[vpn-help] Fragmentation issues with FreeBSD

Matthew Grooms mgrooms at shrew.net
Wed Aug 30 12:18:49 CDT 2006


lkv at defx.org wrote:
> 
> Pretty much, but the firewall is the vpn gateway, like so:
> CLIENT <-> INET <-> [tun0][vpn/pf][fxp0] <-> LAN
> 
> Yes I do have access to it and the client is not firewalled.
> 

I would like to see some packet captures so I can diagnose the problem. 
If you can narrow the problem down (for HTTP, to just a single URL) 
before enabling all the packet captures, that would be helpful. Assuming 
we are working with TCP traffic, can we please try the following ...

1) Upgrade the client to 1.1 pre-beta

http://www.shrew.net/vpn/vpn-client-1.1-beta-1.exe

2) Enable packet dump of public interface traffic
3) Enable packet dump of private interface traffic
4) Make sure you stop and restart ipsecd to enable (2) & (3)
5) Start two simultaneous packet captures using the following params ...

CLIENT <-> INET <-> (a)GATEWAY(b) <-> LAN

  a) tcpdump -i [ext] -s 1500 -w ext.cap src or dst [client address]
  b) tcpdump -i [int] -s 1500 -w int.cap src or dst [private address]

Where client address is your client's public IP address and private 
address is the private address of the host it is communicating with. 
Please don't add anything like "and esp" to (a) or "and tcp" to (b) or 
we will miss packet fragments.

6) Generate a traffic pattern that triggers the error condition

Then forward me ( off-list ) the dump-pub.cap, dump-prv.cap, 
dump-frg.cap from the client and ext.cap, int.cap from the gateway.

This should give me a good idea of what's going on.

Thanks,

-Matthew
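The reason behind the request to filter the gateway captures on addresses only, shown as an added example that is not part of the original post or of the Shrew Soft client: when IP fragments a TCP segment, only the first fragment carries the TCP header. libpcap compiles a port qualifier such as "tcp port 80" (the obvious way to narrow a capture to one URL) with an implicit test that the fragment offset is zero, so later fragments never match and silently vanish from the file. The code below constructs a small pcap in memory (placeholder addresses 10.0.0.5 on the LAN side and 192.0.2.10 for the client, constructed MAC addresses, a 2000-byte reply split into two fragments) and evaluates three capture filters over it with a tiny evaluator that mimics libpcap's handling of `host`, `tcp` and `tcp port N`. Standard library only.

```python
import socket
import struct

IP_FLAG_MF = 0x2000      # "more fragments" bit in the IPv4 flags/offset field
IP_OFFSET_MASK = 0x1FFF  # fragment offset, in 8-byte units
PROTO_TCP = 6
ETHERTYPE_IPV4 = b"\x08\x00"


def ipv4_checksum(hdr):
    total = sum((hdr[i] << 8) | hdr[i + 1] for i in range(0, len(hdr), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_packet(src, dst, proto, ident, frag_field, payload):
    """IPv4 header without options, plus payload; frag_field = flags | offset/8."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, frag_field,
                      64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def ether_frame(ip_packet):
    # Constructed (locally administered) MAC addresses; only the EtherType matters.
    return b"\x02\x00\x00\x00\x00\x01" + b"\x02\x00\x00\x00\x00\x02" + ETHERTYPE_IPV4 + ip_packet


def write_pcap(frames):
    """Classic libpcap file: 24-byte global header (link type 1 = Ethernet), then records."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for n, frame in enumerate(frames):
        out += struct.pack("<IIII", 1157000000 + n, 0, len(frame), len(frame)) + frame
    return out


def read_pcap(data):
    if struct.unpack("<I", data[:4])[0] != 0xA1B2C3D4:
        raise ValueError("not a little-endian pcap file")
    pos = 24
    while pos < len(data):
        incl_len = struct.unpack("<IIII", data[pos:pos + 16])[2]
        pos += 16
        yield data[pos:pos + incl_len]
        pos += incl_len


def parse_frame(frame):
    """Decode Ethernet/IPv4; TCP ports exist only in a first fragment (offset 0)."""
    if frame[12:14] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    _, _, _, ident, frag, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    offset = (frag & IP_OFFSET_MASK) * 8
    info = {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst), "proto": proto,
            "id": ident, "frag_offset": offset, "more_fragments": bool(frag & IP_FLAG_MF),
            "sport": None, "dport": None}
    if offset == 0 and proto == PROTO_TCP:
        info["sport"], info["dport"] = struct.unpack("!HH", ip[ihl:ihl + 4])
    return info


def bpf_matches(info, expr):
    """Evaluate 'and'-joined terms 'host A', 'tcp', 'tcp port N' the way libpcap
    compiles them: a port qualifier carries an implicit fragment-offset-is-zero test."""
    for term in expr.split(" and "):
        words = term.split()
        if words[0] == "host":                      # same as 'src or dst A'
            if words[1] not in (info["src"], info["dst"]):
                return False
        elif words == ["tcp"]:                      # IP protocol field: present in every fragment
            if info["proto"] != PROTO_TCP:
                return False
        elif words[:2] == ["tcp", "port"]:          # needs the TCP header: first fragment only
            if info["proto"] != PROTO_TCP or info["frag_offset"] != 0:
                return False
            if int(words[2]) not in (info["sport"], info["dport"]):
                return False
        else:
            raise ValueError("unsupported filter term: " + term)
    return True


def build_sample_capture():
    """Constructed traffic: a 2000-byte HTTP reply from the LAN host, split into two
    IP fragments to fit a 1500-byte MTU, followed by the client's ACK."""
    server, client = "10.0.0.5", "192.0.2.10"     # placeholder addresses
    tcp_hdr = struct.pack("!HHIIBBHHH", 80, 54321, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    segment = tcp_hdr + b"X" * 2000               # TCP checksum left 0: not the point here
    first, rest = segment[:1480], segment[1480:]  # 1480 is a multiple of 8
    ack = struct.pack("!HHIIBBHHH", 54321, 80, 1, 2021, 5 << 4, 0x10, 65535, 0, 0)
    return write_pcap([
        ether_frame(ipv4_packet(server, client, PROTO_TCP, 0x1234, IP_FLAG_MF | 0, first)),
        ether_frame(ipv4_packet(server, client, PROTO_TCP, 0x1234, 1480 // 8, rest)),
        ether_frame(ipv4_packet(client, server, PROTO_TCP, 0x0042, 0, ack)),
    ])


def apply_filter(pcap_bytes, expr):
    """(IP id, fragment offset) of every frame the capture filter would keep."""
    kept = []
    for frame in read_pcap(pcap_bytes):
        info = parse_frame(frame)
        if info is not None and bpf_matches(info, expr):
            kept.append((info["id"], info["frag_offset"]))
    return kept


if __name__ == "__main__":
    cap = build_sample_capture()
    for expr in ("host 192.0.2.10", "host 192.0.2.10 and tcp", "host 192.0.2.10 and tcp port 80"):
        print(f"{expr!r:40} keeps {apply_filter(cap, expr)}")
```

Running it shows the address-only filter keeping both fragments and the ACK. The bare `tcp` keyword also keeps both, since it only tests the protocol number that every IP header carries; the loss starts the moment a port qualifier is added: `tcp port 80` keeps the first fragment and the ACK but drops the second fragment, which has no TCP header to match. Anything (a firewall, a tunnel, a reassembly bug) that mishandles that second fragment is then invisible in the capture, which is why the address-only filters above are the safe choice.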
