[vpn-help] Windows 8 - Shrew to Juniper connection - SA (Kevin VPN)
Matthew Grooms
mgrooms at shrew.net
Wed May 22 20:40:56 CDT 2013
On 5/15/2013 9:17 PM, Kevin VPN wrote:
>
> Hi James,
>
> Shrew v2.2.0 supports many more options for negotiating hashes and
> transforms for Phase1 and Phase2 connections. Including all the options
> in one message makes it larger than the Maximum Transmission Unit
> supported by most networks (typically 1500 bytes), so the packet gets
> fragmented.
>
> Interestingly, we thought we fixed a problem with fragments just before
> the 2.2.0-release version. Is there a chance that you're still using a
> a beta/rc version of Shrew 2.2.0?
>
> To avoid the fragmentation problem (i.e. so you can turn block fragments
> back on), you can try two things:
>
> 1) Manually select the Phase1 and Phase2 options in the Shrew site
> configuration (instead of leaving them on auto). That should result in
> smaller packets.
>
> 2) If you're using the Shrew 2.2.0-release version, you can try to
> manually adjust (i.e. reduce) the MTU value for your network adapter
> until the fragments disappear.
> http://support.microsoft.com/kb/314053
>
>
> FYI, I'll be traveling for a while, so I won't be active on the list.
>
Kevin,
As always, thanks for your help and I hope you enjoy your travels :)
James,
If the packet being fragmented is an IKE packet ( during phase1/2
negotiation ), then changing the MTU setting on the virtual adapter
won't have any effect.
As Kevin mentioned, the 2.2.0 version has introduced support for SHA2
HMAC algorithms, which means using 'auto' will produce a larger number
of proposals, and as a result, create larger IKE packets which may be
transmitted as IP fragments. If the gateway is configured to drop
fragmented IP packets, then the phase1/2 settings should be tuned to
remove the use of 'auto'. The way Cisco, Microsoft, ipsec-tools and the
Shrew Soft VPN client works around this is by supporting an IKE
extension called 'IKE Fragmentation'. When in use, a full IKE PDU is
broken up into IKE PDU fragments which are sent individually. The
recipient re-assembles the IKE PDU fragments and processes the message.
Of course, both IKE peers need to support this extension for it to work
but I don't believe Juniper products support this.
Back to the adapter MTU setting: This is for client traffic being sent
from the client to the server after an IPsec SA has been negotiated. If
you take a 1500 byte packet, encrypt it, add headers and then wrap it in
another IP packet, the resulting packet will definitely be larger then
1500 bytes. If you lower the virtual adapter MTU enough, the OS will
naturally create smaller ( inner ) IP packets for client traffic. After
IPsec processing, the resulting packet be small enough to pass without
IP fragmentation.
Hope this helps,
-Matthew
More information about the vpn-help
mailing list