
Mailing List Archive: vpnc: devel

MTU detection in vpnc-script

 

 



smart at sbox

Sep 4, 2009, 5:27 AM

Post #1 of 8 (3374 views)
MTU detection in vpnc-script

Hello,

The MTU detection and setting in the vpnc-script is done as follows:

    if [ -n "$INTERNAL_IP4_MTU" ]; then
        MTU=$INTERNAL_IP4_MTU
    elif [ -n "$IPROUTE" ]; then
        DEV=$($IPROUTE route | grep ^default | sed 's/^.* dev \([[:alnum:]-]\+\).*$/\1/')
        MTU=$(($($IPROUTE link show "$DEV" | grep mtu | sed 's/^.* mtu \([[:digit:]]\+\).*$/\1/') - 88))
    else
        MTU=1412
    fi

Maybe the part in the "elif" section could be a problem. If there is no
default route set before, DEV becomes an empty string and subsequently
the MTU calculation with the - 88 fails. The MTU remains unchanged then
and is not even set to the fallback 1412.
This can produce problems indicated by "esp sendto: Message too long"
messages.
If I'm not wrong then maybe it would help to detect the device in another way
in that case (maybe the device that routes to the IPSec gateway) or at least
apply the fallback.

Kind regards,
Martin Schickbichler
_______________________________________________
vpnc-devel mailing list
vpnc-devel [at] unix-ag
https://lists.unix-ag.uni-kl.de/mailman/listinfo/vpnc-devel
http://www.unix-ag.uni-kl.de/~massar/vpnc/




Tim at rikers

Sep 10, 2009, 1:33 AM

Post #4 of 8 (3280 views)
Re: MTU detection in vpnc-script [In reply to]

This will probably also not deal with there being multiple default routes.

Martin Schickbichler wrote:
> Hello,
>
> The MTU detection and setting in the vpnc-script is done as follows:
>
> if [ -n "$INTERNAL_IP4_MTU" ]; then
> MTU=$INTERNAL_IP4_MTU
> elif [ -n "$IPROUTE" ]; then
> DEV=$($IPROUTE route | grep ^default | sed 's/^.* dev \([[:alnum:]-]\+\).*$/\1/')
> MTU=$(($($IPROUTE link show "$DEV" | grep mtu | sed 's/^.* mtu \([[:digit:]]\+\).*$/\1/') - 88))
> else
> MTU=1412
> fi
>
> Maybe the part in the "elif" section could be a problem. If there is no
> default route set before, DEV becomes an empty string and subsequently
> the MTU calculation with the - 88 fails. The MTU remains unchanged then
> and is not even set to the fallback 1412.
> This can produce problems indicated by "esp sendto: Message too long"
> messages.
> If I'm not wrong then maybe it would help to detect the device in another way
> in that case (maybe the device that routes to the IPSec gateway) or at least
> apply the fallback.
>
> Kind regards,
> Martin Schickbichler



shiva at sewingwitch

Feb 23, 2010, 1:52 PM

Post #5 of 8 (2826 views)
Re: MTU detection in vpnc-script [In reply to]

--On Thursday, September 10, 2009 3:33 AM -0600 Tim Riker <Tim [at] rikers>
wrote:

> This will probably also not deal with there being multiple default routes.

I've recently run into this, and indeed multiple default routes cause no
MTU to be set, which results in lots of dropped packets. (The actual
symptoms were intermittent dropped mail messages going to the peer's mail
server.)

It looks like the most recent version of the script has the same code:

<http://svn.unix-ag.uni-kl.de/vpnc/trunk/vpnc-script.in>

Adding a "head -1" to the line starting with "DEV=" should address multiple
default routes, but doesn't address having no default route.
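
[Added example, not part of any post in this thread and not the vpnc-script code: one way to make the MTU selection always yield a value, covering both cases raised above (no default route, several default routes). The function names, the sample routing table and the stubbed link output are constructed for illustration; 88 and 1412 are taken from the snippet quoted in the first post.]

```shell
# Added example, not the vpnc-script code. 88 and 1412 are the overhead and
# fallback values from the snippet quoted in the thread.
ESP_OVERHEAD=88
FALLBACK_MTU=1412

# Print the device of the FIRST default route found in `ip route` output on
# stdin; prints nothing when there is no default route.
first_default_dev() {
    sed -n 's/^default.* dev \([^ ]\{1,\}\).*$/\1/p' | head -n 1
}

# Print the mtu value found in `ip link show DEV` output on stdin.
link_mtu() {
    sed -n 's/^.* mtu \([[:digit:]]\{1,\}\).*$/\1/p' | head -n 1
}

# Default link query; honours $IPROUTE like the original script.
real_link() { "${IPROUTE:-ip}" link show "$1" 2>/dev/null; }

# pick_mtu PUSHED_MTU ROUTE_TEXT [LINK_CMD]  (hypothetical names)
pick_mtu() {
    pushed=$1; routes=$2; link_cmd=${3:-real_link}
    case $pushed in
        ''|*[!0-9]*) ;;                    # unset or not a number: keep looking
        *) echo "$pushed"; return 0 ;;     # gateway-supplied MTU wins
    esac
    dev=$(printf '%s\n' "$routes" | first_default_dev)
    base=
    if [ -n "$dev" ]; then
        base=$("$link_cmd" "$dev" | link_mtu)
    fi
    case $base in
        ''|*[!0-9]*) echo "$FALLBACK_MTU" ;;   # no device or no mtu: fallback
        *) echo $((base - ESP_OVERHEAD)) ;;
    esac
}

# Constructed sample data: two default routes and a stub for `ip link show`.
SAMPLE_ROUTES='default via 192.168.1.1 dev eth0 metric 100
default via 10.0.0.1 dev wlan0 metric 600
192.168.1.0/24 dev eth0 proto kernel scope link'
sample_link() {
    case $1 in
        eth0)  echo '2: eth0: <BROADCAST,MULTICAST,UP> mtu 1492 qdisc fq_codel state UP' ;;
        wlan0) echo '3: wlan0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state UP' ;;
    esac
}
pick_mtu "" "$SAMPLE_ROUTES" sample_link                     # two default routes
pick_mtu "" "10.8.0.0/24 dev eth0 scope link" sample_link    # no default route
```

[In a real script the second argument would be the output of "$IPROUTE route" and the third argument would be omitted so that real_link is used.]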




dwmw2 at infradead

Feb 23, 2010, 2:11 PM

Post #6 of 8 (2822 views)
Re: MTU detection in vpnc-script [In reply to]

On Tue, 2010-02-23 at 13:52 -0800, Kenneth Porter wrote:
> --On Thursday, September 10, 2009 3:33 AM -0600 Tim Riker <Tim [at] rikers>
> wrote:
>
> > This will probably also not deal with there being multiple default routes.
>
> I've recently run into this, and indeed multiple default routes cause no
> MTU to be set, which results in lots of dropped packets. (The actual
> symptoms were intermittent dropped mail messages going to the peer's mail
> server.)

Was this not fixed by the commit at
http://git.infradead.org/users/dwmw2/vpnc-scripts.git/commitdiff/179943a2 ?

--
David Woodhouse Open Source Technology Centre
David.Woodhouse [at] intel Intel Corporation



shiva at sewingwitch

Mar 15, 2010, 3:12 PM

Post #7 of 8 (2725 views)
Re: MTU detection in vpnc-script [In reply to]

--On Tuesday, February 23, 2010 10:11 PM +0000 David Woodhouse
<dwmw2 [at] infradead> wrote:

> Was this not fixed by the commit at
> http://git.infradead.org/users/dwmw2/vpnc-scripts.git/commitdiff/179943a2
> ?

Sorry, I hadn't realized the script was being maintained separately. I just
looked at the Subversion repo on the vpnc page.




dwmw2 at infradead

Mar 15, 2010, 3:32 PM

Post #8 of 8 (2719 views)
Re: MTU detection in vpnc-script [In reply to]

On Mon, 2010-03-15 at 15:12 -0700, Kenneth Porter wrote:
> --On Tuesday, February 23, 2010 10:11 PM +0000 David Woodhouse
> <dwmw2 [at] infradead> wrote:
>
> > Was this not fixed by the commit at
> > http://git.infradead.org/users/dwmw2/vpnc-scripts.git/commitdiff/179943a2
> > ?
>
> Sorry, I hadn't realized the script was being maintained separately. I just
> looked at the Subversion repo on the vpnc page.

Yeah, the script is used by both vpnc and openconnect and it needed some
love (the fix mentioned above, some OS portability stuff, IPv6 support,
etc.)

That repository also has an alternative script which uses network
namespaces to give you just a SOCKS proxy into the VPN without screwing
with your 'normal' Legacy IP routing at all.

--
dwmw2

