LAN_A----FWA-----Internet----FWB----LAN_B
Both FWA and FWB are being managed by a different Provider-1 each.
Provider-1 on FWA is NG with AI R55w while Provider-1 on FWB
is NGx R61 with HFA_01 (bleeding edge)
scenario #1:
FWA = Nokia IP380 with NG AI R55w HFA_04 on IPSO 3.7.1 build 025
FWB = Nokia IP380 with NGx R61 HFA_01 on IPSO 4.1 build 019
Behind LAN_A and LAN_B are Microsoft, Solaris 9 and RedHat Linux
machines. The application in question is ftp and secure copy (scp).
I have a site-2-site VPN between LAN_A and LAN_B. The vpn is
up and just fine. However, I am getting ESP fragmentation
issue. This is what I am getting on the tcpdump:
4.2.2.2 is the external interface of FWA
129.174.1.8 is the external interface of FWB (NGx R61 firewall)
02:48:37.378940 O 129.174.1.8 > 4.2.2.2: ESP(spi=f7459262,seq=0x182) (frag 40938:-64056@0+) [tos 0x8]
02:48:37.378948 O 129.174.1.8 > 4.2.2.2: (frag 40938:60@1480) [tos 0x8]
02:48:37.379289 O 129.174.1.8 > 4.2.2.2: ESP(spi=f7459262,seq=0x183) (frag 40939:-64056@0+) [tos 0x8]
02:48:37.379298 O 129.174.1.8 > 4.2.2.2: (frag 40939:60@1480) [tos 0x8]
02:48:37.387384 I 4.2.2.2 > 129.174.1.8: ESP(spi=5d9bb4c9,seq=0xf2)
02:48:37.388251 O 129.174.1.8 > 4.2.2.2: ESP(spi=f7459262,seq=0x184) (frag 40940:-64056@0+) [tos 0x8]
02:48:37.388258 O 129.174.1.8 > 4.2.2.2: (frag 40940:60@1480) [tos 0x8]
02:48:37.388570 O 129.174.1.8 > 4.2.2.2: ESP(spi=f7459262,seq=0x185) (frag 40941:-64056@0+) [tos 0x8]
02:48:37.388578 O 129.174.1.8 > 4.2.2.2: (frag 40941:60@1480) [tos 0x8]
02:48:37.394837 I 4.2.2.2 > 129.174.1.8: ESP(spi=5d9bb4c9,seq=0xf3)
02:48:37.395677 O 129.174.1.8 > 4.2.2.2: ESP(spi=f7459262,seq=0x186) (frag 40942:-64056@0+) [tos 0x8]
02:48:37.395683 O 129.174.1.8 > 4.2.2.2: (frag 40942:60@1480) [tos 0x8]
02:48:37.396022 O 129.174.1.8 > 4.2.2.2: ESP(spi=f7459262,seq=0x187) (frag 40943:-64056@0+) [tos 0x8]
02:48:37.396030 O 129.174.1.8 > 4.2.2.2: (frag 40943:60@1480) [tos 0x8]
I went ahead and changed the parameter "ipsec_dont_fragment" on
AI R55w firewall from "false" to "true" and "fw_clamp_tcp_mss"
to "false". These values on the NGx R61 box are set to
"true" and "false", by default, respectively. However,
I am still getting ESP fragmentation. By the way, I did
push the policy after making these changes but it does not
work.
Now if I change the MTU on one of the hosts from 1500 to 1400, then
I don't have the ESP fragmentation but that is not a scalable
solution because I have a lot of hosts behind the firewall.
Another method is to modify the MTU on the Nokia itself. That
solves the problem but this solution is not supported by Nokia
and it breaks other applications in the process.
scenario #2:
FWA = Nokia IP380 with NGx R61 HFA_01 on IPSO 4.1 build 019
FWB = Nokia IP380 with NGx R61 HFA_01 on IPSO 4.1 build 019
Behind LAN_A and LAN_B are Microsoft, Solaris 9 and RedHat Linux
machines. The application in question is ftp and secure copy (scp).
FWA is being managed by Provider-1 NGx R61 residing on LAN_A
FWB is being managed by Provider-1 NGx R61 residing on LAN_B
In this scenario, I still get ESP fragmentation. Changing
the MTU on the host to 1400 or on the Nokia fixes the problem
but this solution is neither scalable nor supported by Nokia.
scenario #3:
FWA = Nokia IP380 with NG Feature Pack 3 HFA_327 on IPSO 3.7.1 build 25
FWB = Nokia IP380 with NGx R61 HFA_01 on IPSO 4.1 build 019
Behind LAN_A and LAN_B are Microsoft, Solaris 9 and RedHat Linux
machines. The application in question is ftp and secure copy (scp).
FWA is being managed by Provider-1 NG FP3 w/ HFA_327 on LAN_A
FWB is being managed by Provider-1 NGx R61 residing on LAN_B
In this scenario, I still get ESP fragmentation. Changing
the MTU on the host to 1400 or on the Nokia fixes the problem
but this solution is neither scalable nor supported by Nokia.
By the way, I also modified the "ipsec_dont_fragment" and
"fw_clamp_tcp_mss" parameters but it did not fix the issue.
scenario #4:
FWA = Cisco Pix Firewall running version 6.3(5) or 7.2(1)
FWB = Nokia IP380 with NGx R61 HFA_01 on IPSO 4.1 build 019
Behind LAN_A and LAN_B are Microsoft, Solaris 9 and RedHat Linux
machines. The application in question is ftp and secure copy (scp).
I HAVE NO ESP FRAGMENTATION IN THIS SCENARIO. Both the MTU
on the host and on the Pix firewall are set to 1500, the default value.
scenario #5:
FWA = Cisco IOS Router with Firewall Feature set 12.2(15)T17
FWB = Nokia IP380 with NGx R61 HFA_01 on IPSO 4.1 build 019
Behind LAN_A and LAN_B are Microsoft, Solaris 9 and RedHat Linux
machines. The application in question is ftp and secure copy (scp).
I HAVE NO ESP FRAGMENTATION IN THIS SCENARIO. Both the MTU
on the host and on the router are set to 1500, the default value.
-------------------------
We are in the process of rolling NGx R61 and I am responsible
for testing the VPN portion of it. Based on this testing,
I've concluded that NGx R61 (FWB) is fragmenting my ESP
traffic and I would like to have a fix for it. If anyone
is interested in discussing more about it, let me know
'cause I am under a deadline in rolling this beast. Thanks.
cisco4ng
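The capture above shows each outbound ESP datagram split into a 1480-byte first fragment (tcpdump prints its length through a signed 16-bit field, so 1480 appears as -64056) and a 60-byte tail at offset 1480, i.e. a 1540-byte ESP payload that no longer fits a 1500-byte link. The following script is an added example, not part of the post or of any Check Point or Nokia tool: it reassembles the fragment sizes from tcpdump lines in this format, counts fragmented versus whole ESP datagrams, and works out the ESP tunnel-mode overhead to derive the largest inner packet (and TCP MSS clamp) that avoids fragmentation for a given path MTU. The cipher parameters (AES-CBC with a 16-byte IV, 96-bit truncated HMAC, no outer IP options) are assumptions, not something the post states; the sample lines are constructed from the quoted capture with the wrapped lines rejoined.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the tcpdump output quoted in the post
# (the wrapped first-fragment lines are joined back onto one line here).
SAMPLE_CAPTURE = """\
02:48:37.378940 O 129.174.1.8 > 4.2.2.2: ESP(spi=f7459262,seq=0x182) (frag 40938:-64056@0+) [tos 0x8]
02:48:37.378948 O 129.174.1.8 > 4.2.2.2: (frag 40938:60@1480) [tos 0x8]
02:48:37.379289 O 129.174.1.8 > 4.2.2.2: ESP(spi=f7459262,seq=0x183) (frag 40939:-64056@0+) [tos 0x8]
02:48:37.379298 O 129.174.1.8 > 4.2.2.2: (frag 40939:60@1480) [tos 0x8]
02:48:37.387384 I 4.2.2.2 > 129.174.1.8: ESP(spi=5d9bb4c9,seq=0xf2)
"""

FRAG_RE = re.compile(r"\(frag (\d+):(-?\d+)@(\d+)(\+?)\)")
ESP_RE = re.compile(r"\bESP\(spi=")


def frag_len(printed):
    """Normalise a fragment length as tcpdump printed it.

    This tcpdump build prints the first fragment's length through a signed
    16-bit field, so 1480 shows up as -64056 (= 1480 - 65536). Reducing
    modulo 2**16 recovers the real length; positive values are unchanged.
    """
    return printed % 65536


def reassemble(capture):
    """Group fragments by IP ID and return {ip_id: total_ip_payload_bytes}
    for every datagram whose fragment chain is contiguous and complete."""
    frags = defaultdict(list)
    for line in capture.splitlines():
        m = FRAG_RE.search(line)
        if m:
            ip_id, length, offset, more = m.groups()
            frags[int(ip_id)].append((int(offset), frag_len(int(length)), more == "+"))
    complete = {}
    for ip_id, parts in frags.items():
        parts.sort()
        expected = 0
        for offset, length, _more in parts:
            if offset != expected:      # hole in the fragment chain
                break
            expected = offset + length
        else:
            if not parts[-1][2]:        # last fragment has MF clear
                complete[ip_id] = expected
    return complete


def count_esp(capture):
    """Return (fragmented, whole) counts of ESP datagrams in the capture."""
    fragmented = whole = 0
    for line in capture.splitlines():
        if ESP_RE.search(line):
            if FRAG_RE.search(line):
                fragmented += 1
            else:
                whole += 1
    return fragmented, whole


IPV4_HDR = 20    # outer (tunnel) IPv4 header without options
ESP_HDR = 8      # SPI + sequence number
ESP_TRAILER = 2  # pad length + next header
ESP_ICV = 12     # 96-bit truncated HMAC (assumed integrity algorithm)


def esp_tunnel_size(inner_len, iv_len=16, block=16, icv=ESP_ICV):
    """On-the-wire size of an inner IP packet of inner_len bytes after ESP
    tunnel-mode encapsulation. Defaults assume AES-CBC (16-byte IV and
    block); pass iv_len=8, block=8 for 3DES-CBC."""
    pad = (-(inner_len + ESP_TRAILER)) % block
    return IPV4_HDR + ESP_HDR + iv_len + inner_len + pad + ESP_TRAILER + icv


def max_inner_mtu(path_mtu=1500, iv_len=16, block=16, icv=ESP_ICV):
    """Largest inner packet whose ESP encapsulation still fits path_mtu."""
    inner = path_mtu
    while esp_tunnel_size(inner, iv_len, block, icv) > path_mtu:
        inner -= 1
    return inner


def tcp_mss_clamp(path_mtu=1500, **cipher):
    """TCP MSS (40 bytes of IPv4 + TCP headers, no options) that keeps a
    full-size segment within max_inner_mtu."""
    return max_inner_mtu(path_mtu, **cipher) - 40


if __name__ == "__main__":
    print("reassembled ESP payload sizes:", reassemble(SAMPLE_CAPTURE))
    print("fragmented/whole ESP datagrams:", count_esp(SAMPLE_CAPTURE))
    print("1500-byte inner packet after AES-CBC ESP:", esp_tunnel_size(1500))
    print("max inner MTU / MSS clamp (AES-CBC):", max_inner_mtu(), tcp_mss_clamp())
    print("max inner MTU / MSS clamp (3DES-CBC):",
          max_inner_mtu(iv_len=8, block=8), tcp_mss_clamp(iv_len=8, block=8))
```

Run against the sample, `reassemble` returns 1540 bytes for each fragmented datagram, which plus the 20-byte outer header is exactly `esp_tunnel_size(1500)` under the assumed AES-CBC parameters: a full 1500-byte host packet picks up about 60 bytes of tunnel overhead and has to be fragmented on a 1500-byte path. Under the same assumptions the inner packet must stay at or below 1438 bytes (TCP MSS 1398), which is why dropping the host MTU to 1400 stopped the fragmentation; with a working MSS clamp on the gateway, only TCP benefits, so large UDP or ICMP datagrams would still fragment.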