1- to -1 NAT and IPsec Tunnels

Ronald Ng rng at NETSCREEN.COM
Mon Dec 13 14:38:36 EST 1999


I stand corrected.  I think the reason I've been seeing this is due to
the application end of things.  Thanks.

Steve Goldhaber wrote:
>
> On Sun, 12 Dec 1999, Ronald Ng wrote:
>
> > Date: Sun, 12 Dec 1999 21:22:44 -0800
> > From: Ronald Ng <rng at NETSCREEN.COM>
> > To: VPN at SECURITYFOCUS.COM
> > Subject: Re: 1- to -1 NAT and IPsec Tunnels
> >
> > All IPSec packets should be fragmented, I would think.  There is not enough
> > room in the packet for it not to be fragmented.  The firewall just needs to
> > make sure it doesn't do a tear drop, which is the overlap condition you
> > described.
>
> First, only large packets are ever subject to fragmentation. For large
> packets, there are a couple of different scenarios:
>
> 1) The packet is sent to the IPSec system (internal stack or IPSec
> gateway) without the DF-bit set. In this case, the IPSec system can
> fragment the packet and protect each fragment. For IPSec transport mode
> (typical in host-to-host IPSec connections), this results in two IP
> fragments which need to get through whatever fragment filters you have.
> For tunnel mode (required for host-to-gateway or gateway-to-gateway
> connections), the resulting two packets are *not* IP fragments, but
> regular IPSec IP packets.
>
> 2) If the packet gets to the IPSec system with the DF-bit set (e.g., most
> FTP servers), the IPSec system is supposed to send an ICMP error message
> back to the originating server. A well-behaved server will then resend the
> data in smaller packets which do not need fragmentation. At this point,
> each data packet gets sent in one IPSec packet with no fragmentation going
> on at all.
>
> So the upshot is that it is usually possible to avoid fragmentation
> problems. If some things work while others seem to have problems, check
> the servers for the applications that don't work, they may need updating.
> For a while, there were many web servers which didn't handle the "lower
> your MTU" ICMP messages described in item 2 above. Updated server code
> should fix most of your problems. You may also need to fiddle a bit with
> the settings on your IPSec boxes to make sure they handle things
> correctly.
>
> Steve Goldhaber                 goldy at compatible.com
> Compatible Systems Corp.        (303) 444-9532         www.compatible.com
>
> VPN is sponsored by SecurityFocus.COM

--
Ronald Ng
rng at netscreen.com
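The two scenarios Steve describes (pre-fragmenting when DF is clear, versus answering with a "fragmentation needed" ICMP when DF is set) as a small model, added here as an illustration and not code from either poster or from any vendor's product; the ESP overhead figures are constructed assumptions, since real values depend on the cipher and padding:

```python
IPV4_HDR = 20

# Assumed per-packet ESP overhead (constructed for this example): 8-byte SPI/seq
# header, 8-byte IV, 2-byte pad-length/next-header trailer, 12-byte ICV.
# Block-cipher padding is ignored, so treat these numbers as illustrative only.
ESP_OVERHEAD = 8 + 8 + 2 + 12


def ipsec_overhead(mode):
    """Bytes added to a cleartext packet; tunnel mode also adds an outer IP header."""
    return ESP_OVERHEAD + (IPV4_HDR if mode == "tunnel" else 0)


def handle_packet(size, df, mode, link_mtu):
    """Describe what the IPsec system does with a cleartext IPv4 packet of
    `size` bytes (header included) that must leave on a link of `link_mtu`."""
    ovh = ipsec_overhead(mode)
    if size + ovh <= link_mtu:
        return {"action": "send", "packets": 1, "fragments": False}
    if df:
        # Scenario 2: DF set, so nothing may be fragmented. Report the largest
        # cleartext packet that still fits once protected (ICMP type 3, code 4);
        # a well-behaved sender resends its data in packets no bigger than that.
        return {"action": "icmp_frag_needed", "next_hop_mtu": link_mtu - ovh}
    # Scenario 1: DF clear. Split the cleartext so each piece fits once protected;
    # fragment payload sizes must be multiples of 8 (offset units).
    room = link_mtu - ovh - IPV4_HDR
    room -= room % 8
    payload = size - IPV4_HDR
    n = -(-payload // room)  # ceiling division
    # Transport mode leaves real IP fragments on the wire; tunnel mode wraps each
    # piece in its own outer header, so the result is ordinary IPsec packets.
    return {"action": "send", "packets": n, "fragments": mode == "transport"}


if __name__ == "__main__":
    for mode in ("transport", "tunnel"):
        print(mode, "DF clear:", handle_packet(1500, False, mode, 1500))
        print(mode, "DF set:  ", handle_packet(1500, True, mode, 1500))
```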
