I've had problems setting up IPsec sessions using certificates.

Basically, the IKEv2 packets are large UDP packets and they are fragmented.

I believe that using ECDSA instead of RSA certificates reduces the size
of these packets, but ECDSA is not universally supported. I'd like to
understand whether Shorewall can and should support these fragmented UDP
flows.

I found a post from 3 December suggesting that IPv6 fragmentation is
troublesome without a recent kernel, so I'm just looking at IPv4 for now.

Looking at the problem with tcpdump, I typically see UDP packets sent
with 1644 bytes, slightly bigger than the MTU.

Are there any specific rules or shorewall.conf settings that need to be
added/tweaked to make this work?

This was initially discussed on strongSwan-users:
https://lists.strongswan.org/pipermail/users/2013-July/009434.html

------------------------------------------------------------------------------
This SF.net email is sponsored by Windows: Build for Windows Store.
http://p.sf.net/sfu/windows-dev2dev
On 07/05/2013 02:55 AM, Daniel Pocock wrote:
>
> I've had problems setting up IPsec sessions using certificates
>
> Basically, the IKEv2 packets are large UDP packets and they are fragmented
>
> I believe that using ECDSA instead of RSA certificates reduces the size
> of these packets, but ECDSA is not universally supported. I'd like to
> understand whether Shorewall can and should support these fragmented UDP
> flows.
>
> I found a post from 3 December suggesting that IPv6 fragmentation is
> troublesome without a recent kernel so I'm just looking at IPv4 for now.
>
> Looking at the problem with tcpdump, I typically see UDP packets sent
> with 1644 bytes, slightly bigger than the MTU.
>
> Are there any specific rules or shorewall.conf settings that need to be
> added/tweaked to make this work?
>

There is nothing in Shorewall having to do with over-sized UDP packets.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
On 05/07/13 17:08, Tom Eastep wrote:
> On 07/05/2013 02:55 AM, Daniel Pocock wrote:
>>
>> I've had problems setting up IPsec sessions using certificates
>>
>> Basically, the IKEv2 packets are large UDP packets and they are fragmented
>>
>> I believe that using ECDSA instead of RSA certificates reduces the size
>> of these packets, but ECDSA is not universally supported. I'd like to
>> understand whether Shorewall can and should support these fragmented UDP
>> flows.
>>
>> I found a post from 3 December suggesting that IPv6 fragmentation is
>> troublesome without a recent kernel so I'm just looking at IPv4 for now.
>>
>> Looking at the problem with tcpdump, I typically see UDP packets sent
>> with 1644 bytes, slightly bigger than the MTU.
>>
>> Are there any specific rules or shorewall.conf settings that need to be
>> added/tweaked to make this work?
>>
>
> There is nothing in Shorewall having to do with over-sized UDP packets.
>

The reply from strongSwan-users suggests that firewalls drop the second
fragment:
https://lists.strongswan.org/pipermail/users/2013-July/009434.html

This is your comment that I found about IPv6 UDP fragmentation with
netfilter:
http://sourceforge.net/mailarchive/forum.php?thread_name=f1856b2e7fe64ea9a38c645f0c7e9ea1%40davenport.net.nz&forum_name=shorewall-users

I realise these are not strictly Shorewall faults, but do additional rules
need to be created to tolerate these fragments? Or should just allowing a
particular UDP port be enough?

There is no NAT or masquerading involved on the Shorewall machine
(sometimes the VPN client is coming through NAT and the fragments could be
lost at that firewall too).
On Jul 5, 2013, at 11:51 AM, Daniel Pocock <daniel@pocock.com.au> wrote:

>
>
> On 05/07/13 17:08, Tom Eastep wrote:
>> On 07/05/2013 02:55 AM, Daniel Pocock wrote:
>>>
>>> I've had problems setting up IPsec sessions using certificates
>>>
>>> Basically, the IKEv2 packets are large UDP packets and they are fragmented
>>>
>>> I believe that using ECDSA instead of RSA certificates reduces the size
>>> of these packets, but ECDSA is not universally supported. I'd like to
>>> understand whether Shorewall can and should support these fragmented UDP
>>> flows.
>>>
>>> I found a post from 3 December suggesting that IPv6 fragmentation is
>>> troublesome without a recent kernel so I'm just looking at IPv4 for now.
>>>
>>> Looking at the problem with tcpdump, I typically see UDP packets sent
>>> with 1644 bytes, slightly bigger than the MTU.
>>>
>>> Are there any specific rules or shorewall.conf settings that need to be
>>> added/tweaked to make this work?
>>>
>>
>> There is nothing in Shorewall having to do with over-sized UDP packets.
>>
>
> The reply from strongSwan-users suggest that firewalls drop the second
> fragment:
> https://lists.strongswan.org/pipermail/users/2013-July/009434.html

When connection tracking is enabled in Netfilter, received fragments are
assembled into a single packet that is then passed through Netfilter. It
may need re-fragmenting when transmitted. This is necessary because
continuation fragments don't contain l3 headers and hence cannot be
associated with a connection.

>
> This is your comment that I found about IPv6 UDP fragmentation with
> netfilter:
> http://sourceforge.net/mailarchive/forum.php?thread_name=f1856b2e7fe64ea9a38c645f0c7e9ea1%40davenport.net.nz&forum_name=shorewall-users

You have looked at the outbound traffic from the firewall with tcpdump to
prove that the firewall is dropping these packets?
-Tom

Tom Eastep        \   Nothing is foolproof to a
Shoreline,         \  sufficiently talented fool
Washington, USA     \
http://shorewall.net \________________________________________________
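An added example, not part of the thread, that makes Tom's point concrete: a Python model of what happens to the 1644-byte IKE datagram Daniel sees. It fragments the datagram at a 1500-byte MTU, shows that only the first fragment carries the UDP ports a stateless port-matching rule could see, and reassembles the fragments the way netfilter's defragmentation does before connection tracking. The addresses, ports and zero checksums are constructed values, not taken from the thread.

```python
import struct

IHL = 20          # IPv4 header length without options
MTU = 1500        # link MTU assumed in the thread
UDP = 17

def ipv4_header(total_len, ident, more_frags, frag_off):
    # Header checksum left at zero: irrelevant to the fragmentation logic.
    flags_off = (more_frags << 13) | (frag_off // 8)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident, flags_off,
                       64, UDP, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))

def build_udp(payload, sport=500, dport=500):
    # IKE uses UDP/500 (UDP/4500 with NAT-T); UDP checksum omitted for brevity.
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

def fragment(ident, l4, mtu=MTU):
    """Split an L4 datagram into IPv4 fragments; offsets are multiples of 8."""
    step = (mtu - IHL) // 8 * 8
    frags, off = [], 0
    while off < len(l4):
        chunk = l4[off:off + step]
        mf = 1 if off + len(chunk) < len(l4) else 0
        frags.append(ipv4_header(IHL + len(chunk), ident, mf, off) + chunk)
        off += len(chunk)
    return frags

def parse(pkt):
    ver_ihl, _, tlen, ident, flags_off, _, proto = struct.unpack("!BBHHHBB", pkt[:10])
    ihl = (ver_ihl & 0x0F) * 4
    return {"id": ident, "mf": (flags_off >> 13) & 1,
            "off": (flags_off & 0x1FFF) * 8, "proto": proto, "data": pkt[ihl:tlen]}

def udp_ports(pkt):
    """What a stateless UDP port match sees: ports exist only at offset 0."""
    p = parse(pkt)
    if p["proto"] != UDP or p["off"] != 0:
        return None                      # continuation fragment: no UDP header
    return struct.unpack("!HH", p["data"][:4])

def reassemble(frags):
    """Defragment as netfilter does before conntrack sees the datagram."""
    parts = sorted((parse(f) for f in frags), key=lambda p: p["off"])
    buf = b""
    for p in parts:
        if p["off"] != len(buf):
            raise ValueError("gap or overlap at offset %d" % p["off"])
        buf += p["data"]
    if parts[-1]["mf"]:
        raise ValueError("final fragment missing; datagram cannot be delivered")
    return buf
```

Dropping the second fragment anywhere on the path leaves `reassemble` waiting forever, which is exactly the symptom of a middlebox that filters fragments on ports it cannot see.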