Ipsec MTU: tcpdump vs pmtu 1446 (Tunnel 3des/md5-96) loss of 4 bytes!


  • Ipsec MTU: tcpdump vs pmtu 1446 (Tunnel 3des/md5-96) loss of 4 bytes!

    Hi,
    I'm trying to understand why the MTU in my test tunnel is 1446, between a Cisco and a Linux box (I have the same between two Ciscos).
    I have done tcpdump -E and used the RFCs to identify each byte in the trace, so I can't understand why the PMTU is 4 bytes lower than I expect.
    (I see a lot of different numbers on the net, but without any explanation.)

    3DES seems to use the IV size of plain DES. I did a lot of dumps to verify the identification of the padding (by changing the size of the ping), and switched to AES to verify the byte identification.

    Does tcpdump -E erase the Auth Pad, or is it something else? I must be missing something, but what?

    My interpretation: (Mode Tunnel: 3des/md5-96)
    MTU IP SPI SN IV Data Pad PL NH AUTH
    1500 -20 -4 -4 -( 8 x ) -0 -1 -1 -12 = 1450

    The PMTU from a "ping -M do -s 1472" gives me 1446, why!?
    (And no, I don't use GRE.)

    Best regards

    Vincent Tamet.
    OSG[PCQ]

    PS:
    Code:
    -----------------------------------------------------------------------------
    * ping 192.168.3.1 -c 1 -s 2
    17:25:56.555463 00:06:5b:8a:a4:2b > 00:24:14:d9:f1:90, ethertype IPv4 (0x0800), length 44: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 30)
        192.168.2.5 > 192.168.3.1: ICMP echo request, id 46448, seq 1, length 10
            0x0000:  4500 001e 0000 4000 4001 b488 c0a8 0205  E.....@.@.......
            0x0010:  c0a8 0301 0800 428d b570 0001 0001       ......B..p....
    -----------------------------------------------------------------------------
    16:25:59.221603 08:1f:f3:e7:0e:65 > 00:23:7d:fd:bb:04, ethertype IPv4 (0x0800), length 94: (tos 0x0, ttl 253, id 1992, offset 0, flags [DF], proto ESP (50), length 80)
        xx.xx.1.136 > 10.0.0.2: ESP(spi=0xdb14b228,seq=0x8), length 60
            0x0000:  4500 0050 07c8 4000 fd32 19cc 505e 0188  E..P..@..2..P^..
            0x0010:  0a00 0002 db14 b228 0000 0008 5957 445a  .......(....YWDZ
            0x0020:  5dcd 42b4 4500 001e 0000 4000 3f01 b588  ].B.E.....@.?...
            0x0030:  c0a8 0205 c0a8 0301 0800 428d b570 0001  ..........B..p..
            0x0040:  0001 0004 58c2 f376 69fa ede5 2584 f199  ....X..vi...%...
    -----------------------------------------------------------------------------

  • #2
    Re: Ipsec MTU: tcpdump vs pmtu 1446 (Tunnel 3des/md5-96) loss of 4 bytes!

    I can't answer your question, but this is one topic that drove me nuts a few years back!! I hate it when 2+2 does NOT equal 4.

    As a frame of reference, I created site-2-site VPN test scenarios in a lab environment, but soon found out these MTU settings did not work in our production environment (ASA -> IOS). So based on project timelines, I just ended up reverse engineering MTU settings by sending different size ping packets from corporate LAN (using a linux box) towards the IOS based VPN endpoint (Site-2-Site). Then using "show ip virtual-reassembly" output on the remote end I would look at "Total reassembly count" field to come up with a MTU that worked. If the reassembly count field incremented, then I would decrease the size by 10 until it no longer incremented. In my case, the magic number was 1426, not 1446.

    Don't know if you have read this link. It's based on GRE/IPSEC in transport mode, but I found certain sections of it very informative.

    Good luck!



    • #3
      Re: Ipsec MTU: tcpdump vs pmtu 1446 (Tunnel 3des/md5-96) loss of 4 bytes!

      Well, I posted this in Cisco support forum thread 2067814 and wzhang gave me the solution:

      Here is my answer to his post. For now I'm not able to do all the tcpdumps (due to a frag problem, I thought it was a Cisco frag bug), but anyway, for me it makes complete sense.



      I tested with a ping -c 1 -s 1418 192.168.2.5

      Code:
      Encapsulating Security Payload (Tunnel Mode)
       IP Tunnel header                                              20
       ESP Header
          Security Parameters Index [SPI]                             4
          Sequence Number                                             4
       Payload data                                          (variable)
          Initialization Vector [IV]  IOS ESP-DES-3DES                8
          Data                                          (variable) 1446
             IP Origin header                                        20
             ICMP Header                                              8
             Data                                                  1418
          Padding Encrypt  IOS ESP-DES-3DES (variable 0->7)           0
       ESP Trailer
          Pad Length                        8 bits                    1
          Next Header                       8 bits                    1
       ESP Authentication Data                            (variable x4?)
          Integrity Check Value [ICV]  ESP MD5 96 digest             12
          Padding Auth                                                0
                                                                 -------
                                                              1496 < 1500
      I use this to compute the pad: 8 + 1446 + 1 + 1 = 1456
      1456 / 8 = 182.00
      1456 - (182 * 8) = 0, so no padding.




      If we calculate for a ping -c 1 -s 1419 192.168.2.5
      Code:
      Encapsulating Security Payload (Tunnel Mode)
       IP Tunnel header                                              20
       ESP Header
          Security Parameters Index [SPI]                             4
          Sequence Number                                             4
       Payload data                                          (variable)
          Initialization Vector [IV]  IOS ESP-DES-3DES                8
          Data                                          (variable) 1447
             IP Origin header                                        20
             ICMP Header                                              8
             Data                                                  1419
          Padding Encrypt  IOS ESP-DES-3DES (variable 0->7)           7
       ESP Trailer
          Pad Length                        8 bits                    1
          Next Header                       8 bits                    1
       ESP Authentication Data                            (variable x4?)
          Integrity Check Value [ICV]  ESP MD5 96 digest             12
          Padding Auth                                                0
                                                                 -------
                                                              1504 > 1500
      And for the pad:
      8 + 1447 + 1 + 1 = 1457
      1457 / 8 = 182.12
      1457 - (182 * 8) = 1. If it is not 0 we need to calculate the padding: 8 - 1 = 7.
      In this case the MTU is above 1500!

      Hope this helps.
      Last edited by biggles77; 28th March 2011, 17:49. Reason: Fix the 8) smilie issue
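The two size tables above, and the 4-byte gap the original question asks about, can be reproduced with a few lines of arithmetic. The following is an added worked example (it is not code from the thread or from Cisco): it encodes the ESP tunnel-mode layout used in the posts (outer IP 20, SPI 4, sequence 4, 8-byte 3DES IV, pad length 1, next header 1, 12-byte MD5-96 ICV) and enforces the one rule that explains the result, namely that inner packet + padding + pad length + next header must be a multiple of the cipher block size. With zero padding the inner packet could be 1450 bytes, but 1450 + 2 is not a multiple of 8, so 4 bytes of padding are forced and the packet overshoots 1500; the largest inner packet that fits is 1446, which is exactly the PMTU the ping reported. The AES parameters (16-byte IV, 16-byte block) are an assumption added here to show the same rule generalizes; the thread only states the 3DES numbers.

```python
"""Added example: ESP tunnel-mode size arithmetic (not from the thread).

Computes the encapsulated length of an inner IP packet and the largest
inner packet (the PMTU a host will learn) for a given outer link MTU.
Layout and constants follow the tables posted in the thread for
IOS ESP-3DES with HMAC-MD5-96.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class EspParams:
    outer_ip: int = 20   # outer IPv4 tunnel header
    spi: int = 4         # Security Parameters Index
    seq: int = 4         # sequence number
    iv: int = 8          # 3DES-CBC IV (AES-CBC would be 16; assumption for the AES case)
    block: int = 8       # cipher block size the padded plaintext must align to
    pad_len: int = 1     # ESP trailer: Pad Length field
    next_hdr: int = 1    # ESP trailer: Next Header field (4 = IP-in-IP for tunnel mode)
    icv: int = 12        # HMAC-MD5-96 / HMAC-SHA1-96 truncated digest


def esp_padding(inner_len: int, p: EspParams) -> int:
    """Bytes of encryption padding needed so that
    inner packet + padding + PadLen + NextHeader is a multiple of the block size.
    (The thread adds the 8-byte IV into its sum as well; since the IV is a
    whole block that does not change the remainder.)"""
    rem = (inner_len + p.pad_len + p.next_hdr) % p.block
    return 0 if rem == 0 else p.block - rem


def esp_outer_len(inner_len: int, p: EspParams) -> int:
    """Total size on the wire of the ESP tunnel-mode packet carrying inner_len bytes."""
    return (p.outer_ip + p.spi + p.seq + p.iv
            + inner_len + esp_padding(inner_len, p)
            + p.pad_len + p.next_hdr + p.icv)


def max_inner_len(mtu: int, p: EspParams) -> int:
    """Largest inner IP packet whose encapsulation fits in `mtu` bytes.
    This is the value PMTU discovery reports to the sending host."""
    fixed = p.outer_ip + p.spi + p.seq + p.iv + p.pad_len + p.next_hdr + p.icv
    best = mtu - fixed                      # upper bound assuming zero padding
    while esp_outer_len(best, p) > mtu:     # shrink until forced padding no longer overshoots
        best -= 1
    return best


def max_ping_payload(mtu: int, p: EspParams, ip_hdr: int = 20, icmp_hdr: int = 8) -> int:
    """Largest `ping -s` value that still fits: inner packet minus IP and ICMP headers."""
    return max_inner_len(mtu, p) - ip_hdr - icmp_hdr


def breakdown(inner_len: int, p: EspParams) -> dict:
    """Per-field sizes, in the order of the thread's table, for one inner packet size."""
    return {
        "IP Tunnel header": p.outer_ip,
        "SPI": p.spi,
        "Sequence Number": p.seq,
        "IV": p.iv,
        "Data (inner packet)": inner_len,
        "Padding Encrypt": esp_padding(inner_len, p),
        "Pad Length": p.pad_len,
        "Next Header": p.next_hdr,
        "ICV": p.icv,
        "total": esp_outer_len(inner_len, p),
    }


if __name__ == "__main__":
    p3des = EspParams()
    for payload in (1418, 1419):            # the two pings from the thread
        inner = payload + 20 + 8
        b = breakdown(inner, p3des)
        print(f"ping -s {payload}: inner {inner} -> pad {b['Padding Encrypt']}, on wire {b['total']}")
    print("3DES/MD5-96 PMTU for 1500-byte link:", max_inner_len(1500, p3des),
          "(max ping -s", max_ping_payload(1500, p3des), ")")
    paes = EspParams(iv=16, block=16)       # assumed AES-CBC parameters
    print("AES-CBC/MD5-96 PMTU for 1500-byte link:", max_inner_len(1500, paes))
```

Running it prints 1496 bytes on the wire for `ping -s 1418` and 1504 for `ping -s 1419`, matching the two tables, and 1446 as the PMTU, matching the original question.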
