Notes Come in Handy -> Dropped SSH Connections Over IPSEC
Published by Albert on March 5, 2008 in Docunext, VPN and pfsense.
I just got FIOS at my office and I’m trying to debug a problem with a VPN I’ve set up between my office and my home.
http://www.docunext.com/blog/2007/06/17/soekris-net4501-m0n0wall-error/
“It is happening again.” (Fast forward to 4:33)
Darn it. I need to get to the bottom of this before it drives me crazy. Here’s a recap of what happens: I log in to a shell through an IPSEC connection, type dmesg, and the connection dies. If I connect to another machine over IPSEC, then from there connect through another IPSEC tunnel to the same machine as in the first try, type dmesg, it works fine.
Clear DF Bit
I’m trying to set the “clear DF bit instead of dropping it” option in pfSense’s advanced settings.
Workaround for operating systems that generate fragmented packets with the don’t fragment (DF) bit set. Linux NFS is known to do this. This will cause the filter to not drop such packets but instead clear the don’t fragment bit. The filter will also randomize the IP identification field of outgoing packets with this option on, to compensate for operating systems that set the DF bit but set a zero IP identification header field.
The link I provided at first describes my attempts to fix this under m0n0wall, where I believe the problem was caused by my allowing fragmented IPSEC packets. That option isn’t available in pfSense, so I’m trying some new techniques. Nope, that didn’t work.
sysctl?
I tried this:
sysctl -a | grep ipsec
to see if that would shed some light on the matter, but it didn’t reveal much:
$ sysctl -a | grep ipsec
ipsecpolicy 64 16K - 5578 256
ipsecrequest 4 1K - 20 128
ipsec-misc 24 1K - 132 32
ipsec-saq 0 0K - 6 128
ipsec-reg 3 1K - 6 16
net.inet.ipsec.def_policy: 1
net.inet.ipsec.esp_trans_deflev: 1
net.inet.ipsec.esp_net_deflev: 1
net.inet.ipsec.ah_trans_deflev: 1
net.inet.ipsec.ah_net_deflev: 1
net.inet.ipsec.ah_cleartos: 1
net.inet.ipsec.ah_offsetmask: 0
net.inet.ipsec.dfbit: 0
net.inet.ipsec.ecn: 0
net.inet.ipsec.debug: 0
net.inet.ipsec.esp_randpad: -1
net.inet.ipsec.crypto_support: 0
net.inet6.ipsec6.def_policy: 1
net.inet6.ipsec6.esp_trans_deflev: 1
net.inet6.ipsec6.esp_net_deflev: 1
net.inet6.ipsec6.ah_trans_deflev: 1
net.inet6.ipsec6.ah_net_deflev: 1
net.inet6.ipsec6.ecn: 0
net.inet6.ipsec6.debug: 0
net.inet6.ipsec6.esp_randpad: -1
Both machines have the same settings. Hmmm.
Aha! I just remembered I had some wacky TCP settings on the machine I was connecting to. I just commented them out of the sysctl.conf file; maybe that will fix it? Rebooting now…
#net.ipv4.tcp_fin_timeout = 30
#net.ipv4.tcp_timestamps = 0
#net.ipv4.tcp_keepalive_time = 1800
#net.ipv4.tcp_max_tw_buckets = 1440000
#net.ipv4.tcp_max_syn_backlog = 1024
#net.ipv4.tcp_syncookies = 1
#net.core.rmem_max = 16777216
#net.core.wmem_max = 16777216
#net.ipv4.tcp_mem = 4096 65536 16777216
#net.ipv4.tcp_rmem = 4096 87380 16777216
#net.ipv4.tcp_wmem = 4096 65536 16777216
#net.ipv4.tcp_no_metrics_save = 1
Nope, still happens.
Maximum Transmission Unit (MTU)
I just found this document about FreeSWAN, fragmented packets, and MTU, and I was reminded of the advice shared by Chris B. and the pfSense / m0n0wall folks when I first ran into this problem. They recommended reducing the MTU, so I just tried doing that now, and it worked! In fact, for whatever reason, by setting it to 1500 on both firewalls the problem has gone away. Cool. Actually, no, I have to take that back: after changing to 1500 and re-logging in, the problem persisted. However, I just found this on Verizon’s network:
MTU (Maximum Transmission Units) - The MTU defines the largest single unit of data that can be transmitted over your connection. The FiOS network requires an MTU of 1492 bytes.
So, in a nutshell, I believe that the 1492 MTU minus the IPSEC headers equals the MTU I need to set on the WAN device connected to FIOS. I don’t know how large those headers are, and I believe they vary with the encryption type and IPSEC configuration, so I’m going to go with 1400 as a safe bet.
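As an added illustration (not code from the original post), here is a Python calculation of the ESP tunnel-mode overhead for a few common cipher and integrity combinations. The suites listed are assumptions about what a tunnel might negotiate, not this VPN’s actual settings; the header, IV and ICV sizes are the standard ESP/IPv4 values. It shows why the overhead is not a fixed number of header bytes (ESP pads the encrypted part to the cipher block size), derives the largest inner packet that fits a 1492-byte link, the matching TCP MSS, and the payload size for a don’t-fragment ping probe to check the path.

```python
# Added example: size budget for packets inside an ESP tunnel over a
# 1492-byte link.  Cipher suites below are assumptions, not the post's config.

OUTER_IPV4_HEADER = 20   # new outer IP header added by tunnel mode
ESP_HEADER = 8           # SPI (4 bytes) + sequence number (4 bytes)
ESP_TRAILER_FIXED = 2    # pad-length byte + next-header byte
NAT_T_UDP_HEADER = 8     # extra UDP header when NAT traversal is used
IPV4_TCP_HEADERS = 40    # inner IPv4 header (20) + TCP header (20, no options)
IPV4_ICMP_HEADERS = 28   # IPv4 header (20) + ICMP echo header (8)

# IV length and cipher block size (padding is rounded up to the block size)
CIPHERS = {
    "aes-cbc": {"iv": 16, "block": 16},
    "3des-cbc": {"iv": 8, "block": 8},
}
# Truncated integrity check value (ICV) lengths
INTEGRITY = {
    "hmac-sha1-96": 12,
    "hmac-md5-96": 12,
    "hmac-sha256-128": 16,
}


def esp_overhead(inner_len, cipher="aes-cbc", integ="hmac-sha1-96", nat_t=False):
    """Bytes that ESP tunnel mode adds to an inner IP packet of inner_len bytes.

    The padding depends on inner_len, so the overhead is not constant: the
    encrypted region (inner packet + 2-byte trailer) must be a whole number
    of cipher blocks.
    """
    c = CIPHERS[cipher]
    padding = (-(inner_len + ESP_TRAILER_FIXED)) % c["block"]
    overhead = (OUTER_IPV4_HEADER + ESP_HEADER + c["iv"]
                + padding + ESP_TRAILER_FIXED + INTEGRITY[integ])
    if nat_t:
        overhead += NAT_T_UDP_HEADER
    return overhead


def max_inner_mtu(link_mtu, cipher="aes-cbc", integ="hmac-sha1-96", nat_t=False):
    """Largest inner packet that still fits in link_mtu after ESP encapsulation.

    Searching downward from link_mtu handles the padding step correctly; a
    plain subtraction is wrong for sizes that need extra pad bytes.
    """
    for inner in range(link_mtu, 0, -1):
        if inner + esp_overhead(inner, cipher, integ, nat_t) <= link_mtu:
            return inner
    raise ValueError("link MTU too small for any ESP packet")


def tcp_mss(inner_mtu):
    """TCP MSS to advertise (or clamp to) so segments fit the inner MTU."""
    return inner_mtu - IPV4_TCP_HEADERS


def ping_probe_payload(mtu):
    """ICMP payload size that produces an echo packet of exactly mtu bytes.

    Use it with a don't-fragment ping (ping -D on FreeBSD/pfSense,
    ping -M do on Linux): if a probe of this size fails but a smaller one
    succeeds, the path cannot carry mtu-byte packets unfragmented.
    """
    return mtu - IPV4_ICMP_HEADERS


def report(link_mtu=1492):
    """Rows of (cipher, integrity, inner MTU, TCP MSS) for the suites above."""
    rows = []
    for cipher in CIPHERS:
        for integ in INTEGRITY:
            inner = max_inner_mtu(link_mtu, cipher, integ)
            rows.append((cipher, integ, inner, tcp_mss(inner)))
    return rows


if __name__ == "__main__":
    link = 1492
    print(f"DF-bit ping payload to test a {link}-byte path: -s {ping_probe_payload(link)}")
    for cipher, integ, inner, mss in report(link):
        print(f"{cipher:9s} {integ:16s} inner MTU {inner}  TCP MSS {mss}")
```

For every suite listed the inner MTU comes out above 1400, so the post’s choice of 1400 leaves margin even with NAT traversal’s extra UDP header. The probe size explains the symptom pattern too: small interactive packets always fit, so a session looks healthy until a command such as dmesg produces a screenful of output and the stack sends full-size segments with DF set, which the tunnel cannot carry and which die silently when the ICMP “fragmentation needed” reply never gets back.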
1 Response to “Notes Come in Handy -> Dropped SSH Connections Over IPSEC”
Albert
Mar 26th, 2008 at 3:43 pm
This also happened when I had PF Scrubbing disabled.