I'm going to post this back to the list as Marko was also helping me get to the bottom of it... David Malone wrote: >On Tue, Apr 19, 2005 at 07:29:18AM +1000, Matthew Sullivan wrote: > > >>Any reason why FreeBSD 5.2.1+ and 5.3-p9 set DF on all packets? >> >> > >It is usual to do this to do path MTU discovery with TCP. I don't >know what the situation with the packets that the VPN sends is. > > > >>example with dominator [203.15.51.36] MTU at 1500, vpn server is at >>203.15.51.36 (all interfaces are MTU 1500 except gif0 which is 1280), >>other end of the VPN has interfaces at MTU 1500 which serices the >>10.200.254.0 network (wireless).... >> >>23:36:23.577880 203.15.51.36.24 > 10.200.254.98.33118: . 2315:3763(1448) >>ack 2537 win 33304 <nop,nop,timestamp 45880385 1548984> (DF) [tos 0x10] >>23:36:23.578406 203.15.51.61 > 203.15.51.36: icmp: 10.200.254.98 >>unreachable - need to frag (DF) >> >> > >It looks like 203.15.51.61 is asking the vpn server to fragment >some packet. I guess that the packet is a encrypted version of the >TCP packet above? I guess that means that either the vpn server >needs to not set the DF bit, or it needs to translate the ICMP >message into something that it can return to the TCP sender. How >to do that probably depends on how you configure the vpn stuff. The >gif man page says that the DF bit should not be set on the packets >that it generates. > > IP addresses involved are: 203.15.51.58 is the webserver (desperado.sorbs.net) 203.15.51.36 is the Old DB server (dominator.sorbs.net) 203.15.51.61 is the VPN terminator (stealth.sorbs.net) 10.200.254.2 is the other end of the VPN (oblivion.isux.com) 10.200.254.98 is my laptop running Slackware Linux, for the dump below I used wget to do a simple GET / FreeBSD oblivion.isux.com 5.3-RELEASE-p8 FreeBSD 5.3-RELEASE-p8 #4: Sun Apr 17 09:55:22 EST 2005 root_at_oblivion.isux.com:/usr/obj/usr/src/sys/OBLIVION i386 FreeBSD stealth.sorbs.net 5.3-RELEASE-p8 FreeBSD 5.3-RELEASE-p8 #1: Fri Apr 15 15:31:30 EST 2005 root_at_stealth.sorbs.net:/usr/obj/usr/src/sys/STEALTH i386 FreeBSD desperado.sorbs.net 5.3-RELEASE-p9 FreeBSD 5.3-RELEASE-p9 #3: Fri Apr 15 15:29:29 EST 2005 root_at_desperado.sorbs.net:/usr/obj/usr/src/sys/DESPERADO amd64 Network is like this (view with fixed font): 10.200.254.98 ^ | wireless net | | 10.200.254.2 192.168.1.2 -----> wired LAN ----- 138.130.dynamic | | ^ 192.168.1.0/24 default | | | \|/ VPN _______|_____|___ | INTERNET | _____________|___ | | /|\ VPN | | 203.101.254.30 <----------- ^ | | VPN | | 203.101.254.254 /|\ 203.15.51.33 | ^ VPN | | default | route VPN Server | 203.101.254.252 | 203.15.51.61 | | ^ -----203.15.51.32/27------------- | | | | | | | 203.15.51.58 203.15.51.36 | | | | | | | -->Route for 10.200.254.0/24----------- and 192.168.1.0/24 I hope that makes sense ;-) Basically the current default route is the old firewall, it is being replaced by the server that is also the VPN server. The VPN terminator (stealth.sorbs.net) is going to be a firewall, however it isn't a firewall yet, therefor the current rules are a simple: pass in from any to any pass out from any to any (ipf enabled, ipfw not compiled in, pf not enabled) Follows is a tcpdump from the VPN terminator: root_at_stealth:~# tcpdump -i dc0 -n host 203.15.51.58 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on dc0, link-type EN10MB (Ethernet), capture size 96 bytes 21:29:41.026070 arp who-has 203.15.51.58 tell 203.15.51.36 21:29:46.454576 IP 10.200.254.98.33080 > 203.15.51.58.80: SWE 2722075077:2722075077(0) win 5840 <mss 1460,sackOK,timestamp 1028974 0,nop,wscale 0> 21:29:46.454705 IP 203.15.51.58.80 > 10.200.254.98.33080: S 1200777202:1200777202(0) ack 2722075078 win 65535 <mss 1460,nop,wscale 1,nop,nop,timestamp 367292134 1028974,nop,nop,sackOK> 21:29:46.495554 IP 10.200.254.98.33080 > 203.15.51.58.80: . ack 1 win 5840 <nop,nop,timestamp 1028979 367292134> 21:29:50.721228 IP 10.200.254.98.33080 > 203.15.51.58.80: P 1:17(16) ack 1 win 5840 <nop,nop,timestamp 1029400 367292134> 21:29:50.820112 IP 203.15.51.58.80 > 10.200.254.98.33080: . ack 17 win 33304 <nop,nop,timestamp 367296606 1029400> 21:29:50.863489 IP 10.200.254.98.33080 > 203.15.51.58.80: P 17:21(4) ack 1 win 5840 <nop,nop,timestamp 1029416 367296606> 21:29:50.865526 IP 203.15.51.58.80 > 10.200.254.98.33080: . 