Sunday, May 22, 2011

Troubleshooting IPsec VPNs




 Because IPsec is a combination of multiple protocols, it is important to have a very strong understanding of how these protocols work together to troubleshoot IPsec. A thorough understanding of ISAKMP is also very useful in identifying negotiation problems in IPsec. This section looks at some of the tools available to troubleshoot IPsec, as well as some of the common issues surrounding its implementation.

IPsec's Order of Events

IPsec's order of events is important to know because IPsec interacts with a wide variety of protocols running on a router. Because IPsec adds an additional header on top of the original header with a changed IP address in the case of ESP tunnel mode, it is important to understand how the various other routines affect this new header. Tablebelow outlines the sequence of events. "Inside" is generally the private network behind the router, and "outside" is the network on the public side of the router.
Table. Order in Which Various Operations Are Performed for Packets Passing Through a Router
Inside to Outside
Outside to Inside
  1. If IPsec, check input access list
  2. Decryption for CET or IPsec
  3. Check input access list
  4. Check input rate limits
  5. Input accounting
  6. Inspect
  7. Policy routing
  8. Routing
  9. Redirect to web cache
  10. NAT inside to outside (local-to-global translation)
  11. Crypto (check map and mark for encryption)
  12. Check output access list
  13. Inspect
  14. TCP intercept
  15. Encryption for CET or IPsec
  1. If IPsec, check input access list
  2. Decryption for CET or IPsec
  3. Check input access list
  4. Check input rate limits
  5. Input accounting
  6. Inspect
  7. NAT outside to inside (global-to-local translation)
  8. Policy routing
  9. Routing
  10. Redirect to web cache
  11. Crypto (check map and mark for encryption)
  12. Check output access list
  13. Inspect
  14. TCP intercept
  15. Encryption for CET or IPsec


It is interesting to note that for IPsec traffic, the incoming access list is processed twice-once before decryption and once after decryption. Therefore, not only does ESP traffic need to be allowed through the incoming access list, but a hole needs to be opened for the subnets that are considered interesting traffic for IPsec and are being tunneled. However, because the router drops any packets arriving on its outside interface that match the IPsec interesting traffic access list and are not IPsec-encapsulated, the risk of an attacker's using this hole to gain access to the network behind the router is minimized.

IPsec Debugs

IPsec debug messages are a very important source for understanding any issues that might creep into the implementation of IPsec VPNs. The three most commonly useddebug commands to troubleshoot IPsec are
  • debug crypto isakmp
  • debug crypto ipsec
  • debug crypto engine
The first two debug commands are valid for the PIX Firewall as well. PIX has similar debugs as the ones shown for a router.
Example below shows the configuration of the router on one end of the IPsec tunnel. The router on the other end has a corresponding configuration . This configuration is used to generate the debugs shown here.
Example . IPsec Configuration on a Router Used to Generate Sample Debugs
Router#write terminal



crypto isakmp policy 1

 encr 3des

 authentication pre-share

crypto isakmp key jw4ep9846804ijl address 172.16.172.20

!

crypto ipsec transform-set myset esp-3des esp-md5-hmac

!

crypto map vpn 10 ipsec-isakmp

 set peer 172.16.172.20

 set transform-set myset

 match address 101



interface Ethernet0/0

 ip address 10.1.1.1 255.255.255.0

!

interface Ethernet1/0

 ip address 172.16.172.10 255.255.255.240

 crypto map vpn

!



access-list 101 permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255


Example below shows the debug messages generated by turning on the three debugs just mentioned.
NOTE
In the sample debugs shown in Example below, the explanation of the debug is followed by the actual debugs for that explanation.

Example . IPsec Debugs Generated by Issuing the Commands debug crypto isakmpdebug crypto ipsec, and debug crypto engine
Router#debug crypto ISAKMP

Router#debug crypto engine

Router#debug crypto ipsec



!Ping source and destination addresses matched the address access list for the

!crypto map VPN



   00:04:10: IPSEC(sa_request): ,

   (key eng. msg.) OUTBOUND local= 172.16.172.10, remote= 172.16.172.20,

   local_proxy = 10.1.1.0/255.255.255.0/0/0 (type=4),

   remote_proxy = 10.1.2.0/255.255.255.0/0/0 (type=4),



!The 'local' is the local tunnel endpoint, and the 'remote' is the remote crypto

!endpoint as configured in the map. The local proxy is the src interesting traffic

!as defined by the match address access list. The remote proxy is the destination

!interesting traffic as defined by the match address access list.



         protocol= ESP, transform= esp-3des esp-md5-hmac ,

    lifedur= 3600s and 4608000kb,

    spi= 0x4A10F22E(1242624558), conn_id= 0, keysize= 0, flags= 0x400C



!The protocol and the transforms are specified by the crypto map that has been

!hit, as are the lifetimes

!negotiate phase I SA parameters.



