[c-nsp] IPSEC + TFTP don't work

Victor Sudakov vas at mpeks.tomsk.su
Thu Apr 5 09:32:26 EDT 2012


Colleagues,

As soon as I configure IPSec between 2 routers, PXE booting via those
routers no longer works. NIC bootroms obtain an IP address but cannot
fetch the bootfile via TFTP.

A tcpdump on the TFTP server shows a successful TFTP option
negotiation, but when it starts sending big data packets (1478 bytes
on wire), the client does not seem to receive them and eventually
times out.

If I remove the crypto map to allow the client hosts to boot, and then
reapply the crypto map, everything (DNS, RDP sessions, telnet) works
fine via this IPSec tunnel.  The UNIX tftp client works too, which is
weird.

The network diagram is simple:
FreeBSD TFTP server -> c2691 -> IPSec tunnel mode -> c1841 -> PXE client.

I feel that the issue may be in IP fragmentation of some sort which the
dumb PXE TCP/IP stack cannot handle, but a Google search did not help.
At least neither an Intel NIC, nor a Realtek NIC, nor a GPXE emulation
works.

Is this some known issue? Thanks in advance for any input.

-- 
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
sip:sudakov at sibptus.tomsk.ru
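A size budget for the fragmentation hypothesis above, as an added example that is not part of the original post: it works out the RFC 4303 ESP tunnel-mode overhead for a TFTP DATA packet and the largest TFTP blksize that still fits a 1500-byte MTU. It assumes IPv4, a 96-bit HMAC ICV, no NAT-T UDP encapsulation, and a negotiated blksize of 1432 (a constructed value that reproduces the 1478-byte frame mentioned in the post).

```python
"""ESP tunnel-mode size budget for TFTP data packets (RFC 4303 framing).

Added example, not code from the original post. Assumes IPv4, ESP in
tunnel mode, a 96-bit HMAC ICV, and no NAT-T UDP encapsulation.
"""

ETH_HDR = 14        # Ethernet header, counted only for "bytes on wire"
IP_HDR = 20         # IPv4 header without options
UDP_HDR = 8
TFTP_DATA_HDR = 4   # opcode (2) + block number (2)
ESP_HDR = 8         # SPI (4) + sequence number (4)
ESP_TRAILER = 2     # pad length (1) + next header (1)
ICV_LEN = 12        # HMAC-SHA1-96 / HMAC-MD5-96

# cipher name -> (IV length, required payload alignment)
CIPHERS = {"3des-cbc": (8, 8), "aes-cbc": (16, 16)}


def tftp_inner_ip_len(blksize: int) -> int:
    """IP total length of a TFTP DATA packet carrying `blksize` bytes."""
    return IP_HDR + UDP_HDR + TFTP_DATA_HDR + blksize


def esp_tunnel_len(inner_ip_len: int, cipher: str) -> int:
    """Outer IPv4 total length after ESP tunnel-mode encapsulation."""
    iv_len, align = CIPHERS[cipher]
    body = inner_ip_len + ESP_TRAILER
    padded = -(-body // align) * align     # pad up to the cipher block size
    return IP_HDR + ESP_HDR + iv_len + padded + ICV_LEN


def fits_mtu(blksize: int, cipher: str, mtu: int = 1500) -> bool:
    """True if the encrypted packet leaves the crypto router unfragmented."""
    return esp_tunnel_len(tftp_inner_ip_len(blksize), cipher) <= mtu


def max_blksize(cipher: str, mtu: int = 1500) -> int:
    """Largest TFTP blksize (RFC 2348 range) whose ESP packet fits the MTU."""
    return max(b for b in range(8, 65465) if fits_mtu(b, cipher, mtu))


if __name__ == "__main__":
    blksize = 1432   # constructed: reproduces the 1478-byte frame from the post
    inner = tftp_inner_ip_len(blksize)
    print(f"TFTP DATA blksize {blksize}: {inner + ETH_HDR} bytes on wire")
    for cipher in CIPHERS:
        outer = esp_tunnel_len(inner, cipher)
        print(f"  {cipher}: {outer} bytes after ESP, fits 1500? "
              f"{fits_mtu(blksize, cipher)}; max blksize {max_blksize(cipher)}")
```

With either cipher the 1464-byte inner packet grows past 1500 bytes after encapsulation, so the crypto router must fragment it; a blksize at or below the computed maximum avoids that.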

