Hi,
I am seeing some problems with IPsec encrypted gif tunnels and path MTU discovery.
It seems that the router with the IPsec tunnel sends an ICMP need to
frag packet with the next hop MTU set to 0. This causes ssh to
retransmit the same packet without reducing the size of the data payload.
Is this a known problem? If so, are there any known workarounds?
Tom
Network Layout:
Box 1 --(lan)-- Router 1 --(lan)-- Router 2 --(IPsec tunnel)-- Router 3 --(lan)-- Box 2
Box 1: FreeBSD 5.4
Router [123]: FreeBSD 6.1
Box 2: Linux 2.6
PING Test from box 1 to box 2 with do not fragment set and a packet
larger than the path MTU:
box1# ping -s 1280 -D box2
PING box2 (10.0.0.79): 1280 data bytes
36 bytes from router1 (172.17.3.5): Redirect Host(New addr: 172.17.3.6)
Vr HL TOS Len ID Flg off TTL Pro cks Src Dst
4 5 00 051c b454 0 0000 40 01 c9fc 172.17.1.48 10.0.0.79
36 bytes from router2 (172.17.3.6): frag needed and DF set (MTU 0)
Vr HL TOS Len ID Flg off TTL Pro cks Src Dst
4 5 00 1c05 b454 0 0000 3f 01 cafc 172.17.1.48 10.0.0.79
36 bytes from router1 (172.17.3.5): Redirect Host(New addr: 172.17.3.6)
Vr HL TOS Len ID Flg off TTL Pro cks Src Dst
4 5 00 051c b45f 0 0000 40 01 c9f1 172.17.1.48 10.0.0.79
36 bytes from router2 (172.17.3.6): frag needed and DF set (MTU 0)
Vr HL TOS Len ID Flg off TTL Pro cks Src Dst
4 5 00 1c05 b45f 0 0000 3f 01 caf1 172.17.1.48 10.0.0.79
^C
--- box2 ping statistics ---
2 packets transmitted, 0 packets received, 100% packet loss
PING Test from box 1 to box 2 with do not fragment set and a packet
smaller than the path MTU:
box1# ping -s 1200 -D box2
PING box2 (10.0.0.79): 1200 data bytes
36 bytes from router1 (172.17.3.5): Redirect Host(New addr: 172.17.3.6)
Vr HL TOS Len ID Flg off TTL Pro cks Src Dst
4 5 00 04cc b472 0 0000 40 01 ca2e 172.17.1.48 10.0.0.79
1208 bytes from 10.0.0.79: icmp_seq=0 ttl=61 time=111.017 ms
36 bytes from router1 (172.17.3.5): Redirect Host(New addr: 172.17.3.6)
Vr HL TOS Len ID Flg off TTL Pro cks Src Dst
4 5 00 04cc b479 0 0000 40 01 ca27 172.17.1.48 10.0.0.79
1208 bytes from 10.0.0.79: icmp_seq=1 ttl=61 time=110.419 ms
^C
--- box2 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max/stddev = 110.419/110.718/111.017/0.299 ms
box1#
Relevant interface configuration on box1 (from ifconfig):
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
options=b<RXCSUM,TXCSUM,VLAN_MTU>
inet 172.17.1.48 netmask 0xffff0000 broadcast 172.17.255.255
ether 00:0f:1f:fa:d1:b5
media: Ethernet autoselect (1000baseTX <full-duplex>)
status: active
Relevant interface configuration on router2 (from ifconfig):
em0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
options=b<RXCSUM,TXCSUM,VLAN_MTU>
inet 172.17.3.6 netmask 0xffff0000 broadcast 172.17.255.255
ether 00:c0:9f:12:13:1b
media: Ethernet autoselect (1000baseTX <full-duplex>)
status: active
gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
tunnel inet 63.174.175.252 --> 82.195.173.206
inet 192.168.174.10 --> 192.168.174.9 netmask 0xfffffffc
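The behaviour Tom describes (a "frag needed and DF set" message whose next-hop MTU field is 0, after which the sender keeps retransmitting at the same size) is exactly the case RFC 1191 section 7 covers: a host that receives a zero next-hop MTU is supposed to fall back to the plateau table and shrink its estimate below the length of the datagram that was dropped. The script below is an added example, not code from the post or from FreeBSD; it builds a constructed ICMP type 3 / code 4 message (reusing the addresses and the 1308-byte ping size from the output above purely as sample values), decodes it, verifies the ICMP checksum, and derives the new path-MTU estimate both for a real next-hop MTU and for the MTU 0 case, so you can see what a conforming sender should have done with the message router2 emitted.

```python
"""Decode ICMP 'fragmentation needed and DF set' messages and derive a
path-MTU estimate, including the RFC 1191 fallback for a next-hop MTU of 0.

Added example; not code from the original post. Every packet below is
constructed in this file, so it runs offline."""
import struct

# RFC 1191 section 7.1 plateau table, descending. With no usable next-hop
# MTU, the sender picks the largest plateau strictly below the dropped size.
PLATEAUS = (65535, 32000, 17914, 8166, 4352, 2002, 1492, 1006, 508, 296, 68)

ICMP_DEST_UNREACH = 3
ICMP_FRAG_NEEDED = 4  # code under type 3


def inet_checksum(data: bytes) -> int:
    """One's-complement Internet checksum (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(total_len: int, src: str, dst: str, proto: int = 1, df: bool = True) -> bytes:
    """Minimal 20-byte IPv4 header, used to build the quoted inner header."""
    flags_frag = 0x4000 if df else 0
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, flags_frag, 64, proto, 0,
                      bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def build_frag_needed(next_hop_mtu: int, inner_ip_header: bytes, inner_first8: bytes) -> bytes:
    """ICMP type 3 / code 4 as a router sends it: type, code, checksum,
    unused, next-hop MTU (RFC 1191), then the dropped datagram's IP header
    plus its first 8 payload bytes (RFC 792)."""
    body = struct.pack("!BBHHH", ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, 0, 0, next_hop_mtu)
    body += inner_ip_header + inner_first8
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]


def parse_frag_needed(icmp: bytes) -> dict:
    """Decode a frag-needed message; ValueError if it is not one or is corrupt."""
    if len(icmp) < 28:
        raise ValueError("truncated ICMP message")
    if inet_checksum(icmp) != 0:
        raise ValueError("bad ICMP checksum")
    typ, code, _csum, _unused, next_hop_mtu = struct.unpack("!BBHHH", icmp[:8])
    if typ != ICMP_DEST_UNREACH or code != ICMP_FRAG_NEEDED:
        raise ValueError("not a fragmentation-needed message")
    inner = icmp[8:]
    inner_total_len = struct.unpack("!H", inner[2:4])[0]
    return {"next_hop_mtu": next_hop_mtu, "dropped_len": inner_total_len,
            "inner_ihl": (inner[0] & 0x0F) * 4}


def new_pmtu(msg: dict, current_pmtu: int) -> int:
    """Path-MTU estimate after the parsed message.

    A non-zero next-hop MTU is used directly (never raising the estimate).
    A zero next-hop MTU, which is what the router in the post reports,
    triggers the RFC 1191 plateau search so the sender actually shrinks
    its packets instead of resending the same size."""
    if msg["next_hop_mtu"] > 0:
        return max(68, min(msg["next_hop_mtu"], current_pmtu))
    # Bound the search by the dropped datagram's quoted length; if that
    # quote is implausible (larger than anything we could have sent), use
    # the current estimate so one bad quote cannot stall the search.
    bound = msg["dropped_len"] if 0 < msg["dropped_len"] <= current_pmtu else current_pmtu
    for plateau in PLATEAUS:
        if plateau < bound:
            return plateau
    return 68


# Constructed samples: the 1308-byte ping (20 IP + 8 ICMP + 1280 data) from
# the post, rejected once with next-hop MTU 0 and once with a proper 1280.
SAMPLE_INNER = ipv4_header(1308, "172.17.1.48", "10.0.0.79")
SAMPLE_ECHO8 = struct.pack("!BBHHH", 8, 0, 0, 0x1234, 0)  # echo request header
SAMPLE_MTU0 = build_frag_needed(0, SAMPLE_INNER, SAMPLE_ECHO8)
SAMPLE_MTU1280 = build_frag_needed(1280, SAMPLE_INNER, SAMPLE_ECHO8)

if __name__ == "__main__":
    for name, pkt in (("next-hop MTU 0", SAMPLE_MTU0), ("next-hop MTU 1280", SAMPLE_MTU1280)):
        m = parse_frag_needed(pkt)
        print(name, m, "-> new PMTU estimate", new_pmtu(m, 1500))
```

With the MTU 0 message the estimate drops from 1500 to 1006 (the first plateau below the 1308-byte datagram), which is smaller than the 1280-byte gif tunnel MTU but gets traffic flowing; with a correctly filled next-hop MTU the estimate goes straight to 1280. Comparing the two runs makes clear that the stall in the post is a sender-side failure to apply the fallback, not an inherent consequence of the router omitting the value.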