[c-nsp] IPSEC + TFTP don't work
Victor Sudakov
vas at mpeks.tomsk.su
Fri Apr 6 00:53:44 EDT 2012
Randy wrote:
> > >
> > > Try setting the MTU on the ethernet on the TFTP server to 1400 or so
> > > rather than 1500. That oughta fix the problem, assuming that the tftp
> > > server software is sanely written. If it were TCP (tftpboot is of
> > > course udp) that would DTRT.
> >
> > Actually I have tried something like
> >
> > route add -net $protected_net -mtu 1300 $ipsec_gateway
> >
> > on the TFTP server and it did not help. I think the TFTP server just
> > sends its packets as requested by the client and does not care if the
> > MTU is small.
>
>
> What you tried wouldn't work because TFTP is UDP and the MTU size
> is decided by the application in question; unlike TCP.
Therefore I thought that the above advice ("try setting the MTU on the
ethernet") would not work either.
>
> Instead of mucking with individual-interface MTU sizes on your server, how about you do the following:
>
> 1) account for the encap (if any, like GRE) and IPsec overhead and
> drop your IP MTU size to a value that works.
Could you please be more specific? Where do I drop the IP MTU size? If
the TFTP server has already sent a large packet, what do I do about
it?
> 2) Ensure icmp type-3 code-4 messages are allowed between router and
> backend server-on-lan.
Any traffic is allowed, it's a lab test so far.
BTW I have found out two things:
1. The TFTP traffic indeed does arrive fragmented at the NIC, see
http://zalil.ru/33025296
2. I have found a NIC which can handle fragmentation and does work in
this setup. It's a Broadcom BCM5709C NetXtreme II GigE, perhaps it has
an advanced IP stack.
--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
sip:sudakov at sibptus.tomsk.ru
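Randy's step 1 ("account for the encap and IPsec overhead") can be worked out rather than guessed. The following is an added example, not code from the thread: it applies the ESP packet layout from RFC 4303 to find the largest inner IPv4 packet that still fits a 1500-byte link after encapsulation, and checks whether a TFTP DATA packet of a given blksize (RFC 2348 option; 512 is the default) would have to be fragmented. The cipher profiles and all numbers are assumptions for illustration (IPv4 without options, minimal GRE header, CBC cipher with a separate HMAC).

```python
from dataclasses import dataclass
from math import ceil

IPV4_HDR = 20
UDP_HDR = 8
GRE_HDR = 4          # minimal GRE header (no key/sequence fields), assumed
ESP_HDR = 8          # SPI (4) + sequence number (4)
ESP_TRAILER = 2      # pad length (1) + next header (1)
TFTP_DATA_HDR = 4    # opcode (2) + block number (2)


@dataclass(frozen=True)
class EspProfile:
    name: str
    block: int   # cipher block size; payload + trailer is padded to a multiple of it
    iv: int      # IV length carried in the packet
    icv: int     # integrity check value length


# Constructed profiles for illustration (sizes per RFC 4303 / common transforms).
AES_CBC_SHA1 = EspProfile("aes-cbc/hmac-sha1-96", block=16, iv=16, icv=12)
DES3_CBC_SHA1 = EspProfile("3des-cbc/hmac-sha1-96", block=8, iv=8, icv=12)


def esp_size(inner_len: int, prof: EspProfile, tunnel: bool, gre: bool = False) -> int:
    """Wire size of one inner IPv4 packet of inner_len bytes after ESP.

    tunnel=True : whole inner packet is ESP payload, a new outer IP header is added.
    tunnel=False: transport mode, the IP header stays outside, only its payload is wrapped.
    gre=True    : the packet is first put in GRE (GRE header + delivery IP header).
    """
    if gre:
        inner_len += GRE_HDR + IPV4_HDR
    payload = inner_len if tunnel else inner_len - IPV4_HDR
    padded = ceil((payload + ESP_TRAILER) / prof.block) * prof.block
    return IPV4_HDR + ESP_HDR + prof.iv + padded + prof.icv


def max_inner_mtu(link_mtu: int, prof: EspProfile, tunnel: bool, gre: bool = False) -> int:
    """Largest inner packet that still fits link_mtu after encapsulation (the 'ip mtu' to set)."""
    n = link_mtu
    while esp_size(n, prof, tunnel, gre) > link_mtu:
        n -= 1
    return n


def tftp_datagram_len(blksize: int) -> int:
    """IPv4 length of a TFTP DATA packet carrying one block."""
    return IPV4_HDR + UDP_HDR + TFTP_DATA_HDR + blksize


def will_fragment(blksize: int, link_mtu: int, prof: EspProfile, tunnel: bool, gre: bool = False) -> bool:
    """True if a TFTP DATA packet of this blksize exceeds the inner MTU and must be fragmented."""
    return tftp_datagram_len(blksize) > max_inner_mtu(link_mtu, prof, tunnel, gre)
```

With AES-CBC/SHA1 in tunnel mode on a 1500-byte link the inner MTU comes out at 1438, so a default 512-byte block (544-byte datagram) never fragments while a negotiated blksize of 1428 (1460-byte datagram) does; either lower the blksize the client requests or set the tunnel's IP MTU from this figure and let PMTUD (the ICMP type 3 code 4 in Randy's step 2) do the rest.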