
RE: [FW1] Ipsec fragmentation on DF packets



The packet definitely exceeds the MTU of the ESP tunnel, however the
firewall should respond with an icmp code 3 type 4 (unreachable - need to
defrag but DF bit set) and tell the host to lower its mss. It does not,
it fragments the packet.
ESP fragmentation is controlled through fw_ipsec_dont_fragment; I have
tried that.

-----Original Message-----
From: Gibson, Brian [mailto:[email protected]] 
Sent: 25 September 2001 16:39
To: Frey Sigurjonsson; [email protected]
Subject: RE: [FW1] Ipsec fragmentation on DF packets


I would suspect that your problem is that you are exceeding the MTU of
the ESP tunnel, which I think is 24 bytes smaller than your normal IP MTU.
Packets cannot be fragmented on the ESP tunnel, although there is a
Checkpoint article on how to enable fragmentation over the ESP tunnels.


I am not sure why the first packet is sent through the tunnel, since
presumably all fragments should be dropped before entering the tunnel.



-----Original Message-----
From: Frey Sigurjonsson [mailto:[email protected]]
Sent: Monday, September 24, 2001 10:06 AM
To: [email protected]
Subject: [FW1] Ipsec fragmentation on DF packets



Hi,

I've discovered a strange problem with our Firewall-1 (SP4 + RDP +
format-strings hotfixes) and VPN. When handling large packets with the DF bit
set, it fragments the ESP packet but only sends the first fragment. The
other host cannot reassemble the packet and discards it after a timeout.
What could cause it not to send the second fragment, and why the h-ll
does it fragment the packet in the first place?

According to RFC 2401, section 6.1:
"In cases where a system (host or gateway) adds an encapsulating header
(ESP tunnel or AH tunnel), it MUST support the option of copying the DF
bit from the original packet to the encapsulating header (and processing
ICMP PMTU messages).  This means that it MUST be possible to configure
the system's treatment of the DF bit (set, clear, copy from encapsulated
header) for each interface.  (See Appendix B for rationale.)"

I've tried to alter fw_ipsec_dont_fragment, trying both 1 (true) and
0 (false); it still fragments the packet and only sends the first
fragment.

Anybody got a clue?






================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================
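The gateway behaviour Frey expects from RFC 2401 section 6.1, modelled as an added example (not code from the thread and not Check Point's implementation): ESP tunnel-mode overhead for an assumed 3DES-CBC / HMAC-SHA1-96 transform, the DF policy (set, clear, copy) applied to the outer header, and the decision between forwarding, answering with ICMP type 3 code 4 carrying the tunnel PMTU, or fragmenting the outer datagram. fw_ipsec_dont_fragment itself is not modelled.

```python
from dataclasses import dataclass

# Assumed ESP tunnel-mode overhead (bytes): outer IP header, ESP header
# (SPI + sequence), 3DES-CBC IV and block size, ESP trailer (pad length +
# next header) and a 96-bit HMAC-SHA1 ICV. Other transforms change these.
IP_HDR, ESP_HDR, ESP_IV, ESP_BLOCK, ESP_TRAILER, ESP_ICV = 20, 8, 8, 8, 2, 12
FIXED = IP_HDR + ESP_HDR + ESP_IV + ESP_ICV


def esp_tunnel_size(inner_len):
    """Size of the ESP datagram carrying an inner IP packet of inner_len bytes."""
    padded = -(-(inner_len + ESP_TRAILER) // ESP_BLOCK) * ESP_BLOCK  # round up
    return FIXED + padded


def tunnel_pmtu(link_mtu):
    """Largest inner packet that still fits in one ESP datagram on link_mtu."""
    room = link_mtu - FIXED
    padded = room - room % ESP_BLOCK  # round down to a whole cipher block
    return padded - ESP_TRAILER


@dataclass
class Verdict:
    action: str            # "forward", "icmp_frag_needed" or "fragment_outer"
    outer_len: int
    outer_df: bool
    next_hop_mtu: int = 0  # MTU advertised in the ICMP type 3 code 4 message


def handle(inner_len, inner_df, link_mtu, df_policy="copy"):
    """Decide what an RFC 2401 tunnel gateway does with one inner packet."""
    outer_len = esp_tunnel_size(inner_len)
    # Section 6.1: per-interface treatment of the outer DF bit.
    outer_df = {"set": True, "clear": False, "copy": inner_df}[df_policy]
    if outer_len <= link_mtu:
        return Verdict("forward", outer_len, outer_df)
    if inner_df:
        # Inner DF set: the gateway must not fragment; it reports the tunnel
        # PMTU so the sender lowers its MSS (the behaviour the thread expects).
        return Verdict("icmp_frag_needed", outer_len, outer_df,
                       next_hop_mtu=tunnel_pmtu(link_mtu))
    # Inner DF clear: fragmenting the encapsulated datagram is permitted.
    return Verdict("fragment_outer", outer_len, outer_df)


if __name__ == "__main__":
    v = handle(1500, True, 1500)  # constructed: full-size DF packet, 1500 MTU
    print(v.action, v.outer_len, v.next_hop_mtu)  # icmp_frag_needed 1552 1446
```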







