================================
> Andreas Steffen e-mail: andreas.steffen_at_strongsec.com
> strongSec GmbH phone: +41 76 340 25 56
> Alter Zürichweg 20 home: http://www.strongsec.com
> CH-8952 Schlieren (Switzerland)
> ==========================================[strong internet security]==
>
_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
This archive was generated by hypermail 2.1.4 : Tue Sep 17 2002 - 05:20:07 CEST
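The diagnosis in this thread rests on one tcpdump line: the responder's MR3 (the `phase 1 R ident[E]` packet, which carries the certificate) leaves Sydney as an IP fragment (`frag 34241:1480@0+`) and never shows up in Melbourne's Main Mode state. The Python script below is an added example, not code from the thread or from FreeS/WAN. It re-joins tcpdump records that the mail client wrapped, extracts the fragmentation marker so a capture can be checked automatically for fragmented ISAKMP packets, and estimates how many IP fragments an ISAKMP message of a given length needs on a 1500-byte Ethernet path (assumed from the 1480-byte first fragment; 20-byte IPv4 header, 8-byte UDP header, fragment data in 8-byte units). The sample capture is the Sydney tcpdump quoted above; the parser also accepts the archive's `_at_` spelling of `@`, which real tcpdump output does not use.

```python
"""Spot fragmented ISAKMP packets in tcpdump output and estimate how many
IP fragments an IKE message of a given size needs on a 1500-byte MTU path.
Added example; not code from the thread or from FreeS/WAN."""
import math
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

IP_HEADER = 20       # IPv4 header without options
UDP_HEADER = 8
DEFAULT_MTU = 1500   # Ethernet; the 1480-byte first fragment in the thread implies this

# tcpdump marks an IP fragment as "(frag ID:LEN@OFFSET+)"; the "+" means more
# fragments follow.  The list archive rewrote "@" as "_at_", so both are accepted.
FRAG_RE = re.compile(r"\(frag\s+(\d+):(\d+)(?:@|_at_)(\d+)(\+?)\)")
ISAKMP_RE = re.compile(r"^(\d\d:\d\d:\d\d\.\d+)\s+(\S+)\s+>\s+(\S+):\s+isakmp:\s+(.*)$")
# Lines that begin a new record; anything else is a mail-client wrap of the previous one.
RECORD_START = re.compile(r'^(\d\d:\d\d:\d\d\.\d+\s|\d{3} "|\S+# |tcpdump: |\[\d+\] )')


@dataclass
class IsakmpPacket:
    time: str
    src: str
    dst: str
    summary: str
    frag_id: Optional[int] = None
    frag_len: Optional[int] = None
    frag_offset: Optional[int] = None
    more_fragments: bool = False

    @property
    def fragmented(self) -> bool:
        return self.frag_id is not None


def join_wrapped(text: str) -> List[str]:
    """Re-join tcpdump records that were wrapped onto several lines in the mail."""
    records: List[str] = []
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        if RECORD_START.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line.strip()
    return records


def parse_isakmp(record: str) -> Optional[IsakmpPacket]:
    """Parse one joined tcpdump record; returns None for non-ISAKMP lines."""
    m = ISAKMP_RE.match(record)
    if not m:
        return None
    pkt = IsakmpPacket(time=m.group(1), src=m.group(2), dst=m.group(3), summary=m.group(4))
    f = FRAG_RE.search(pkt.summary)
    if f:
        pkt.frag_id, pkt.frag_len, pkt.frag_offset = int(f.group(1)), int(f.group(2)), int(f.group(3))
        pkt.more_fragments = f.group(4) == "+"
    return pkt


def analyze(text: str) -> Dict[str, object]:
    """Summarise a capture: every ISAKMP packet, and the fragmented ones."""
    packets = [p for p in map(parse_isakmp, join_wrapped(text)) if p is not None]
    fragmented = [p for p in packets if p.fragmented]
    return {"packets": packets, "fragmented": fragmented}


def fragment_count(isakmp_len: int, mtu: int = DEFAULT_MTU) -> int:
    """IP fragments needed for a UDP datagram carrying isakmp_len ISAKMP bytes.
    Fragment data (everything after the IP header) is sent in 8-byte units."""
    ip_payload = UDP_HEADER + isakmp_len
    per_fragment = (mtu - IP_HEADER) // 8 * 8
    return max(1, math.ceil(ip_payload / per_fragment))


# Sydney-side capture quoted in the thread (wrapped exactly as the mail shows it).
SAMPLE_DUMP = """\
panther:/var/log# tcpdump -i eth1 udp port 500
tcpdump: listening on eth1
12:21:25.275863 vic7-adsl-106.tpgi.com.au.500 >
nsw22-adsl-210.tpgi.com.au.500: isakmp: phase 1 I ident: [|sa] (DF)
12:21:25.276642 nsw22-adsl-210.tpgi.com.au.500 >
vic7-adsl-106.tpgi.com.au.500: isakmp: phase 1 R ident: [|sa] (DF)
12:21:25.352760 vic7-adsl-106.tpgi.com.au.500 >
nsw22-adsl-210.tpgi.com.au.500: isakmp: phase 1 I ident: [|ke] (DF)
12:21:25.375771 nsw22-adsl-210.tpgi.com.au.500 >
vic7-adsl-106.tpgi.com.au.500: isakmp: phase 1 R ident: [|ke] (DF)
12:21:25.502252 vic7-adsl-106.tpgi.com.au.500 >
nsw22-adsl-210.tpgi.com.au.500: isakmp: phase 1 I ident[E]: [|id] (DF)
12:21:25.513731 nsw22-adsl-210.tpgi.com.au.500 >
vic7-adsl-106.tpgi.com.au.500: isakmp: phase 1 R ident[E]: [|id] (frag
34241:1480_at_0+)
"""

if __name__ == "__main__":
    result = analyze(SAMPLE_DUMP)
    for p in result["fragmented"]:
        print(f"{p.time} {p.src} -> {p.dst}: fragmented (IP id {p.frag_id}, "
              f"{p.frag_len} bytes at offset {p.frag_offset}, more={p.more_fragments})")
    print("a 1200-byte ISAKMP message needs", fragment_count(1200), "fragment(s)")
    print("a 2000-byte ISAKMP message needs", fragment_count(2000), "fragment(s)")
```

Run over the Sydney capture it flags exactly one packet, the responder's `R ident[E]` reply, which is the MR3 that Melbourne never logs. The same check on a capture taken on the Melbourne side shows directly whether the fragments arrive at all, which separates a firewall that drops fragments (the ipchains/iptables `-f` and `ip_always_defrag` fixes) from a certificate that is simply too large to fit in one datagram (the small-certificate fix); `fragment_count` gives the cut-off: with a 1500-byte MTU, an ISAKMP message of up to 1472 bytes goes out in a single packet and anything larger fragments.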