Re: [FW-1] Fragemnting packets after IPSEC....

Subject:	Re: [FW-1] Fragemnting packets after IPSEC....
From:	"Cihan Subasi (Garanti Teknoloji)" <CihanS AT GARANTI.COM DOT TR>
To:	FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Date:	Thu, 27 Oct 2005 17:37:18 +0300

I would like that firewall when sess a packet which will be fragmented after 
the IPSEC encaps. Sends back to the client that the client should lower the 
MTU. Can FW-1 do that..

İt rejects the packet that will be fragmented and informs the clients (or ipso 
can do it dont know? 

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:FW-1-MAILINGLIST AT 
AMADEUS.US.CHECKPOINT DOT COM] On Behalf Of Esteban Serrano Alvarez
Sent: Thursday, October 27, 2005 3:49 PM
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Subject: Re: [FW-1] Fragemnting packets after IPSEC....

Hi.

When this kind of problem is detected, TCP implementation should send an ICMP 
"Needed to fragment" packet in order to use a lower MTU - 1366 is a typical 
value. 

In some cases, if you are using NAT, it is possible that the ICPM Needed To 
Fragment packet would not reach its destination. Then, you may select a lower 
value of MTU on your clients if its possible.

Esteban Serrano

-----Mensaje original-----
De: Mailing list for discussion of Firewall-1 [mailto:FW-1-MAILINGLIST AT 
AMADEUS.US.CHECKPOINT DOT COM] En nombre de Cihan Subasi (Garanti Teknoloji) 
[CihanS AT GARANTI.COM DOT TR] Enviado el: jueves, 27 de octubre de 2005 9:43
Para: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Asunto: [FW-1] Fragemnting packets after IPSEC....

We have discovered that when client sends full IP packet and firewall fragments 
this packets due to the fact that packet size increases after the ipsec 
encapsulation. We want that clients knows that (with the help of the
firewall) and firewall rejects the packet before encapsulating into the ipsec 
and clients resends this packet with a smaller size so it fits in one ipsec 
packets.
 
This fragmentatrion causes if one fragment is lost and firewall request the 
whole packets back and also fragmentation and reassembiling eats from the CPU. 
Is there a way to do what we want...so that the client knows exactly how big 
the ip packet should and firewall do not need to fragment it...
 
I am not sure whether I explaned the problem correctly but if you require any 
moer info I am ready to provide. Thanks
 

***********************************************************
Cihan SUBASI
Garanti Technology
Internet ve Yazilim Hizmetleri
Tel:(90)(212)4783426 GSM:(90)(533)(2750353) Fax:(90)(212)6576150 
http://www.garantitechnology.com <http://www.garantitechnology.com/>
mailto:cihans AT garanti.com DOT tr
Success is a wonderful thing, but never underestimate the value of failure.
Failure teaches many more things than success ever can. 
*********************************************************** 

 

=================================================
To set vacation, Out-Of-Office, or away messages, send an email to LISTSERV AT 
amadeus.us.checkpoint DOT com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your subscription options, email 
fw-1-owner AT ts.checkpoint DOT com 
=================================================

=================================================
To set vacation, Out-Of-Office, or away messages, send an email to LISTSERV AT 
amadeus.us.checkpoint DOT com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your subscription options, email 
fw-1-owner AT ts.checkpoint DOT com 
=================================================

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERV AT amadeus.us.checkpoint DOT com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-owner AT ts.checkpoint DOT com
=================================================

<Prev in Thread]	Current Thread	[Next in Thread>
[FW-1] Fragemnting packets after IPSEC...., Cihan Subasi (Garanti Teknoloji) Re: [FW-1] Fragemnting packets after IPSEC...., Esteban Serrano Alvarez Re: [FW-1] Fragemnting packets after IPSEC...., Cihan Subasi (Garanti Teknoloji) <=

Previous by Date:	Re: [FW-1] Cluster using wrong IP address, Tom Brown
Next by Date:	Re: [FW-1] Nokia Voyager Password, Jameel Akari
Previous by Thread:	Re: [FW-1] Fragemnting packets after IPSEC...., Esteban Serrano Alvarez
Next by Thread:	[FW-1] Rule base problem, Perruccio, Vincenza
Indexes:	[Date] [Thread] [Top] [All Lists]