OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: Walter Heukels (walterrotterdam.prutsclub.nl)
Date: Mon Jun 03 2002 - 20:06:02 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    Hi all,

    I've got a server running OpenBSD 3.1 on which I've set up a PPTP
    connection with my ADSL modem (Alcatel SpeedTouch), using pptp-1.0.2 from
    the ports collection. This works fine, except that I noticed that
    interactive sessions sometimes seem to get stuck for a moment, and when
    pinging nearby systems the response time rises dramatically when the
    packet size (as in the -s option to ping) goes to about 850... it's
    impossible to tell exactly, because the behaviour is not very consistent;
    sometimes I get more or less constant 1000ms response times, sometimes
    50ms and 1000ms alternate, and sometimes it seems more random.

    I figured this had something to do with fragmentation, and after a bit of
    fiddling I came up with adding 'mtu 800' to /etc/ppp/options, which makes
    everything work smootly, except that it messes up my VPN connection.

    I have an IPSEC tunnel to a Draytek Vigor 2200E router, which now works
    fine for packet sizes up to exactly 722 bytes. Any larger than tha, the
    packets seem to vanish into thin air.

    A successful ping to the router looks like this on enc0:

    [rooteithne ~]# tcpdump -v -v -v -n -i enc0
    tcpdump: WARNING: enc0: no IPv4 address assigned
    tcpdump: listening on enc0
    02:57:59.130055 (authentic,confidential): SPI 0x03010084: 213.84.45.68 >
    213.84.23.113: 10.1.1.1 > 10.1.201.1: icmp: echo request (id:17658 seq:0)
    (ttl 255, id 40838) (ttl 64, id 57748, bad cksum 0!)
    02:57:59.175461 (authentic,confidential): SPI 0x7e1bd05c: 213.84.45.68 >
    80.126.21.8: 10.1.201.1 > 10.1.1.1: icmp: echo reply (id:17658 seq:0) (ttl
    255, id 159) (ttl 123, id 0)

    This is what happens if I ping the router using ping -c 3 -s 2500 -I
    10.1.1.1 10.1.201.1:

    [rooteithne ~]# tcpdump -v -v -v -n -i enc0
    tcpdump: WARNING: enc0: no IPv4 address assigned
    tcpdump: listening on enc0
    02:53:11.407890 (authentic,confidential): SPI 0x03010084: 213.84.45.68 >
    213.84.23.113: 10.1.1.1 > 10.1.201.1: icmp: echo request (id:26222 seq:0)
    (ttl 255, id 24252) (ttl 64, id 32675, bad cksum 0!)
    02:53:12.413049 (authentic,confidential): SPI 0x03010084: 213.84.45.68 >
    213.84.23.113: 10.1.1.1 > 10.1.201.1: icmp: echo request (id:26222
    seq:256) (ttl 255, id 1395) (ttl 64, id 10140, bad cksum 0!)
    02:53:13.423063 (authentic,confidential): SPI 0x03010084: 213.84.45.68 >
    213.84.23.113: 10.1.1.1 > 10.1.201.1: icmp: echo request (id:26222
    seq:512) (ttl 255, id 17831) (ttl 64, id 3616, bad cksum 0!)

    It's the "bad cksum" I'm particularly worried about.

    I've found a few other cases of people who have had similar symptoms, but
    they all turned out to be not applicable in my case (bugs in old
    OpenBSD versions, firewalls dropping fragments.)

    If anyone could shed any light on this, I'd be extremely grateful. 

    -- 
Walter