From: Gordon Heydon (gjheydon_at_bigfoot.com)
Date: Tue Sep 17 2002 - 08:11:49 CEST
Hello,
I am not too sure here what is going on, but I think that the
fragmentation is a red herring. I changed the MTU from 1500 to 500 on
the test machine that is working and then restarted FreeS/WAN with a
tcpdump running, and it connected and there were fragmented packets. Also, from
the machine that is not working I did a ping -s2000 and it also worked,
so I don't think that it could be that.
It just seems that the initiator or response packet 3 is being dropped,
depending on who started the tunnel.
Also, with the key size, which one is sent over the line, and how do you
calculate how big it is going to be going over the line? Because at this
stage the private key is only ~900 bytes.
Thanks for your help. Do you have any more suggestions? Is there anywhere
you could get better debug logs for this type of thing?
Gordon.
* Andreas Steffen (andreas.steffen_at_strongsec.net) wrote:
> There are several ways to fix it depending on the Linux kernel
> and firewall you are using:
>
> Linux 2.2.x Kernel:
>
> - Compile the kernel with the setting CONFIG_IP_ALWAYS_DEFRAG
>
> or
>
> - Add an ipchains -f rule letting IP fragments through
>
> Linux 2.4.x kernel:
>
> - See if /proc/sys/net/ipv4/ip_always_defrag exists and
> set it to 1
>
> or
>
> - Add an iptables -f rule letting IP fragments through
>
> Details on the CONFIG_IP_ALWAYS_DEFRAG compile option or
> the /proc/sys/net/ipv4/ip_always_defrag variable can be found
> under
>
> http://www.thelinuxreview.com/howto/IP-MASQ/c420.htm
>
> There is another alternative which I myself have chosen:
>
> - generate certificates that are smaller than about 1 kB so that
> fragmentation does not occur. This is possible by using
> 1024 bit RSA keys and short Distinguished Names.
>
> Regards
>
> Andreas
>
> Gordon Heydon wrote:
> >Thanks
> >
> >but 1 question: I have been looking around and can't figure out how to
> >stop it. Besides that, why did it work last week and not this week? I
> >really need to work this out.
> >
> >Some tips on how to fix this would be much appreciated.
> >
> >Thanks
> >
> >Gordon.
> >
> >* Andreas Steffen (andreas.steffen_at_strongsec.net) wrote:
> >
> >>You seem to have an IP fragmentation problem in the response MR3
> >>from sydney:
> >>
> >>
> >>>vic7-adsl-106.tpgi.com.au.500: isakmp: phase 1 R ident[E]: [|id] (frag
> >>>34241:1480_at_0+)
> >>
> >>Probably the firewall at melbourne discards the fragment, so that
> >>the message is never received.
> >>
> >>Regards
> >>
> >>Andreas
> >>
> >>Gordon Heydon wrote:
> >>
> >>>Hello,
> >>>
> >>>I am having a problem in that I can't get a tunnel that I had working
> >>>last week and for the last month going.
> >>>
> >>>Last Friday night it stopped working. It was complaining about CRLs
> >>>needing to be updated, so I did that this morning, and still nothing.
> >>>
> >>>I feel that I have worked the problem as far as I am able and really
> >>>need help. I have also found some oddities and I can't seem to explain
> >>>them.
> >>>
> >>>I have 2 machines that I have a dedicated VPN between, and I have a
> >>>3rd which is a test server, and this is having no problems. If I try to
> >>>establish the connection from Sydney I get no joy at all, and it hangs at
> >>>
> >>>108 "vpn-syd" #20: STATE_MAIN_I3: sent MI3, expecting MR3
> >>>
> >>>and then retries from there. From there on there is only one entry in the
> >>>Melbourne machine's log
> >>>
> >>>Sep 16 12:14:25 stealth pluto[2641]: "vpn-mel-syd" #22: responding to
> >>>Main Mode
> >>>
> >>>but if I try to initiate the connection from Melbourne I get better
> >>>results.
> >>>
> >>>I still hang in the same place, but the log on the Sydney machine has
> >>>
> >>>Sep 16 12:18:47 panther pluto[5029]: "vpn-syd" #26: sent MR3, ISAKMP SA
> >>>established
> >>>
> >>>and the Melbourne machine just doesn't find out. Below are the tcpdumps
> >>>from the same initiation from Melbourne.
> >>>
> >>>I have uploaded the barfs here:
> >>>
> >>>http://members.optusnet.com.au/~gheydon/syd.barf - for Sydney and
> >>>http://members.optusnet.com.au/~gheydon/melb.barf - for Melbourne.
> >>>
> >>>Can someone please help me; I really need to get this back up.
> >>>
> >>>Thanks in advance
> >>>
> >>>Gordon.
> >>>
> >>>Melbourne tcpdump
> >>>
> >>>stealth:/etc# tcpdump -i eth1 udp port 500&
> >>>tcpdump: listening on eth1
> >>>[1] 3568
> >>>stealth:/etc# ipsec auto --up vpn-mel-syd
> >>>12:21:24.828607 vic7-adsl-106.tpgi.com.au.500 >
> >>>nsw22-adsl-210.tpgi.com.au.500: isakmp: phase 1 I ident: [|sa] (DF)
> >>>104 "vpn-mel-syd" #29: STATE_MAIN_I1: initiate
> >>>12:21:24.890537 nsw22-adsl-210.tpgi.com.au.500 >
> >>>vic7-adsl-106.tpgi.com.au.500: isakmp: phase 1 R ident: [|sa] (DF)
> >>>12:21:24.903423 vic7-adsl-106.tpgi.com.au.500 >
> >>>nsw22-adsl-210.tpgi.com.au.500: isakmp: phase 1 I ident: [|ke] (DF)
> >>>106 "vpn-mel-syd" #29: STATE_MAIN_I2: sent MI2, expecting MR2
> >>>12:21:24.980003 nsw22-adsl-210.tpgi.com.au.500 >
> >>>vic7-adsl-106.tpgi.com.au.500: isakmp: phase 1 R ident: [|ke] (DF)
> >>>12:21:25.001383 vic7-adsl-106.tpgi.com.au.500 >
> >>>nsw22-adsl-210.tpgi.com.au.500: isakmp: phase 1 I ident[E]: [|id] (DF)
> >>>108 "vpn-mel-syd" #29: STATE_MAIN_I3: sent MI3, expecting MR3
> >>>
> >>>Sydney tcpdump
> >>>
> >>>panther:/var/log# tcpdump -i eth1 udp port 500
> >>>tcpdump: listening on eth1
> >>>12:21:25.275863 vic7-adsl-106.tpgi.com.au.500 >
> >>>nsw22-adsl-210.tpgi.com.au.500: isakmp: phase 1 I ident: [|sa] (DF)
> >>>12:21:25.276642 nsw22-adsl-210.tpgi.com.au.500 >
> >>>vic7-adsl-106.tpgi.com.au.500: isakmp: phase 1 R ident: [|sa] (DF)
> >>>12:21:25.352760 vic7-adsl-106.tpgi.com.au.500 >
> >>>nsw22-adsl-210.tpgi.com.au.500: isakmp: phase 1 I ident: [|ke] (DF)
> >>>12:21:25.375771 nsw22-adsl-210.tpgi.com.au.500 >
> >>>vic7-adsl-106.tpgi.com.au.500: isakmp: phase 1 R ident: [|ke] (DF)
> >>>12:21:25.502252 vic7-adsl-106.tpgi.com.au.500 >
> >>>nsw22-adsl-210.tpgi.com.au.500: isakmp: phase 1 I ident[E]: [|id] (DF)
> >>>12:21:25.513731 nsw22-adsl-210.tpgi.com.au.500 >
> >>>vic7-adsl-106.tpgi.com.au.500: isakmp: phase 1 R ident[E]: [|id] (frag
> >>>34241:1480_at_0+)
> >>>
> ======================================================================
> Andreas Steffen e-mail: andreas.steffen_at_strongsec.com
> strongSec GmbH phone: +41 76 340 25 56
> Alter Zürichweg 20 home: http://www.strongsec.com
> CH-8952 Schlieren (Switzerland)
> ==========================================[strong internet security]==
>
_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
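Added example, not from the thread and not FreeS/WAN code: a small Python parser for tcpdump output in the format quoted above. It labels each ISAKMP main mode message (MI1 ... MR3), reports which expected messages never appeared, and flags any message that left the host as IP fragments, which is the situation Andreas diagnosed for MR3. The two sample dumps are constructed from the Melbourne and Sydney lines in the thread, joined back onto single lines; the archive renders the "@" in tcpdump's fragment notation as "_at_", so the parser accepts either spelling. Function, class and field names are my own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# One ISAKMP line as tcpdump 3.x prints it. A trailing "(DF)" means the
# don't-fragment bit was set; "(frag ID:LEN@OFF+)" means this datagram is an IP
# fragment (identification, payload length, offset) and "+" that more fragments
# follow. Mailing-list archives rewrite "@" as "_at_", so both are accepted.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+(?P<src>\S+)\s+>\s+(?P<dst>\S+):\s+"
    r"isakmp:\s+phase\s+(?P<phase>\d)\s+(?P<role>[IR])\s+ident(?P<enc>\[E\])?:\s+"
    r"\[\|(?P<payload>\w+)\]\s*"
    r"(?:\((?P<df>DF)\)|\(frag\s+(?P<fid>\d+):(?P<flen>\d+)(?:@|_at_)(?P<foff>\d+)(?P<more>\+)?\))?"
)

MAIN_MODE = ("MI1", "MR1", "MI2", "MR2", "MI3", "MR3")

# Constructed samples modelled on the captures in the thread (wrapped lines
# rejoined). Pluto status lines are interleaved exactly as they appeared.
MELBOURNE_DUMP = """\
stealth:/etc# ipsec auto --up vpn-mel-syd
12:21:24.828607 vic7-adsl-106.tpgi.com.au.500 > nsw22-adsl-210.tpgi.com.au.500: isakmp: phase 1 I ident: [|sa] (DF)
104 "vpn-mel-syd" #29: STATE_MAIN_I1: initiate
12:21:24.890537 nsw22-adsl-210.tpgi.com.au.500 > vic7-adsl-106.tpgi.com.au.500: isakmp: phase 1 R ident: [|sa] (DF)
12:21:24.903423 vic7-adsl-106.tpgi.com.au.500 > nsw22-adsl-210.tpgi.com.au.500: isakmp: phase 1 I ident: [|ke] (DF)
106 "vpn-mel-syd" #29: STATE_MAIN_I2: sent MI2, expecting MR2
12:21:24.980003 nsw22-adsl-210.tpgi.com.au.500 > vic7-adsl-106.tpgi.com.au.500: isakmp: phase 1 R ident: [|ke] (DF)
12:21:25.001383 vic7-adsl-106.tpgi.com.au.500 > nsw22-adsl-210.tpgi.com.au.500: isakmp: phase 1 I ident[E]: [|id] (DF)
108 "vpn-mel-syd" #29: STATE_MAIN_I3: sent MI3, expecting MR3
"""

SYDNEY_DUMP = """\
tcpdump: listening on eth1
12:21:25.275863 vic7-adsl-106.tpgi.com.au.500 > nsw22-adsl-210.tpgi.com.au.500: isakmp: phase 1 I ident: [|sa] (DF)
12:21:25.276642 nsw22-adsl-210.tpgi.com.au.500 > vic7-adsl-106.tpgi.com.au.500: isakmp: phase 1 R ident: [|sa] (DF)
12:21:25.352760 vic7-adsl-106.tpgi.com.au.500 > nsw22-adsl-210.tpgi.com.au.500: isakmp: phase 1 I ident: [|ke] (DF)
12:21:25.375771 nsw22-adsl-210.tpgi.com.au.500 > vic7-adsl-106.tpgi.com.au.500: isakmp: phase 1 R ident: [|ke] (DF)
12:21:25.502252 vic7-adsl-106.tpgi.com.au.500 > nsw22-adsl-210.tpgi.com.au.500: isakmp: phase 1 I ident[E]: [|id] (DF)
12:21:25.513731 nsw22-adsl-210.tpgi.com.au.500 > vic7-adsl-106.tpgi.com.au.500: isakmp: phase 1 R ident[E]: [|id] (frag 34241:1480@0+)
"""


@dataclass
class IsakmpPacket:
    ts: str
    src: str
    dst: str
    phase: int
    role: str            # "I" initiator, "R" responder
    encrypted: bool      # tcpdump printed ident[E]
    payload: str         # first payload tcpdump could name: sa, ke, id
    df: bool
    frag_id: Optional[int] = None
    frag_len: Optional[int] = None
    frag_off: Optional[int] = None
    more_fragments: bool = False

    @property
    def fragmented(self) -> bool:
        return self.frag_id is not None

    def label(self) -> str:
        """Map a phase 1 main mode packet to MI1..MR3 by its first payload."""
        num = {"sa": 1, "ke": 2, "id": 3}.get(self.payload)
        if self.phase != 1 or num is None:
            return "?"
        return f"M{self.role}{num}"


def parse_dump(text: str) -> List[IsakmpPacket]:
    """Keep only the ISAKMP lines; shell prompts and pluto status lines are skipped."""
    pkts: List[IsakmpPacket] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        g = m.groupdict()
        pkts.append(IsakmpPacket(
            ts=g["ts"], src=g["src"], dst=g["dst"], phase=int(g["phase"]),
            role=g["role"], encrypted=g["enc"] is not None, payload=g["payload"],
            df=g["df"] is not None,
            frag_id=int(g["fid"]) if g["fid"] else None,
            frag_len=int(g["flen"]) if g["flen"] else None,
            frag_off=int(g["foff"]) if g["foff"] else None,
            more_fragments=g["more"] is not None,
        ))
    return pkts


def diagnose(text: str) -> dict:
    """Summarise a main mode capture from one host's point of view."""
    pkts = parse_dump(text)
    labels = [p.label() for p in pkts]
    report = {
        "messages": labels,
        "missing": [l for l in MAIN_MODE if l not in labels],
        "complete_main_mode": all(l in labels for l in MAIN_MODE),
        "fragmented": [p.label() for p in pkts if p.fragmented],
        "notes": [],
    }
    for p in pkts:
        if not p.fragmented:
            continue
        report["notes"].append(
            f"{p.label()} from {p.src} left as IP fragments (id {p.frag_id}, "
            f"first fragment carries {p.frag_len} bytes"
            + (", more follow" if p.more_fragments else "") + "). "
            "If the peer never advances past the preceding state, suspect a "
            "firewall on the path dropping non-initial fragments. A 'udp port 500' "
            "capture filter cannot show those fragments: they carry no UDP header."
        )
    return report


if __name__ == "__main__":
    for name, dump in (("Melbourne", MELBOURNE_DUMP), ("Sydney", SYDNEY_DUMP)):
        rep = diagnose(dump)
        print(f"{name}: seen {' '.join(rep['messages'])}; missing {rep['missing'] or 'none'}")
        for note in rep["notes"]:
            print("  -", note)
```

Run on the two captures it reports that the Sydney side saw the full exchange but sent MR3 as fragments, while the Melbourne side never saw MR3 at all, which is exactly the asymmetry the thread describes. To confirm where the tail fragments are lost, capture on both sides with a filter that matches non-initial fragments, for example `tcpdump -n 'ip[6:2] & 0x1fff != 0'`, since the `udp port 500` filter used in the thread can only ever match the first fragment.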
This archive was generated by hypermail 2.1.4 : Wed Sep 18 2002 - 05:20:10 CEST