[c-nsp] IPSEC + TFTP don't work

Randy randy_94108 at yahoo.com
Thu Apr 5 23:08:04 EDT 2012



--- On Thu, 4/5/12, Victor Sudakov <vas at mpeks.tomsk.su> wrote:

> From: Victor Sudakov <vas at mpeks.tomsk.su>
> Subject: Re: [c-nsp] IPSEC + TFTP don't work
> To: cisco-nsp at puck.nether.net
> Date: Thursday, April 5, 2012, 7:45 PM
> Robert E. Seastrom wrote:
> > 
> > > I feel that the issue may be in IP fragmentation of some sort which the
> > > dumb PXE TCP/IP stack cannot handle, but a google search did not help.
> > > At least neither an Intel NIC, nor a Realtek NIC nor a GPXE emulation
> > > work.
> > 
> > I'm pretty sure you're on the right track.
> > 
> > Try setting the MTU on the ethernet on the TFTP server to 1400 or so
> > rather than 1500.  That oughta fix the problem, assuming that the tftp
> > server software is sanely written.  If it were TCP (tftpboot is of
> > course udp) that would DTRT.
> 
> Actually I have tried something like 
> 
> route add -net $protected_net -mtu 1300 $ipsec_gateway
> 
> on the TFTP server and it did not help. I think the TFTP server just
> sends its packets as requested by the client and does not care if the
> MTU is small.
> 
> -- 
> Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
> sip:sudakov at sibptus.tomsk.ru


What you tried wouldn't work because TFTP is UDP and the MTU size is decided by the application in question, unlike TCP.

Instead of mucking with individual-interface MTU sizes on your server, how about you do the following:

1) Account for the encap (if any, like GRE) and IPsec overhead and drop your IP MTU size to a value that works.
2) Ensure ICMP type 3 code 4 messages are allowed between the router and the backend server on the LAN.

hth,
./Randy
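The size arithmetic behind the two points above, as an added example that is not part of the thread or of any Cisco or TFTP server code: the TFTP client, not the server, picks the packet size through the RFC 2348 blksize option (PXE stacks commonly ask for around 1456 bytes), and the ESP tunnel adds a fixed header plus cipher padding on top of that. The script below computes the encapsulated size of a full TFTP DATA packet, the largest inner IP MTU (the value for `ip mtu` on the tunnel) and the largest blksize that fits a 1500-byte path, and parses a constructed PXE read request to show that its requested blksize would fragment. The ESP parameters (IPv4 without options, tunnel mode, AES-CBC or 3DES-CBC with explicit IV, HMAC-SHA1-96 ICV, no ESN) and the sample request bytes are assumptions for the illustration, not values from the original post.

```python
"""
Size arithmetic for TFTP over an IPsec ESP tunnel (added example, not from the
thread). Assumptions, labelled here and in the lead-in: IPv4 with no options,
ESP tunnel mode, a CBC cipher with explicit IV, no ESN, and the ICV lengths
listed below. Real deployments should confirm these against the SA in use.
"""

IPV4_HDR = 20          # outer and inner IPv4 header, no options
UDP_HDR = 8
TFTP_DATA_HDR = 4      # opcode (2) + block number (2), RFC 1350
ESP_HDR = 8            # SPI (4) + sequence number (4)
NAT_T_UDP = 8          # extra UDP header when NAT traversal is in use

# Assumed per-algorithm parameters (CBC mode: IV length == block size).
CIPHER_BLOCK = {"aes-cbc": 16, "3des-cbc": 8}
ICV_LEN = {"hmac-sha1-96": 12, "hmac-md5-96": 12, "hmac-sha256-128": 16}

# RFC 2348 limits for the blksize option.
BLKSIZE_MIN, BLKSIZE_MAX = 8, 65464


def esp_tunnel_size(inner_len, cipher="aes-cbc", auth="hmac-sha1-96", nat_t=False):
    """On-the-wire IPv4 length of an ESP tunnel-mode packet carrying an inner
    IPv4 packet of inner_len bytes."""
    block = CIPHER_BLOCK[cipher]
    body = inner_len + 2                 # + pad length (1) + next header (1)
    pad = (-body) % block                # pad so the encrypted body fills whole blocks
    size = IPV4_HDR + ESP_HDR + block + body + pad + ICV_LEN[auth]
    return size + NAT_T_UDP if nat_t else size


def max_inner_mtu(path_mtu=1500, **kw):
    """Largest inner IP packet that crosses the path unfragmented, i.e. the
    value to configure as 'ip mtu' on the tunnel side."""
    for inner in range(path_mtu, 0, -1):
        if esp_tunnel_size(inner, **kw) <= path_mtu:
            return inner
    raise ValueError("path MTU too small for any payload")


def max_tftp_blksize(path_mtu=1500, **kw):
    """Largest RFC 2348 blksize whose DATA packets fit after encapsulation."""
    blksize = max_inner_mtu(path_mtu, **kw) - IPV4_HDR - UDP_HDR - TFTP_DATA_HDR
    return max(BLKSIZE_MIN, min(blksize, BLKSIZE_MAX))


def tftp_data_fits(blksize, path_mtu=1500, **kw):
    """Does a full-size TFTP DATA packet with this blksize fit the tunnel path?"""
    inner = IPV4_HDR + UDP_HDR + TFTP_DATA_HDR + blksize
    return esp_tunnel_size(inner, **kw) <= path_mtu


def parse_tftp_request(pkt):
    """Parse a TFTP RRQ/WRQ (RFC 1350) with options (RFC 2347) into a dict."""
    opcode = int.from_bytes(pkt[:2], "big")
    if opcode not in (1, 2):
        raise ValueError("not a read/write request")
    fields = pkt[2:].split(b"\x00")
    if len(fields) < 3 or fields[-1] != b"":
        raise ValueError("malformed request: missing trailing NUL")
    fields = fields[:-1]                 # drop the empty field after the last NUL
    if len(fields) % 2:
        raise ValueError("options must come in name/value pairs")
    filename = fields[0].decode("ascii")
    mode = fields[1].decode("ascii").lower()
    options = {k.decode("ascii").lower(): v.decode("ascii")
               for k, v in zip(fields[2::2], fields[3::2])}
    return {"opcode": "RRQ" if opcode == 1 else "WRQ",
            "filename": filename, "mode": mode, "options": options}


def negotiated_blksize(request, path_mtu=1500, **kw):
    """blksize a tunnel-aware server should answer in its OACK: the client's
    request clamped to what fits (RFC 2348 allows the server to lower it)."""
    req = parse_tftp_request(request)
    wanted = int(req["options"].get("blksize", 512))   # 512 is the RFC 1350 default
    return min(wanted, max_tftp_blksize(path_mtu, **kw))


# Constructed sample (not a real capture): a PXE client asking for blksize 1456.
SAMPLE_RRQ = b"\x00\x01pxelinux.0\x00octet\x00blksize\x001456\x00tsize\x000\x00"

if __name__ == "__main__":
    req = parse_tftp_request(SAMPLE_RRQ)
    wanted = int(req["options"]["blksize"])
    print(f"client asked for blksize {wanted}: fits unfragmented = {tftp_data_fits(wanted)}")
    print(f"ip mtu for the tunnel: {max_inner_mtu()}, OACK blksize: {negotiated_blksize(SAMPLE_RRQ)}")
```

With the assumed AES-CBC/HMAC-SHA1-96 SA and a 1500-byte path, a 1456-byte blksize produces a 1560-byte ESP packet and gets fragmented, while the tunnel carries an inner MTU of 1438 and a blksize of 1406 intact. Point 2) in the post matters because even a correctly lowered `ip mtu` only helps a UDP sender if the Fragmentation Needed message it triggers actually reaches the server and the server's stack acts on it; the clamping in `negotiated_blksize` is the application-level equivalent that does not depend on ICMP at all.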
