
ipsec-bridge. which size for mtu?



Hi list,

I've made some experiments with ipsec-bridges using gif interfaces
like the example explained in man brconfig.
Everything went fine, but sometimes some errors occur.

This is my setup:
Two boxes, both running 3.7 generic.
Both boxes are connected to the i-net with adsl-modems
with dynamic IPs. I wrote a little script which is started
periodically by cron.

 -----------------   ------------   ---------------
 |192.168.10.0/24|___| obsd 3.7 |___| adsl -modem |________
 |  network      |   |   box1   |   ---------------        |
 -----------------   ------------                          |
                                                       ---------
                                                       | I-NET |
                                                       ---------
                                                           |
 -----------------   ------------   ---------------        |
 |192.168.10.0/24|___| obsd 3.7 |___| adsl -modem |________|
 |  network      |   |   box2   |   ---------------
 -----------------   ------------
The problem is that sometimes the two boxes can't ping each other,
whereas the clients in the two subnets can ping each other without
any problems.

In my opinion, there is an issue with the MTU. Look at this dump:

----<snip>----
# tcpdump -nqei gif0 (on box1)
tcpdump: WARNING: gif0: no IPv4 address assigned
tcpdump: listening on gif0, link-type NULL
02:03:31.551923 bad-hlen 0
02:03:33.682957 bad-hlen 0
02:03:34.693290 bad-hlen 0
02:03:35.703223 bad-hlen 0
----<snip>----

and in /var/log/messages I found this:

----<snip>----
/bsd: pf_test6: kif == NULL, if_xname gif0
/bsd: pf_test6: kif == NULL, if_xname gif0
Sep 14 01:50:42 blackhole last message repeated 4 times
Sep 14 01:57:43 blackhole last message repeated 14 times
----<snip>----



root@pluto root # ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33224
        inet 127.0.0.1 netmask 0xff000000
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x7
sis0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        address: 00:00:24:c2:bf:44
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 192.168.10.1 netmask 0xffffff00 broadcast 192.168.10.255
        inet6 fe80::200:24ff:fec2:bf44%sis0 prefixlen 64 scopeid 0x1
sis1: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
        address: 00:00:24:c2:bf:45
        media: Ethernet autoselect (none)
        status: no carrier
sis2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        address: 00:00:24:c2:bf:46
        media: Ethernet autoselect (10baseT)
        status: active
        inet6 fe80::200:24ff:fec2:bf46%sis2 prefixlen 64 scopeid 0x3
pflog0: flags=0<> mtu 33224
pfsync0: flags=0<> mtu 2020
enc0: flags=0<> mtu 1536
tun0: flags=8011<UP,POINTOPOINT,MULTICAST> mtu 1492
        inet xxx.xxx.xxx.xxx --> xxx.xxx.xxx.xxx netmask 0xffffffff
gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
        physical address inet xxx.xxx.xxx.xxx --> xxx.xxx.xxx.xxx.xxx
        inet6 fe80::200:24ff:fec2:bf44%gif0 ->  prefixlen 64 scopeid 0xd6
bridge0: flags=41<UP,RUNNING> mtu 1500
tun1: flags=9902<BROADCAST,PROMISC,SIMPLEX,LINK0,MULTICAST> mtu 1500
        address: 00:bd:40:58:a3:02

root@pluto root # brconfig bridge0
bridge0: flags=41<UP,RUNNING>
        Configuration:
                priority 32768 hellotime 2 fwddelay 15 maxage 20
        Interfaces:
                tun1 flags=3<LEARNING,DISCOVER>
                        port 8 ifpriority 128 ifcost 55
                sis0 flags=3<LEARNING,DISCOVER>
                        port 1 ifpriority 128 ifcost 55
                gif0 flags=3<LEARNING,DISCOVER>
                        port 6 ifpriority 128 ifcost 55
        Addresses (max cache: 100, timeout: 240):
                00:50:22:40:14:67 gif0 1 flags=0<>
                00:00:24:c3:d1:f0 gif0 1 flags=0<>




root@pluto root # ipsecadm show:
sadb_dump: satype esp vers 2 len 22 seq 0 pid 0
        errno 188: Unknown error: 188
        sa: spi 0x00004243 auth hmac-sha1 enc 3des-cbc
                state larval replay 0 flags 0
        lifetime_cur: alloc 0 bytes 0 add 1126656785 first 0
        address_src: xxx.xxx.xxx.xxx
        address_dst: xxx.xxx.xxx.xxx
        key_auth: bits 160: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
        key_encrypt: bits 192: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
sadb_dump: satype esp vers 2 len 22 seq 0 pid 0
        errno 188: Unknown error: 188
        sa: spi 0x00004242 auth hmac-sha1 enc 3des-cbc
                state larval replay 0 flags 0
        lifetime_cur: alloc 0 bytes 0 add 1126656785 first 0
        address_src: xxx.xxx.xxx.xxx
        address_dst: xxx.xxx.xxx.xxx
        key_auth: bits 160: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
        key_encrypt: bits 192: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx



So is there anybody out there with a solution for these problems?


Thanks in advance.