  ISAKMP: received ke message (1/1)

  ISAKMP: local port 500, remote port 500

  ISAKMP (0:1): Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM Old State =

        IKE_READY  New State = IKE_I_MM1

  ISAKMP (0:1): beginning Main Mode exchange

  00:04:10: ISAKMP (0:1): sending packet to 172.16.172.20 (I) MM_NO_STATE

  00:04:10: ISAKMP (0:1): received packet from 172.16.172.20 (I) MM_NO_STATE

  00:04:10: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

  Old State = IKE_I_MM1  New State = IKE_I_MM2



00:04:10: ISAKMP (0:1): processing SA payload. message ID = 0

00:04:10: ISAKMP (0:1): found peer pre-shared key matching 172.16.172.20

00:04:10: ISAKMP (0:1): Checking ISAKMP transform 1 against priority 1 policy

00:04:10: ISAKMP:      encryption 3DES-CBC

00:04:10: ISAKMP:      hash SHA

00:04:10: ISAKMP:      default group 1

00:04:10: ISAKMP:      auth pre-share

00:04:10: ISAKMP:      life type in seconds

00:04:10: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80

00:04:10: ISAKMP (0:1): atts are acceptable. Next payload is 0

00:04:10: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

Old State = IKE_I_MM2  New State = IKE_I_MM2



!Policy 1 on this router and the atts offered by the other side matched.

!The third and fourth packets complete the  Diffie-Hellman Exchange.



ISAKMP (0:1): sending packet to

172.16.172.20 (I) MM_SA_SETUP

ISAKMP (0:1): Input = IKE_MESG_INTERNAL,

  IKE_PROCESS_COMPLETE Old State = IKE_I_MM2  New State = IKE_I_MM3

ISAKMP (0:1): received packet from 172.16.172.20 (I) MM_SA_SETUP

ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

Old State = IKE_I_MM3  New State = IKE_I_MM4



ISAKMP (0:1): processing KE payload. message ID = 0

ISAKMP (0:1): processing NONCE payload. message ID = 0

ISAKMP (0:1): found peer pre-shared key matching 172.16.172.20

ISAKMP (0:1): SKEYID state generated

ISAKMP (0:1): processing vendor id payload



!The fifth and sixth packets complete IKE authentication. Phase I SA established.



ISAKMP (0:1): SA is doing pre-shared key

authentication using id type ID_IPV4_ADDR

...

ISAKMP (0:1): sending packet to 172.16.172.20

(I) MM_KEY_EXCH

ISAKMP (0:1): Input = IKE_MESG_INTERNAL,

IKE_PROCESS_COMPLETEOld State = IKE_I_MM4  New State = IKE_I_MM5



ISAKMP (0:1): received packet from 172.16.172.20 (I) MM_KEY_EXCH

ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

Old State = IKE_I_MM5  New State = IKE_I_MM6

ISAKMP (0:1): processing ID payload. message ID = 0

ISAKMP (0:1): processing HASH payload. message ID = 0

ISAKMP (0:1): SA has been authenticated with 172.16.172.20

ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE



!Begin Quick Mode exchange. IPsec SA is negotiated in QM.



ISAKMP (0:1): beginning Quick Mode exchange, M-ID of 965273472

ISAKMP (0:1): sending packet to 172.16.172.20 (I) QM_IDLE

ISAKMP (0:1): Node 965273472, Input = IKE_MESG_INTERNAL, IKE_INIT_QM Old State =

  IKE_QM_READY  New State = IKE_QM_I_QM1

ISAKMP (0:1): received packet from 172.16.172.20 (I) QM_IDLE



!The IPsec SA proposal offered by the far end is checked against the local crypto

!map configuration



ISAKMP (0:1): processing HASH payload. message ID = 965273472

ISAKMP (0:1): processing SA payload. message ID = 965273472



ISAKMP (0:1): Checking IPsec proposal 1

ISAKMP: transform 1, ESP_3DES

ISAKMP:   attributes in transform:

ISAKMP:      encaps is 1

ISAKMP:      SA life type in seconds

ISAKMP:      SA life duration (basic) of 3600

ISAKMP:      SA life type in kilobytes

ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0

ISAKMP:      authenticator is HMAC-MD5

ISAKMP (0:1): atts are acceptable.

IPSEC(validate_proposal_request): proposal part #1,

  (key eng. msg.) INBOUND local= 172.16.172.10, remote= 172.16.172.20,

  local_proxy= 10.1.1.0/255.255.255.0/0/0 (type=4),

  remote_proxy= 10.1.2.0/255.255.255.0/0/0 (type=4),

  protocol= ESP, transform= esp-3des esp-md5-hmac ,

  lifedur= 0s and 0kb,

  spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4



!Two IPsec SAs have been negotiated--an incoming SA with the SPI generated by the

!local machine and an outbound SA with the SPIs proposed by the remote end.





ISAKMP (0:1): Creating IPsec SAs

inbound SA from 172.16.172.20 to 172.16.172.10(proxy 10.1.2.0 to 10.1.1.0)

has spi 0x8EAB0B22 and conn_id 2029 and flags 4

 lifetime of 3600 seconds lifetime of 4608000 kilobytes

outbound SA from 172.16.172.10   to 172.16.172.20 (proxy 10.1.1.0 to 10.1.2.0)

has spi -343614331 and conn_id 2030 and flags C

  lifetime of 3600 seconds lifetime of 4608000 kilobytes



!The IPsec SA info negotiated by IKE will be populated into the router's SADB.



