Subject: Re: IPSEC-related fragmentation issue?
To: None <current-users@netbsd.org>
From: Arto Selonen <arto@selonen.org>
List: current-users
Date: 03/31/2004 17:31:31
Hi!

Continuing with this evolving trend of following up my own posts,
here is yet another update of the problem. I also failed to mention
that A (see below) is really yet another gateway, and some of the
connections were made from behind that one, and those are the ones that
fail totally. Connections from A merely have a starting delay.

On Wed, 31 Mar 2004, Arto Selonen wrote:

> > I have the following type of situation:
> >
> > 	A(ep0) <-->IPSEC--> (fxp0)GW(fxp1) <-->plain--> (fxp0)B

Or it can also be seen as:

  H <->plain<->(ex0)A(ep0) <->IPSEC<-> (fxp0)GW(fxp1) <->plain<-> (fxp0)B

When SSH connections (or other TCP sessions; haven't played with UDP etc yet)
are made from H to B, it fails as soon as B responds with any large
packet with DF. Eventually, GW sends it "icmp: ip reassembly time exceeded"
but that's it. These connections also worked flawlessly before the GW
upgrade.

Here is the full description of configured steps between H and B.
What I'd like to know is whether this setup was bound to stop working
once involved hosts started working properly, or whether something
broke in GW due to the OS upgrade, causing the previously working
setup to fail.

	H)	- internal host in home network (Windows in this case)
		- 192.168/16 address
		- using ex0@A as default gateway

	A)	- NetBSD-current from ~Dec04
		- ex0 connected to internal network with 192.168/16
		- ep0 connected to Internet with public addr
		- gif interface with:
		  tunnel inet H.e.p.0 --> G.W.X.0
		  inet 10.0.0.2 -> 10.0.0.1 netmask 0xfffffffc
		- static route: 10.0.0.1 as gateway to fxp1@GW
		- NAT rules for 192.168/16 on ep0
		  (should not be used for H->B since traffic should use
		  gif and then IPSEC?)
		- transport mode IPSEC for A/GW using ESP+AH

	GW)	- NetBSD-current upgraded from ~Feb25 to ~Mar29
		- public IP on both fxp:
		  fxp0 as G.W.X.0 and fxp1 as G.W.Y.1/24
		- gif interface with:
		  tunnel inet G.W.X.0 --> H.e.p.0
		  inet 10.0.0.1 -> 10.0.0.2 netmask 0xfffffffc
		- static route: 10.0.0.2 as gateway to ex0@A
		- NAT rules for 192.168/16 and 10/8 on fxp1
		- transport mode IPSEC for GW/A using ESP+AH

	B)	- NetBSD-current from ~Mar01
		- public IP on fxp0, in same network as fxp1@GW
		- using fxp1@GW as default gateway

And once more: H->B stops after B responds with largish packet
(with icmp: ip reassembly time exceeded), A->B works after ~10sec initial
delay (after icmp: host unreachable - need to frag). Before GW upgrade no
delays or problems observed. What needs to be fixed?


Artsi
-- 
#######======------  http://www.selonen.org/arto/  --------========########
Everstinkuja 5 B 35                               Don't mind doing it.
FIN-02600 Espoo        arto@selonen.org         Don't mind not doing it.
Finland              tel +358 50 560 4826     Don't know anything about it.
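The fragmentation arithmetic behind the two symptoms reported in the post (a "need to frag" ICMP on the A->B path, and a reassembly timeout on the H->B path), written up as an added illustration that is not part of the original message and not NetBSD's own code. It assumes 1500-byte links everywhere, ESP with 3DES-CBC (8-byte block and IV) plus HMAC-SHA1-96, AH with HMAC-SHA1-96, and IPv4 headers without options; the post states none of these, so the numbers are examples. The model covers the general rule rather than the specific breakage: gif plus transport-mode ESP+AH adds fixed overhead to every inner packet, so a DF packet that fits the link before encapsulation may not fit after it, and clearing DF on the outer header only helps if every fragment actually reaches the far end.

```python
"""Added example: inner/outer MTU budget for a gif tunnel protected by
transport-mode ESP+AH, and what a gateway must do with a DF packet.

Path modelled (from the post):  B --plain--> GW --gif+ESP+AH--> A --plain--> H
Assumed parameters (not stated in the post): 1500-byte links, 3DES-CBC ESP
with HMAC-SHA1-96, AH with HMAC-SHA1-96, IPv4 headers without options.
"""

LINK_MTU = 1500
IP_HDR = 20           # outer IPv4 header prepended by gif(4)
AH_LEN = 12 + 12      # fixed AH header + 96-bit ICV (assumed HMAC-SHA1-96)
ESP_HDR = 8 + 8       # SPI + sequence number + 8-byte IV (assumed 3DES-CBC)
ESP_BLOCK = 8         # cipher block size the plaintext is padded to
ESP_TRAILER = 2       # pad length + next header
ESP_ICV = 12          # 96-bit ESP authenticator


def esp_payload_len(plaintext_len):
    """Encrypted region of an ESP packet: plaintext + trailer, padded up to
    a multiple of the cipher block size."""
    n = plaintext_len + ESP_TRAILER
    return -(-n // ESP_BLOCK) * ESP_BLOCK


def outer_len(inner_len):
    """Size on the GW<->A wire of one tunnelled inner IP packet.

    gif adds an outer IPv4 header; transport-mode ESP+AH then protects the
    gif payload (the inner packet), so the outer header stays in the clear
    and the AH/ESP headers sit between it and the inner packet.
    """
    return IP_HDR + AH_LEN + ESP_HDR + esp_payload_len(inner_len) + ESP_ICV


def max_inner_len(link_mtu=LINK_MTU):
    """Largest inner packet whose encapsulated form still fits the link.
    This is the MTU a 'need to frag' ICMP from GW should advertise, and
    the value the sender's path-MTU discovery has to learn."""
    n = link_mtu
    while outer_len(n) > link_mtu:
        n -= 1
    return n


def forward_df_packet(inner_len, link_mtu=LINK_MTU):
    """Decision GW must take for a DF-marked inner packet that needs the
    tunnel: forward it, or reject it with ICMP 'need to frag' carrying the
    usable inner MTU.  Silently dropping it is the PMTU black hole."""
    if outer_len(inner_len) <= link_mtu:
        return ("forward", outer_len(inner_len))
    return ("icmp-need-frag", max_inner_len(link_mtu))


def fragment(total_len, link_mtu=LINK_MTU, hdr=IP_HDR):
    """Fragment sizes for an IPv4 datagram whose DF bit is clear: every
    non-final fragment carries a payload that is a multiple of 8 bytes."""
    payload = total_len - hdr
    per_frag = (link_mtu - hdr) // 8 * 8
    sizes = []
    while payload > per_frag:
        sizes.append(hdr + per_frag)
        payload -= per_frag
    sizes.append(hdr + payload)
    return sizes


def reassemble(fragment_sizes, lost=(), hdr=IP_HDR):
    """Receiver-side reassembly.  Returns the original datagram length when
    every fragment arrives; returns None when any fragment is missing, which
    is when the reassembly timer fires and the host emits ICMP
    'ip reassembly time exceeded' (type 11, code 1)."""
    if any(0 <= i < len(fragment_sizes) for i in lost):
        return None
    return hdr + sum(size - hdr for size in fragment_sizes)


if __name__ == "__main__":
    print("usable inner MTU:", max_inner_len())
    print("1500-byte DF packet from B:", forward_df_packet(1500))
    frags = fragment(outer_len(1500))
    print("outer fragments if DF is clear:", frags)
    print("all fragments arrive:", reassemble(frags))
    print("second fragment filtered:", reassemble(frags, lost=(1,)))
```

With these assumptions a full-size 1500-byte packet from B becomes a 1576-byte outer packet, so GW must either answer with "need to frag" advertising 1422 bytes or fragment the outer packet; in the second case the far end only completes reassembly if both fragments get through, which is worth checking against any packet filter on the path that does not pass non-initial fragments.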