[vpn-help] Updated package and problem reports

Peter Eisch peter at boku.net
Thu Aug 17 23:16:47 CDT 2006


I could loosely agree, but I can't.

In my testing I'm not going through any third world network hardware, I'm
not transmitting packets over satellites or encapsulating any such oddities
in my testing.

I need to go back over your email from earlier, but I had to be social
tonight and that can be a chore for me.  Now with alcohol, I don't think I
could see through it all at the moment.

I think you're mixing up the use of the mssclamp arg.  Forcing the frags
would be of the ipsec traffic.  It is done to help ensure the encrypted
udp:[4]500 traffic can limp through bad udp forwarders.  The checksum
problem appears on unencrypted traffic.

When you add the frag'ing on the unencrypted traffic, you're only having the
tcp stack (in this case) reassemble the payload.  As it does that, the
checksums will be recalculated and the original [bad] checksum is discarded.
That will mask the problem.  I don't see frag'ing the unencrypted payload as
a good thing though.  I don't think remote ip stacks should accept packets
with incorrect checksums either.

Walking through a 522b scenario:
    1) app on client hands off a 3067b message to an established TCP
connection
    2) OS routes to client network driver
    3) vpn stack takes the first 480b of payload
        - generates a new packet
        - generates a new checksum
        - signs and encrypts the packet
        - routes the encapsulated packet
      + take the next 480b of payload and repeat
    4) ack the OS handoff
My thinking is that the "generates a new checksum" isn't working right.  The
receiving concentrator simply checks the hash, decrypts and then places the
encapsulated packet on the wire.  It is when we sniff these packets that the
checksum problem appears.

To my issue of running checksums and such, I'm still unable to capture in
logs the unencrypted payload that the OS is handing off to the interface.
Sniffing with any pcap client (ethereal/windump) only lets me see the
physical interface and its traffic.  I'd like to run literal checksum
checks of what is coming out the other end of the VPN and being put on the
wire.  Any ideas?

Thanks,

peter
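The "literal checksum checks" the post asks about can be done offline on any packet pulled from a capture on the decrypted side. The following is an added example, not code from the post or from the VPN product being discussed: it builds a small IPv4/TCP packet with correct header checksums, then verifies both the IP header checksum and the TCP checksum (computed over the pseudo-header plus the segment, per RFC 793/1071), and shows that a single corrupted payload byte is caught by the TCP check but not by the IP header check. The 10.0.0.1 / 10.0.0.2 addresses, ports and payload are constructed sample values.

```python
import struct

def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum (RFC 1071) with end-around carry."""
    if len(data) % 2:
        data += b"\x00"                      # pad odd-length input
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
    while total >> 16:                       # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return total

def checksum(data: bytes) -> int:
    """Internet checksum: one's complement of the one's-complement sum."""
    return (~ones_complement_sum(data)) & 0xFFFF

def parse_ipv4(packet: bytes) -> dict:
    """Pull the fields needed for checksum verification out of an IPv4 packet."""
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    return {
        "header": packet[:ihl],
        "proto": packet[9],
        "src": packet[12:16],
        "dst": packet[16:20],
        "payload": packet[ihl:total_len],
    }

def verify_ip_checksum(packet: bytes) -> bool:
    """A correct IP header sums to 0xFFFF when the checksum field is included."""
    return ones_complement_sum(parse_ipv4(packet)["header"]) == 0xFFFF

def verify_tcp_checksum(packet: bytes):
    """Return (ok, stored, expected) for the TCP segment inside an IPv4 packet.

    The segment must be complete (reassembled if it was fragmented): the TCP
    checksum covers the whole segment, so a single fragment cannot be checked.
    """
    ip = parse_ipv4(packet)
    if ip["proto"] != 6:
        raise ValueError("not a TCP packet")
    seg = ip["payload"]
    stored = struct.unpack("!H", seg[16:18])[0]
    pseudo = ip["src"] + ip["dst"] + struct.pack("!BBH", 0, 6, len(seg))
    zeroed = seg[:16] + b"\x00\x00" + seg[18:]   # checksum field treated as 0
    expected = checksum(pseudo + zeroed)
    return stored == expected, stored, expected

def build_ipv4_tcp(src: bytes, dst: bytes, sport: int, dport: int, payload: bytes) -> bytes:
    """Construct a minimal IPv4/TCP packet with correct checksums (sample data)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000, 2000,
                      5 << 4, 0x18, 65535, 0, 0) + payload      # PSH|ACK, csum 0
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234,
                         0, 64, 6, 0, src, dst)                  # TTL 64, proto TCP
    ip_hdr = ip_hdr[:10] + struct.pack("!H", checksum(ip_hdr)) + ip_hdr[12:]
    return ip_hdr + tcp

def flip_last_payload_byte(packet: bytes) -> bytes:
    """Simulate the corruption: one payload byte changed, headers left alone."""
    return packet[:-1] + bytes([packet[-1] ^ 0xFF])

# Constructed sample: a 480-byte payload like the fragments described in the post.
SAMPLE_SRC = bytes([10, 0, 0, 1])
SAMPLE_DST = bytes([10, 0, 0, 2])
SAMPLE_PACKET = build_ipv4_tcp(SAMPLE_SRC, SAMPLE_DST, 40000, 443, b"A" * 480)
CORRUPTED_PACKET = flip_last_payload_byte(SAMPLE_PACKET)

if __name__ == "__main__":
    for name, pkt in (("good", SAMPLE_PACKET), ("corrupted", CORRUPTED_PACKET)):
        ok, stored, expected = verify_tcp_checksum(pkt)
        print(f"{name}: ip_ok={verify_ip_checksum(pkt)} tcp_ok={ok} "
              f"stored=0x{stored:04x} expected=0x{expected:04x}")
```

To check real traffic, feed `verify_tcp_checksum` the IP packet bytes from a capture taken on the wire between the concentrator and the destination host (strip the Ethernet header first). Note that the IP header checksum says nothing about the payload; only the TCP checksum does, and it can only be verified on the complete segment, which is exactly why fragmenting the cleartext and letting the receiving stack reassemble hides a bad checksum rather than fixing it.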