lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date:	Wed, 9 Jan 2013 10:01:54 +0100 (CET)
From:	"pupilla@...ero.it" <pupilla@...ero.it>
To:	netdev@...r.kernel.org
Subject: mtu issue with ipsec tunnel and netfilter snat

Hello everybody.
 
I'm experimenting a pretty strange
problem with an ipsec gateway source
natting packets running linux 3.6.9
on slackware 14 32bit
 
Here is the network schema.
 
customer private network 10.148.0.0/16
|
|
+ipsec customer gateway (checkpoint)
||
||---ipsec tunnel 10.148.0.0/16<->172.16.128.0/28 (des3/md5)
||   mtu=1446
||
++ linux_gw_snat ipsec gateway (SNAT all packets from 10.81.128.0/21 to 
172.16.128.1)
||
||---ipsec tunnel 10.148.0.0/16<->10.81.128.0/21 (aes/sha1/ipcomp)
||   mtu=1430
||
+linux_final ipsec gateway
|
|
client 10.81.128.176
 

Here is a tcpdump capture taken on
linux_gw_snat:

15:35:05.123634 IP (tos 0x40, ttl 56, id 41983, offset 0, flags [DF], proto 
TCP (6), length 1500)
    10.148.12.23.3229 > 172.16.128.1.4019: Flags [P.], cksum 0x961d (correct), 
seq 1619799544:1619801004, ack 2757141216, win 49640, length 1460
15:35:06.153638 IP (tos 0x40, ttl 56, id 41984, offset 0, flags [DF], proto 
TCP (6), length 1500)
    10.148.12.23.3229 > 172.16.128.1.2616: Flags [P.], cksum 0x837f (correct), 
seq 1603048284:1603049744, ack 1511439922, win 49640, length 1460
15:35:07.393657 IP (tos 0x40, ttl 56, id 41985, offset 0, flags [DF], proto 
TCP (6), length 1500)
    10.148.12.23.3229 > 172.16.128.1.4019: Flags [P.], cksum 0x961d (correct), 
seq 0:1460, ack 1, win 49640, length 1460
15:35:11.913425 IP (tos 0x40, ttl 56, id 41986, offset 0, flags [DF], proto 
TCP (6), length 1500)
    10.148.12.23.3229 > 172.16.128.1.4019: Flags [P.], cksum 0x961d (correct), 
seq 0:1460, ack 1, win 49640, length 1460
15:35:20.934013 IP (tos 0x40, ttl 56, id 23204, offset 0, flags [DF], proto 
TCP (6), length 1500)
    10.148.12.23.3229 > 172.16.128.1.4019: Flags [P.], cksum 0x961d (correct), 
seq 0:1460, ack 1, win 49640, length 1460
15:35:26.393357 IP (tos 0x40, ttl 56, id 23205, offset 0, flags [DF], proto 
TCP (6), length 1500)
    10.148.12.23.3229 > 172.16.128.1.4014: Flags [P.], cksum 0x24f2 (correct), 
seq 1570503240:1570504700, ack 585563091, win 49640, length 1460

As you can see there are incoming
1500 bytes packets (these are the
decrypted ipsec packets) with DF
bit set.
These packets are never delivered to
the final client 10.81.128.176 (the
destination address is 172.16.128.1
which is the ip used for SNATing
the original ip 10.81.128.176).

IMHO this is a mtu issue: 1500
bytes packets cannot be routed
inside the ipsec tunnel.

But why linux_gw_snat is not sending
icmp need to frag packets to 10.148.12.23?

Any response are welcome.

TIA
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