1:1449(1448) ack 21 win 33304 <nop,nop,timestamp 367296652 1029416> 21:29:50.865538 IP 203.15.51.58.80 > 10.200.254.98.33080: P 1449:1880(431) ack 21 win 33304 <nop,nop,timestamp 367296652 1029416> 21:29:50.865547 IP 203.15.51.58.80 > 10.200.254.98.33080: F 1880:1880(0) ack 21 win 33304 <nop,nop,timestamp 367296652 1029416> 21:29:50.866097 IP 203.15.51.61 > 203.15.51.58: icmp 36: 10.200.254.98 unreachable - need to frag 21:29:50.929844 IP 10.200.254.98.33080 > 203.15.51.58.80: . ack 1 win 5840 <nop,nop,timestamp 1029420 367296606,nop,nop,sack sack 1 {1449:1880} > 21:29:50.935786 IP 10.200.254.98.33080 > 203.15.51.58.80: . ack 1 win 5840 <nop,nop,timestamp 1029420 367296606,nop,nop,sack sack 1 {1449:1881} > 21:29:57.175022 IP 203.15.51.58.80 > 10.200.254.98.33080: . 1:1449(1448) ack 21 win 33304 <nop,nop,timestamp 367303115 1029420> 21:29:57.175148 IP 203.15.51.61 > 203.15.51.58: icmp 36: 10.200.254.98 unreachable - need to frag 21:30:09.595314 IP 203.15.51.58.80 > 10.200.254.98.33080: . 1:1449(1448) ack 21 win 33304 <nop,nop,timestamp 367315837 1029420> 21:30:09.595498 IP 203.15.51.61 > 203.15.51.58: icmp 36: 10.200.254.98 unreachable - need to frag 21:30:17.561779 IP 203.15.51.58.80 > 10.200.254.98.33072: . 4283830444:4283831892(1448) ack 2167167726 win 33304 <nop,nop,timestamp 367323997 985979> 21:30:17.561907 IP 203.15.51.61 > 203.15.51.58: icmp 36: 10.200.254.98 unreachable - need to frag 21:30:24.545302 IP 10.200.254.98.33080 > 203.15.51.58.80: P 21:23(2) ack 1 win 5840 <nop,nop,timestamp 1032783 367296606,nop,nop,sack sack 1 {1449:1881} > 21:30:24.545430 IP 203.15.51.58.80 > 10.200.254.98.33080: R 1200777203:1200777203(0) win 0 21:30:37.307121 IP 203.15.51.58.80 > 10.200.254.98.33073: . 3057749166:3057750614(1448) ack 2221689087 win 33304 <nop,nop,timestamp 367344222 980032> 21:30:37.307248 IP 203.15.51.61 > 203.15.51.58: icmp 36: 10.200.254.98 unreachable - need to frag ^C 25 packets captured 201 packets received by filter 0 packets dropped by kernel If you need it the interfaces on stealth are configured as follows: fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500 options=8<VLAN_MTU> inet 203.101.254.252 netmask 0xffffff00 broadcast 203.101.254.255 inet6 fe80::290:27ff:fec2:4977%fxp0 prefixlen 64 scopeid 0x1 ether 00:90:27:c2:49:77 media: Ethernet autoselect (100baseTX <full-duplex>) status: active dc0: flags=108843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500 options=8<VLAN_MTU> inet 203.15.51.61 netmask 0xffffffe0 broadcast 203.15.51.63 inet6 fe80::2a0:cff:fec0:cc23%dc0 prefixlen 64 scopeid 0x2 ether 00:a0:0c:c0:cc:23 media: Ethernet autoselect (100baseTX <full-duplex>) status: active plip0: flags=108810<POINTOPOINT,SIMPLEX,MULTICAST> mtu 1500 lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384 inet 127.0.0.1 netmask 0xff000000 inet6 ::1 prefixlen 128 inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4 gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280 tunnel inet 203.101.254.252 --> 138.130.223.244 inet 203.15.51.61 --> 192.168.1.2 netmask 0xffffff00 inet6 fe80::290:27ff:fec2:4977%gif0 prefixlen 64 scopeid 0x5 IPv4 Routing table: Destination Gateway Flags Refs Use Netif Expire default 203.101.254.30 UGS 7 486813 fxp0 10.200.254/24 192.168.1.2 UGS 0 1239 gif0 127.0.0.1 127.0.0.1 UH 0 97 lo0 192.168.1 192.168.1.2 UGS 0 12666 gif0 192.168.1.2 203.15.51.61 UH 2 138 gif0 203.15.51.32/27 link#2 UC 0 0 dc0 203.15.51.33 00:00:e8:3d:c7:f2 UHLW 0 10887 dc0 1191 203.15.51.35 08:00:20:b2:58:e6 UHLW 0 6 dc0 802 203.15.51.36 00:0f:20:30:cd:f0 UHLW 0 14290 dc0 1064 203.15.51.38 02:00:06:e3:44:9a UHLW 0 48 dc0 690 203.15.51.41 02:00:06:e3:44:9a UHLW 0 48 dc0 154 203.15.51.42 02:00:06:e3:44:9a UHLW 0 12 dc0 692 203.15.51.51 08:00:20:b2:58:e6 UHLW 0 0 dc0 776 203.15.51.58 00:09:5b:09:de:2a UHLW 0 32 dc0 872 203.15.51.62 08:00:20:b2:58:e6 UHLW 0 216 dc0 137 203.101.254 link#1 UC 0 0 fxp0 203.101.254.30 00:d0:05:15:0c:0a UHLW 1 0 fxp0 1198 Sorry if it's too much info, if there is anything missing you need, just mail... Regards, -- Matthew Sullivan Specialist Systems Programmer Information Technology Services The University of Queensland
This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:38:32 UTC