[vpn-help] Updated package and problem reports

Matthew Grooms mgrooms at shrew.net
Thu Aug 17 16:49:05 CDT 2006 

Peter,

	It looks like we may be chasing several problems. I am trying different 
combinations of natt and fragmentation settings and I started with the 
simplest config and started adding options. I believe I have ran across 
what appears to be a kernel bug in netbsd. The problem revolves around 
NATT packets and normal IP fragmentation ( not esp_frag ). For the two 
cases I give below, all fragmentation options turned off in the client.

	If I connect to a NetBSD without using NATT, then esp packets that are 
larger than the MTU get fragmented in the normal IP fashion. When I 
connect using NATT, then the UDP:4500/ESP fragments are missing. I know 
I can enable esp_frag in the racoon config file to enable 
pre-fragmentation but the man page states ...

The result is ESP over UDP of fragmented packets *instead* of fragmented 
ESP over UDP packets (i.e., IP:UDP:ESP:frag(IP) instead of 
frag(IP:UDP:ESP:IP))

... But the normal IP fragmentation case of IP:UDP:ESP:IP should work as 
well. Its just a nice option to have for DSL users. I have included two 
packet dumps. Both are simple web page requests to www.blah.net with the 
first dump being with ESP and the second being UDP:4500/ESP. If you 
notice, the NATT packets are not being fragmented correctly ( more to 
follow is set but none follow ). Here are the commands I used with 
tcpdump ...

tcpdump -s 3000 -w frag.cap -e -i pcn1 esp
tcpdump -s 3000 -w frag.cap -e -i pcn1 udp and port 4500

Do you think you could independently verify what I am seeing? If so, 
maybe we can convince a NetBSD developer to look into the issue.

Thanks,

-Matthew
-------------- next part --------------
A non-text attachment was scrubbed...
Name: frag2.cap
Type: application/octet-stream
Size: 26762 bytes
Desc: not available
URL: <https://lists.shrew.net/pipermail/vpn-help/attachments/20060817/229ec480/attachment-0004.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: frag3.cap
Type: application/octet-stream
Size: 43426 bytes
Desc: not available
URL: <https://lists.shrew.net/pipermail/vpn-help/attachments/20060817/229ec480/attachment-0005.obj>

More information about the vpn-help mailing list