Problem with VPN tunnels - apparently fragmentation

Radek Krejca radek at ceskedomeny.cz
Sat Nov 14 17:56:31 CET 2009


Hi,

DL> Just as an aside - this particular problem is fairly easy to
DL> diagnose. You run tcpdump, first on the incoming interface,
DL> then on the tunnel interface and then on the outgoing interface, and
DL> you immediately know which way the packet went or did not go.

I did investigate that, although it is true that not sufficiently. So, since
I currently do not have access to the PC where the VPN tunnel in question
is installed, here is a simulation using ping. The network is as follows:

10.0.0.1 - my router - my computer

Output interface (the interface closer to 10.0.0.1) on my router, via
tcpdump, while running the command ping -l 1500 10.0.0.1 on my computer
(I only have win available right now).

17:39:50.649012 IP 192.168.2.104 > 10.0.0.1: ICMP echo request, id 768, seq 12800, length 1480
17:39:50.649014 IP 192.168.2.104 > 10.0.0.1: icmp
17:39:56.149009 IP 192.168.2.104 > 10.0.0.1: ICMP echo request, id 768, seq 13056, length 1480
17:39:56.149011 IP 192.168.2.104 > 10.0.0.1: icmp

Next, the input interface (closer to my computer) with the same command:
17:46:45.149502 IP 192.168.2.104 > 10.0.0.1: ICMP echo request, id 768, seq 17408, length 1480
17:46:45.149516 IP 192.168.2.104 > 10.0.0.1: icmp

Without specifying a size everything works as it should. The largest size
that gets through for me is 1472 bytes.

If I ping from my router to both sides, there is no problem (I have
fbsd there):
ping -s 15000 10.0.0.1
PING 10.0.0.1 (10.0.0.1): 15000 data bytes
15008 bytes from 10.0.0.1: icmp_seq=0 ttl=63 time=0.635 ms


DL> Information for verification/completion should then be supplied by

DL> netstat -s -p ip

ip:
        2480402489 total packets received
        672013 bad header checksums
        0 with size smaller than minimum
        300 with data size < data length
        0 with ip length > max ip packet size
        0 with header length < data size
        0 with data length < header length
        0 with bad options
        770 with incorrect version number
        0 fragments received
        0 fragments dropped (dup or out of space)
        0 fragments dropped after timeout
        0 packets reassembled ok
        708671754 packets for this host
        583855 packets for unknown/unsupported protocol
        1382107247 packets forwarded (77462627 packets fast forwarded)
        1111048 packets not forwardable
        15600976 packets received for unknown multicast group
        0 redirects sent
        599720045 packets sent from this host
        23 packets sent with fabricated ip header
        1575 output packets dropped due to no bufs, etc.
        12 output packets discarded due to no route
        10380325 output datagrams fragmented
        39989831 fragments created
        20 datagrams that can't be fragmented
        0 tunneling packets that can't find gif
        125 datagrams with bad address in header
-- 
Best regards,
 Radek Krejca
 STARNET, s. r. o.
 radek at ceskedomeny.cz




