VPN and icmp
tbird at PRECISION-GUESSWORK.COM
Fri Aug 18 19:10:59 EDT 2000
Hi Neil --
We've been struggling with this in our Cisco implementation
too. Rumour has it that IOS version 12.1.1(2) fixes the
problem. But I'm including the directions given by our
local UNIX guru to set Path MTU discovery on Solaris and NT 4.0.
Note that I haven't tested this and I take no credit or
responsibility for breaking things ;-) I'll post this to
the How-To page on the Web site, too.
cheers -- tbird
As root, type:
/usr/sbin/ndd -set /dev/ip ip_path_mtu_discovery 0
This should be added to /etc/init.d/nddsettings or somesuch to make it
happen at boot time.
On NT 4.0:
1) Boot the machine and log in as a user with local administrative
2) Start --> Run --> command
4) cd WINNT
6) Select the HKEY_LOCAL_MACHINE window.
7) Expand "SYSTEM"
8) Expand "CurrentControlSet"
9) Expand "Services"
10) Expand "tcpip"
11) Select "parameters" (make sure it is highlighted)
12) From the "Edit" menu, select "Add Value..."
13) For the "Value Name", type "EnablePMTUDiscovery" (case sensitive).
14) On the "Data Type" drop-down, select "REG_DWORD" and click OK.
15) In the "Data" input area, type "0" (the digit zero).
16) It shouldn't matter which radix you choose, but I select Decimal out
17) Click OK
18) From the "Registry" menu, select "Exit"
19) Reboot the workstation
On Wed, 16 Aug 2000, Neil Ratzlaff wrote:
> Date: Wed, 16 Aug 2000 16:17:28 -0700
> From: Neil Ratzlaff <neil.ratzlaff at UCOP.EDU>
> To: VPN at SECURITYFOCUS.COM
> Subject: VPN and icmp
> We recently tried to set up a Cisco VPN with some NT servers at our end,
> the other end had Windows something. Parts of it worked and parts didn't,
> and we eventually found the cause to be the close Cisco router sending icmp
> type 3 code 4 packets back to the NT machines. The packets from NT had the
> 'Don't Fragment' bit set, and Cisco couldn't encrypt them and still fit
> them under the packet size limit. I suggested the NT owners stop setting
> the Don't Fragment bit, and they said there was no way to do that. They
> also cited RFC 1853:
> 3.1. Tunnel MTU Discovery
> When the Don't Fragment bit is set by the originator and copied into
> the outer IP header, the proper MTU of the tunnel will be learned
> from ICMP (Type 3 Code 4) "Datagram Too Big" errors reported to the
> encapsulator. To support originating hosts which use this
> capability, all implementations MUST support Path MTU Discovery
> [RFC-1191, RFC-1435] within their tunnels.
> So.... questions:
> 1. Can NT stop setting the Don't Fragment bit, and if so, how?
> 2. What is the best way to deal with this situation?
> VPN is sponsored by SecurityFocus.COM
VPN is sponsored by SecurityFocus.COM
More information about the VPN