[FW1] IPsec fragmentation on DF packets
Hi,

I've discovered a strange problem with our Firewall-1 (SP4 + RDP + format strings hotfixes) and VPN. When handling large packets with the DF bit set, it fragments the ESP packet but only sends the first fragment. The other host cannot reassemble the packet and discards it after a timeout.

What could cause it not to send the second fragment, and why the h-ll does it fragment the packet in the first place? According to RFC 2401, section 6.1:

    "In cases where a system (host or gateway) adds an encapsulating header (ESP tunnel or AH tunnel), it MUST support the option of copying the DF bit from the original packet to the encapsulating header (and processing ICMP PMTU messages). This means that it MUST be possible to configure the system's treatment of the DF bit (set, clear, copy from encapsulated header) for each interface. (See Appendix B for rationale.)"

I've tried to alter fw_ipsec_dont_fragment, trying both 1 (true) and 0 (false); it still fragments the packet and only sends the first fragment.

Anybody got a clue?
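The behaviour the post asks about follows from the DF-bit policy in RFC 2401 section 6.1: with the DF bit set (or copied) on the outer header, a gateway whose ESP tunnel packet exceeds the link MTU must not fragment it, and should instead report the path MTU back to the sender; only with DF clear is IPv4 fragmentation allowed, and then every fragment has to arrive or the receiver's reassembly timer discards the whole packet. The following model is an added example written for this page, not Check Point code and not from the original poster; the ESP overhead sizes (8-byte IV, 12-byte ICV, 8-byte cipher block) are assumptions chosen for illustration, and the function names are hypothetical.

```python
"""Added example: RFC 2401 s6.1 DF-bit treatment by an ESP tunnel-mode gateway.

Models the three configurable DF policies (set / clear / copy), the
fragment-or-report decision, IPv4 fragment sizing, and the receiver-side
reassembly check that fails when a fragment never arrives.
"""
from dataclasses import dataclass
from enum import Enum
from typing import List, Tuple

class DfPolicy(Enum):
    SET = "set"      # always set DF on the outer header
    CLEAR = "clear"  # always clear DF on the outer header
    COPY = "copy"    # copy DF from the inner (encapsulated) header

IPV4_HEADER = 20
ESP_HEADER = 8        # SPI + sequence number
ESP_IV = 8            # IV length for a 64-bit block cipher (assumption)
ESP_TRAILER_MIN = 2   # pad length + next header fields
ESP_ICV = 12          # truncated HMAC authenticator (assumption)
CIPHER_BLOCK = 8      # padding granularity (assumption)

@dataclass
class Packet:
    total_length: int  # bytes, including the IP header
    df: bool           # Don't Fragment bit on the inner header

def esp_tunnel_length(inner_len: int) -> int:
    """Outer IPv4 length after ESP tunnel encapsulation, including padding."""
    payload = inner_len + ESP_TRAILER_MIN
    pad = (-payload) % CIPHER_BLOCK          # pad so (payload+trailer) fills blocks
    return IPV4_HEADER + ESP_HEADER + ESP_IV + payload + pad + ESP_ICV

def outer_df(inner: Packet, policy: DfPolicy) -> bool:
    """Apply the per-interface DF policy from RFC 2401 s6.1."""
    if policy is DfPolicy.SET:
        return True
    if policy is DfPolicy.CLEAR:
        return False
    return inner.df                          # COPY

def fragment_lengths(outer_len: int, mtu: int) -> List[int]:
    """IPv4 fragment sizes: each carries an IP header; offsets are 8-byte units."""
    payload = outer_len - IPV4_HEADER
    max_payload = (mtu - IPV4_HEADER) // 8 * 8
    frags = []
    while payload > 0:
        chunk = min(max_payload, payload)
        frags.append(IPV4_HEADER + chunk)
        payload -= chunk
    return frags

def gateway_action(inner: Packet, policy: DfPolicy,
                   link_mtu: int) -> Tuple[str, int, bool, List[int]]:
    """Decide what a conforming gateway does with one inner packet.

    Returns (action, outer_length, outer_df, wire_fragment_lengths).
    """
    outer_len = esp_tunnel_length(inner.total_length)
    df = outer_df(inner, policy)
    if outer_len <= link_mtu:
        return ("forward", outer_len, df, [outer_len])
    if df:
        # DF set on the outer header: do not fragment, report PMTU to the sender
        return ("icmp_frag_needed", outer_len, df, [])
    return ("fragment", outer_len, df, fragment_lengths(outer_len, link_mtu))

def reassembly_complete(received: List[int], outer_len: int) -> bool:
    """Receiver side: reassembly succeeds only if every fragment arrived."""
    got = sum(f - IPV4_HEADER for f in received)
    return got == outer_len - IPV4_HEADER

if __name__ == "__main__":
    big = Packet(total_length=1500, df=True)   # constructed sample packet
    for policy in DfPolicy:
        action, outer_len, df, frags = gateway_action(big, policy, link_mtu=1500)
        print(f"{policy.value:5s} -> {action:16s} outer={outer_len} df={df} frags={frags}")
    # The symptom from the post: only the first fragment is sent.
    _, outer_len, _, frags = gateway_action(big, DfPolicy.CLEAR, 1500)
    print("all fragments:", reassembly_complete(frags, outer_len))
    print("first only:  ", reassembly_complete(frags[:1], outer_len))
```

With the assumed overheads, a 1500-byte inner packet becomes a 1552-byte ESP packet. Under the `copy` or `set` policy the gateway must emit an ICMP "fragmentation needed" message rather than fragment, which is what lets the original sender lower its PMTU; under `clear` it may fragment into 1500 + 72 bytes, and the receiver can only reassemble if both pieces arrive. A gateway that fragments despite DF and then drops the second fragment matches neither branch, so the check worth running on the wire is whether an ICMP type 3 code 4 appears at all and, when fragments do appear, whether every fragment of a given IP ID reaches the peer.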