Re: isakmpd and icmp dependencies
Thanks for the reply. I've set net.inet.ip.mtudisc = 0 and lowered the MTU
to 1400. Still no luck. netstat -rn shows all established links, "ipsecadm
show" shows all negotiations and looks fine. My configuration worked
perfectly until my upstream provider blew away ICMP responses including type 3
unreachable. UDP 500 and IP 50 are open and obviously are enabled or the
original negotiations would fail. PPTP is failing from clients behind the
ICMP-disabled router too. PPTP worked too before the lockdown. Any other
ideas?
From peer behind ICMP-disabled router:
netstat -p esp
esp:
0 input ESP packets
226 output ESP packets
0 packets from unsupported protocol families
0 packets shorter than header shows
0 packets dropped due to policy
0 packets for which no TDB was found
0 input packets that failed to be processed
0 packets with bad encryption received
0 packets that failed verification received
0 packets for which no XFORM was set in TDB received
0 packets were dropped due to full output queue
0 packets where counter wrapping was detected
0 possibly replayed packets received
0 packets with bad payload size or padding received
0 packets attempted to use an invalid TDB
0 packets got larger than max IP packet size
0 packets that failed crypto processing
0 input bytes
18984 output bytes
From peer behind PMTU-enabled router:
netstat -p esp
esp:
4440 input ESP packets
9219 output ESP packets
0 packets from unsupported protocol families
0 packets shorter than header shows
0 packets dropped due to policy
0 packets for which no TDB was found
0 input packets that failed to be processed
0 packets with bad encryption received
0 packets that failed verification received
0 packets for which no XFORM was set in TDB received
0 packets were dropped due to full output queue
0 packets where counter wrapping was detected
0 possibly replayed packets received
0 packets with bad payload size or padding received
0 packets attempted to use an invalid TDB
0 packets got larger than max IP packet size
0 packets that failed crypto processing
223632 input bytes
4971407 output bytes
-----Original Message-----
From: Hakan Olsson <ho@rfc.se>
Sent: Monday, September 08, 2003 10:18 AM
To: Todd Boyer
Cc: 'misc@openbsd.org'
Subject: Re: isakmpd and icmp dependencies
On Mon, 8 Sep 2003, Todd Boyer wrote:
> How dependent is isakmpd on being able to echo ICMP responses from peers?
isakmpd (i.e. the IKE protocol) uses UDP port 500, only. No ICMP.
IPsec uses IP protocol 50 or 51, no ICMP there either.
That said, you can get ICMP responses for various reasons due to these
packets, as always with IP. Any such responses will most likely be ignored
-- there's not much you can do about them, protocol-wise. :)
For workarounds, see Cedric Berger's answer about PMTU etc.
/H
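Added example, not part of the thread or of OpenBSD's own tools: the counters above show the classic shape of a PMTU black hole (ESP leaves the peer behind the ICMP-filtering router, nothing comes back, and every ESP error counter is zero, so the SA and the crypto are not the problem). The script below parses `netstat -p esp` output into a dictionary, applies that reading as a heuristic, and then carries through the tunnel-mode ESP overhead arithmetic behind "lower the MTU": how large an inner packet can be before the encapsulated ESP datagram would exceed a given path MTU and need the ICMP "fragmentation needed" message the provider is now dropping. The sample counter text is trimmed from the two listings in the thread; the verdict strings, the heuristic and the default cipher/ICV sizes (3DES-CBC, HMAC-96) are this example's own assumptions.

```python
import re

# Counter lines trimmed from the two `netstat -p esp` listings in the thread
# (constructed sample input for this example; the parser accepts the full output).
ESP_BEHIND_ICMP_FILTER = """\
esp:
0 input ESP packets
226 output ESP packets
0 packets dropped due to policy
0 packets for which no TDB was found
0 packets with bad encryption received
0 packets that failed verification received
0 input bytes
18984 output bytes
"""

ESP_BEHIND_PMTU_OK = """\
esp:
4440 input ESP packets
9219 output ESP packets
0 packets dropped due to policy
0 packets for which no TDB was found
0 packets with bad encryption received
0 packets that failed verification received
223632 input bytes
4971407 output bytes
"""

TRAFFIC_COUNTERS = {"input ESP packets", "output ESP packets",
                    "input bytes", "output bytes"}
COUNTER_RE = re.compile(r"^\s*(\d+)\s+(\S.*?)\s*$")


def parse_esp_counters(text):
    """Map each 'N description' line of `netstat -p esp` output to {description: N}."""
    counters = {}
    for line in text.splitlines():
        m = COUNTER_RE.match(line)
        if m:
            counters[m.group(2)] = int(m.group(1))
    return counters


def diagnose(counters):
    """Classify one peer's ESP counters. Heuristic (an assumption of this example):
    ESP leaving with nothing coming back and every error counter at zero points at
    the path (e.g. a PMTU black hole from filtered ICMP), not at the SA or crypto."""
    errors = {k: v for k, v in counters.items() if k not in TRAFFIC_COUNTERS and v}
    out_pkts = counters.get("output ESP packets", 0)
    in_pkts = counters.get("input ESP packets", 0)
    if errors:
        return "esp-errors"            # policy/TDB/crypto problem: look at these first
    if out_pkts and not in_pkts:
        return "one-way-suspect-path"  # our ESP leaves, peer's never arrives
    if out_pkts and in_pkts:
        return "bidirectional"
    return "nothing-sent"              # no ESP leaving at all: check flows/SPD, not the path


def esp_tunnel_overhead(inner_len, block_size=8, icv_len=12):
    """Bytes added to an inner IPv4 packet by tunnel-mode ESP with a CBC cipher:
    outer IPv4 header (20) + SPI/sequence (8) + IV (one cipher block) + padding to
    the block size + pad-length/next-header trailer (2) + ICV. Defaults assume
    3DES-CBC (8-byte block) with HMAC-SHA1-96 or HMAC-MD5-96 (12-byte ICV)."""
    pad = (-(inner_len + 2)) % block_size   # the 2-byte trailer sits inside the padded region
    return 20 + 8 + block_size + pad + 2 + icv_len


def max_inner_len(path_mtu, block_size=8, icv_len=12):
    """Largest inner packet whose ESP tunnel encapsulation still fits path_mtu.
    With DF set and ICMP 'fragmentation needed' filtered, anything larger is
    silently lost, so this is an upper bound for the MTU on the inside."""
    return max(n for n in range(path_mtu + 1)
               if n + esp_tunnel_overhead(n, block_size, icv_len) <= path_mtu)


if __name__ == "__main__":
    for name, text in (("behind ICMP-filtering router", ESP_BEHIND_ICMP_FILTER),
                       ("behind PMTU-capable router", ESP_BEHIND_PMTU_OK)):
        print(f"{name}: {diagnose(parse_esp_counters(text))}")
    for mtu in (1500, 1400):
        print(f"path MTU {mtu}: largest inner packet {max_inner_len(mtu)} bytes (3DES/HMAC-96)")
```

The number to feed `max_inner_len` is the smallest link MTU anywhere on the path between the two gateways, which is exactly what filtered ICMP hides; it has to come from the provider or from probing with DF-set packets of decreasing size. Lowering the inside MTU to 1400 leaves roughly 50 bytes of headroom for 3DES/HMAC-96 on a 1500-byte path, but buys nothing if the real bottleneck is smaller than 1450 or if the far end still sends full-size DF packets.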