Certain size packets not passing through a L2 over L3 IPsec tunnel

Russell Sutherland
I've set up a L2overL3 tunnel using the template as found in "man etherip". I am running OpenBSD 5.9, which I believe is the first version to support the etherip interface.

I find the bridge/tunnel does not pass a small range of specific sized packets.

E.g. if 1.2.3.4 is at the far end of the tunnel and I am pinging from the local end:

ping -s 1388 1.2.3.4 works
ping -s 1396 1.2.3.4 works

All other sizes, 1389 to 1395 inclusive fail.

Is there some way to remedy this?


Thanks in advance.

Russell P. Sutherland           Email: russell . sutherland @ utoronto dawt ca
Network Engineer, I+TS       Voice: +1.416.978.0470
4 Bancroft Ave., Rm. 102      Cell: +1.416.803.0080
University of Toronto            Fax:   +1.416.978.6620
Toronto, ON  M5S 1C1

Re: Certain size packets not passing through a L2 over L3 IPsec tunnel

Daniel Ouellet
On 10/10/19 4:25 PM, Russell Sutherland wrote:

> I've set up a L2overL3 tunnel using the template as found in "man etherip". I am running OpenBSD 5.9, which I believe is the first version to support the etherip interface.
>
> I find the bridge/tunnel does not pass a small range of specific sized packets.
>
> E.g. if 1.2.3.4 is at the far end of the tunnel and I am pinging from the local end:
>
> ping -s 1388 1.2.3.4 works
> ping -s 1396 1.2.3.4 works
>
> All other sizes, 1389 to 1395 inclusive fail.
>
> Is there some way to remedy this?

Just some friendly advice here. I am almost sure you will not get an answer
on this as 5.9 is pretty old and has not been supported for a few years now.

We are at 6.5 and maybe one week or two max to the release of 6.6.

I would try 6.6 first and see how it works for you.

There have been a truckload of changes since 5.9.

Hope this helps you some even if that doesn't answer your question.

However the suggestion is very valid.

Daniel


Re: Certain size packets not passing through a L2 over L3 IPsec tunnel

Russell Sutherland
In reply to this post by Russell Sutherland
Ok... I've updated both ends of the tunnel to OpenBSD 6.5 and the same problem exists when trying to pass packets of a certain size.

Any ideas on how to fix or work around this issue?

Thanks in advance.

Russell P. Sutherland           Email: russell . sutherland @ utoronto dawt ca
Network Engineer, I+TS       Voice: +1.416.978.0470
4 Bancroft Ave., Rm. 102      Cell: +1.416.803.0080
University of Toronto            Fax:   +1.416.978.6620
Toronto, ON  M5S 1C1

Re: Certain size packets not passing through a L2 over L3 IPsec tunnel

Stuart Henderson
In reply to this post by Russell Sutherland
On 2019-10-10, Russell Sutherland <[hidden email]> wrote:

> I've set up a L2overL3 tunnel using the template as found in "man etherip". I am running OpenBSD 5.9, which I believe is the first version to support the etherip interface.
>
> I find the bridge/tunnel does not pass a small range of specific sized packets.
>
> E.g. if 1.2.3.4 is at the far end of the tunnel and I am pinging from the local end:
>
> ping -s 1388 1.2.3.4 works
> ping -s 1396 1.2.3.4 works
>
> All other sizes, 1389 to 1395 inclusive fail.
>
> Is there some way to remedy this?

If you have different MTUs each side (e.g. common if one end uses pppoe),
or if there is a link between the two tunnel endpoints with restricted MTU
(which you might not notice for TCP connections because it may rewrite the
MSS value), then reduce MTU on the endpoints to the lowest common denominator.
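
The MTU check suggested above, written as a size sweep to run from one tunnel endpoint (an added example, not part of the thread). It reports failing size ranges instead of searching for a single ceiling, because the sizes reported in the thread pass again above the failing range. Assumptions: OpenBSD ping(8), where -D sets Don't Fragment and -w is the maximum wait in seconds; TARGET is a placeholder address; sweep, probe and candidate_mtu are names made up for this example.

```shell
#!/bin/sh
# Added example: sweep ICMP payload sizes with Don't Fragment set and
# report which contiguous ranges of sizes get no reply.
# Usage: TARGET=<far-end address>; sweep 1380 1400; candidate_mtu 1380 1400
: "${TARGET:=192.0.2.1}"   # placeholder (TEST-NET-1); set to the far end

# probe SIZE: succeeds if one echo request with SIZE payload bytes is answered.
# Flags are those of OpenBSD ping(8); other systems use different letters.
probe() {
    ping -D -c 1 -w 1 -s "$1" "$TARGET" >/dev/null 2>&1
}

# sweep LO HI: print one "START-END" line per contiguous run of failing sizes.
sweep() {
    lo=$1 hi=$2 start="" size=$1
    while [ "$size" -le "$hi" ]; do
        if probe "$size"; then
            [ -n "$start" ] && echo "$start-$((size - 1))"
            start=""
        else
            [ -z "$start" ] && start=$size
        fi
        size=$((size + 1))
    done
    [ -n "$start" ] && echo "$start-$hi"
    return 0
}

# candidate_mtu LO HI: IPv4 packet size of the largest payload that passed
# below the first failing range (payload + 8-byte ICMP header + 20-byte
# IPv4 header without options). Prints "none" if nothing failed or if LO
# itself failed, since no passing size below the gap was measured.
candidate_mtu() {
    first=$(sweep "$1" "$2" | head -n 1)
    [ -z "$first" ] && { echo "none"; return 0; }
    last_ok=$(( ${first%%-*} - 1 ))
    [ "$last_ok" -lt "$1" ] && { echo "none"; return 0; }
    echo $((last_ok + 8 + 20))
}
```

The value printed by candidate_mtu is a starting point for the MTU reduction described above on the path that was probed, to be confirmed by repeating the sweep after the change.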