 
 From:  "Jai Ketteridge" <jai at vtn dot net dot au>
 To:  "'Steve Thomas'" <sthomas at consultant dot com>, "'M0n0wall'" <m0n0wall at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall] IPSEC NAT-T VPN: Bad Packet Fragmentation Causing Headaches!
 Date:  Thu, 18 Jan 2007 00:15:30 +0900
I've set the ADSL modem down to as low as 580 bytes and also used ifconfig
fxp0 mtu 580 on exec.php to lower the MTU of the WAN port on the mono, but to
no avail as well.
 
Can anyone tell me what the (frag 1084:60@1480) means? This is what I get
a lot of as soon as I try to remote desktop or fileshare.

2007-01-17 23:52:32 Local0.Warning firewall-au Jan 17 22:56:42 ipmon[109]:
22:56:41.930417 ng0 @200:4 b xxxx -> xxxx PR udp len 20 (80) (frag
1084:60@1480) IN bad
2007-01-17 23:52:32 Local0.Warning firewall-au Jan 17 22:56:42 ipmon[109]:
22:56:41.965147 ng0 @200:4 b xxxx -> xxxx PR udp len 20 (80) (frag
1086:60@1480) IN bad
2007-01-17 23:52:32 Local0.Warning firewall-au Jan 17 22:56:42 ipmon[109]:
22:56:42.002344 ng0 @200:4 b xxxx -> xxxx PR udp len 20 (80) (frag
1088:60@1480) IN bad
2007-01-17 23:52:32 Local0.Warning firewall-au Jan 17 22:56:42 ipmon[109]:
22:56:42.222107 ng0 @200:4 b xxxx -> xxxx PR udp len 20 (80) (frag
1092:60@1480) IN bad
2007-01-17 23:52:32 Local0.Warning firewall-au Jan 17 22:56:42 ipmon[109]:
22:56:42.250937 ng0 @200:4 b xxxx -> xxxx PR udp len 20 (80) (frag
1093:60@1480) K-S K-F IN bad
2007-01-17 23:52:33 Local0.Warning firewall-au Jan 17 22:56:43 ipmon[109]:
22:56:42.878258 ng0 @200:4 b xxxx -> xxxx PR udp len 20 (80) (frag
1098:60@1480) IN bad
2007-01-17 23:52:34 Local0.Warning firewall-au Jan 17 22:56:44 ipmon[109]:
22:56:44.287497 ng0 @200:4 b xxxx -> xxxx PR udp len 20 (80) (frag
1111:60@1480) IN bad
2007-01-17 23:52:37 Local0.Warning firewall-au Jan 17 22:56:47 ipmon[109]:
22:56:47.105056 ng0 @200:4 b xxxx -> xxxx PR udp len 20 (80) (frag
1115:60@1480) IN bad
2007-01-17 23:52:42 Local0.Warning firewall-au Jan 17 22:56:52 ipmon[109]:
22:56:52.737496 ng0 @200:4 b xxxx -> xxxx PR udp len 20 (80) (frag
1117:60@1480) IN bad
2007-01-17 23:52:54 Local0.Warning firewall-au Jan 17 22:57:04 ipmon[109]:
22:57:03.902061 ng0 @200:4 b xxxx -> xxxx PR udp len 20 (80) (frag
1123:60@1480) IN bad
 
One thing to note is that the firewall logs are coming from the machine that
is originating the RDP connection to another PC on the other LAN segment.
This same firewall also has successful VPN links to my house which pass
over 1 GB of Windows traffic a day without issue, and it is fast to look up
Windows shares etc.
 
Perhaps this "good" side needs MTU adjustment instead? 


Thanks
Jai

  _____  

From: Steve Thomas [mailto:sthomas at consultant dot com] 
Sent: Wednesday, 17 January 2007 5:27 PM
To: Jai Ketteridge; M0n0wall
Subject: Re: [m0n0wall] IPSEC NAT-T VPN: Bad Packet Fragmentation Causing
Headaches!


>>Or could this be an MTU issue?

That's the first thing I thought of.
I'd try a very low MTU and see if the traffic passes ok.



----- Original Message -----
From: "Jai Ketteridge" 
To: "M0n0wall" 
Subject: [m0n0wall] IPSEC NAT-T VPN: Bad Packet Fragmentation Causing
Headaches!
Date: Wed, 17 Jan 2007 12:05:40 +0900


Hi Everyone

I currently have an IPSEC site-to-site VPN set up between two 1.3b2 m0n0s and
it connects OK using NAT-T UDP 4500, and I can ping each side of the VPN
and client PCs on either side. My problem comes when I want to remote
desktop or do Windows file sharing and that sort of thing (or in fact PPTP
from inside one LAN to connect to the FQDN of the VPN server on the other
end): I notice a lot of fragmentation. I'm not too much of a guru on
ipfilter, but here is a screenshot of my syslog from one side.
http://www.vtn.net.au/private/mono/firewall-log.jpg

My Network layout is like this
Singapore:
Dlink DSL604T IPOA Static IP and LAN 192.168.1.1 - "DMZ" Feature Set on
Modem to direct ALL traffic to 192.168.1.254 -> Mono's WAN 192.168.1.254 ,
Mono's LAN 10.1.0.1

Perth:
Linksys ADSL Modem in Bridge Mode, Monowall handling PPPOE - Mono's WAN is
ISP IP Address, Mono LAN 10.0.0.1

To try and combat this I have enabled IPSEC packet fragmentation on both
sides and made firewall rules at both ends for all UDP traffic to be allowed
fragmented. Basically this happens a lot and makes the link almost useless. I
cannot figure out what else to do, except that perhaps the DLink is causing
these issues. I don't think I can run non-NAT-T because NAT is enabled on the
DLINK to allow the DMZ to work.

Another option I have in the DLink is to run a virtual server and forward
ESP, GRE, UDP 500 and UDP 4500 to the IP of the mono; however, I haven't
managed to get that to work correctly yet. (Would NAT still need to be
enabled for that?) Or could this be an MTU issue?

I'm willing to let someone take a look at all my configs as it's really doing
my head in!

Thanks!
JK
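Added example, not part of the mailing-list posts above and not m0n0wall or IPFilter code: a small decoder for the ipmon log lines quoted in the thread, answering the "(frag 1084:60@1480)" question by parsing the field rather than reading it by hand. In ipmon's output the fragment field is `(frag ID:LEN@OFF)`, where ID is the IP identification of the original datagram, LEN the number of payload bytes carried by this fragment, OFF the byte offset of that payload within the original datagram, and a trailing `+` marks More Fragments (absent here, so each logged packet is the final fragment). `len 20 (80)` is the IP header length and the on-wire length of this packet, so 80 - 20 = 60 matches LEN. `IN` means the fragment arrived on ng0 already fragmented, and `bad` is IPFilter's flag for a packet it considers malformed. The sample lines are constructed in the same layout as the quoted ones, with the masked addresses replaced by RFC 5737 documentation addresses. The helper `inner_mtu_to_avoid_fragmentation` is a hypothetical check, not an IPFilter feature: it assumes the 1560-byte reassembled datagram was a 1500-byte inner packet plus encapsulation overhead, which the log alone cannot prove.

```python
"""Decode fragment fields in ipmon (IPFilter) log lines.

Layout handled (as printed by ipmon):
  time iface @group:rule action src -> dst PR proto len IHL (TOTAL) [(frag ID:LEN@OFF[+])] [flags] IN|OUT [bad]
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample; addresses are RFC 5737 documentation ranges, not the thread's.
SAMPLE_LOG = """\
22:56:41.930417 ng0 @200:4 b 203.0.113.10 -> 198.51.100.20 PR udp len 20 (80) (frag 1084:60@1480) IN bad
22:56:41.965147 ng0 @200:4 b 203.0.113.10 -> 198.51.100.20 PR udp len 20 (80) (frag 1086:60@1480) IN bad
22:56:42.250937 ng0 @200:4 b 203.0.113.10 -> 198.51.100.20 PR udp len 20 (80) (frag 1093:60@1480) K-S K-F IN bad
22:56:41.930000 ng0 @200:4 p 203.0.113.10,4500 -> 198.51.100.20,4500 PR udp len 20 (1500) (frag 1084:1480@0+) IN
22:57:10.123456 ng0 @200:4 p 203.0.113.10,4500 -> 198.51.100.20,4500 PR udp len 20 (148) IN
"""

LINE_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d\.\d+)\s+(?P<iface>\S+)\s+"
    r"@(?P<group>\d+):(?P<rule>\d+)\s+(?P<action>[A-Za-z])\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+PR\s+(?P<proto>\S+)\s+"
    r"len\s+(?P<ihl>\d+)\s+\((?P<total>\d+)\)"
    r"(?:\s+\(frag\s+(?P<fid>\d+):(?P<flen>\d+)@(?P<foff>\d+)(?P<mf>\+?)\))?"
    r"(?P<rest>(?:\s+\S+)*)\s*$"
)


@dataclass
class IpmonRecord:
    time: str
    iface: str
    action: str                      # 'b' blocked, 'p' passed
    src: str
    dst: str
    proto: str
    ihl: int                         # IP header length of this packet
    total: int                       # on-wire length of this packet
    frag_id: Optional[int] = None    # IP identification of the original datagram
    frag_len: Optional[int] = None   # payload bytes carried by this fragment
    frag_off: Optional[int] = None   # byte offset of that payload in the original
    more_fragments: bool = False     # trailing '+' in the frag field
    direction: str = ""
    flags: List[str] = field(default_factory=list)   # e.g. K-S, K-F
    bad: bool = False

    @property
    def is_fragment(self) -> bool:
        return self.frag_id is not None

    @property
    def is_last_fragment(self) -> bool:
        return self.is_fragment and not self.more_fragments

    def original_datagram_length(self) -> Optional[int]:
        """Size of the datagram this came from; only the last fragment reveals it."""
        if not self.is_last_fragment:
            return None
        return self.ihl + self.frag_off + self.frag_len


def parse_ipmon(line: str) -> Optional[IpmonRecord]:
    """Parse one ipmon line; None if it does not match the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = IpmonRecord(time=m["time"], iface=m["iface"], action=m["action"],
                      src=m["src"], dst=m["dst"], proto=m["proto"],
                      ihl=int(m["ihl"]), total=int(m["total"]))
    if m["fid"] is not None:
        rec.frag_id, rec.frag_len, rec.frag_off = int(m["fid"]), int(m["flen"]), int(m["foff"])
        rec.more_fragments = m["mf"] == "+"
        if rec.total - rec.ihl != rec.frag_len:      # LEN must equal TOTAL minus IHL
            raise ValueError(f"inconsistent lengths in: {line}")
    for tok in m["rest"].split():
        if tok in ("IN", "OUT"):
            rec.direction = tok
        elif tok == "bad":
            rec.bad = True
        else:
            rec.flags.append(tok)
    return rec


def summarize(log: str) -> Dict[str, object]:
    """Group fragments by IP ID and report what the log implies about datagram sizes."""
    records = [r for r in map(parse_ipmon, log.splitlines()) if r is not None]
    by_id: Dict[int, List[IpmonRecord]] = defaultdict(list)
    for r in records:
        if r.is_fragment:
            by_id[r.frag_id].append(r)
    sizes = {fid: r.original_datagram_length()
             for fid, recs in by_id.items() for r in recs if r.is_last_fragment}
    return {
        "parsed": len(records),
        "fragments": sum(r.is_fragment for r in records),
        "blocked_bad_fragments": sum(r.is_fragment and r.action == "b" and r.bad for r in records),
        "inbound_fragments": sum(r.is_fragment and r.direction == "IN" for r in records),
        "datagram_sizes": sizes,
    }


def inner_mtu_to_avoid_fragmentation(outer_len: int, link_mtu: int = 1500, inner_len: int = 1500) -> int:
    """Hypothetical check: if outer_len came from encapsulating an inner_len-byte packet,
    the overhead is outer_len - inner_len, and inner packets must stay at or below
    link_mtu minus that overhead for the outer packet to fit without fragmentation."""
    return link_mtu - (outer_len - inner_len)


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
    print("inner MTU needed:", inner_mtu_to_avoid_fragmentation(1560))
```

On the quoted lines every fragment sits at offset 1480 with 60 bytes of data and no `+`, so each is the tail of a 20 + 1480 + 60 = 1560-byte datagram: the first 1500 bytes went out in a separate first fragment and only the 60-byte remainder is being logged and blocked. Because the logged direction is IN, the fragmentation happened at the sending end (or somewhere in between), which is why the helper reasons about the inner packet size rather than the receiving interface's MTU.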