00:04:10: IPSEC(key_engine): got a queue event...

00:04:10: IPSEC(initialize_sas): ,

  (key eng. msg.) INBOUND local= 172.16.172.10, remote= 172.16.172.20,

  local_proxy= 10.1.1.0/255.255.255.0/0/0 (type=4),

  remote_proxy= 10.1.2.0/255.255.255.0/0/0 (type=4),

  protocol= ESP, transform= esp-3des esp-md5-hmac ,

  lifedur= 3600s and 4608000kb,

  spi= 0x8EAB0B22(2393574178), conn_id= 2029, keysize= 0, flags= 0x4

00:04:10: IPSEC(initialize_sas): ,

  (key eng. msg.) OUTBOUND local= 172.16.172.10, remote= 172.16.172.20,

  local_proxy= 10.1.1.0/255.255.255.0/0/0 (type=4),

  remote_proxy= 10.1.2.0/255.255.255.0/0/0 (type=4),

  protocol= ESP, transform= esp-3des esp-md5-hmac ,

  lifedur= 3600s and 4608000kb,

  spi= 0xEB84DC85(3951352965), conn_id= 2030, keysize= 0, flags= 0xC



!IPsec SA created in SADB, sent out last packet with commit bit set. IPsec

!tunnel established.

IPSEC(create_sa): sa created,

 (sa) sa_dest= 172.16.172.10,

  sa_prot= 50,

  sa_spi= 0x8EAB0B22(2393574178),

  sa_trans= esp-3des esp-md5-hmac ,

  sa_conn_id= 2029

IPSEC(create_sa): sa created,

  (sa) sa_dest= 172.16.172.20, sa_prot= 50, sa_spi= 0xEB84DC85(3951352965),

  sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 2030

ISAKMP (0:1): sending packet to 172.16.172.20 (I) QM_IDLE

ISAKMP (0:1): Node 965273472, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH

Old State = IKE_QM_I_QM1  New State = IKE_QM_PHASE2_COMPLETE


IPsec show Commands

IPsec show commands are particularly useful in debugging IPsec. Having established basic connectivity, the network administrator can use show commands to see the issues related to the operation of IPsec on top of the basic network connectivity. Three show commands are most commonly used to view the status of an IPsec connection:
  • show crypto isakmp sa
  • show crypto ipsec sa
  • show crypto engine connection active
The show command output in Example below shows one ISAKMP SA and two IPsec SAs established. The packet count for each of the IPsec SAs, along with the negotiated parameters, are also shown.
Example . Sample Output for the show crypto engine connection active Command
Router#show crypto engine connection active

ID   Interface       IP-Address      State  Algorithm           Encrypt   Decrypt

 1   <none>          <none>          set    HMAC_SHA+3DES_56_C        0        0

!Shown above is the ISAKMP SA. It shows the hashing algorithm, SHA-HMAC, which is

!being used for authentication, as well as the encryption algorithm, 3DES, used to

!encrypt the IKE negotiation messages. The encrypt and decrypt counts are 0

!because the ISAKMP SA is not used to encrypt and decrypt data.

2029 Ethernet1/0     172.16.172.10   set    HMAC_MD5+3DES_56_C        0        4

2030 Ethernet1/0     172.16.172.10   set    HMAC_MD5+3DES_56_C        4        0

!Shown above are the two IPsec SAs. They show the hashing algorithm, SHA-HMAC,

!which is used for message integrity checking, as well as the encryption

!algorithm, 3DES, used to encrypt the ESP packets. The first SA is the incoming

!SA, because the packet count shows decrypts in it. The other one is the outgoing

!SA, showing only encrypts.


The show command in Example below shows the ISAKMP SA. It is in QM_IDLE state, meaning that quick mode has been successfully completed.
Example . Sample Output for the show crypto isakmp sa Command
Router#show crypto isakmp sa

dst             src             state           conn-id    slot

172.16.172.20   172.16.172.10   QM_IDLE               1       0


The ISAKMP SA can be in a number of states, depending on which state the negotiation is in. The following tables list these states. They are an excellent reference if you are trying to use show command output to find out the point at which a negotiation is. Table below shows the states displayed in the show crypto isakmp sa command when main mode is being negotiated. important.
Table . States Displayed in the show crypto isakmp sa Command When Main Mode Is Being Negotiated
State
Description
OAK_MM_NO_STATE
The ISAKMP SA has been created, but nothing else has happened yet. It is "larval" at this stage-there is no state.
OAK_MM_SA_SETUP
The peers have agreed on parameters for the ISAKMP SA.
OAK_MM_KEY_EXCH
The peers have exchanged Diffie-Hellman public keys and have generated a shared secret. The ISAKMP SA remains unauthenticated.
OAK_MM_KEY_AUTH
The ISAKMP SA has been authenticated. If the router initiated this exchange, this state transitions immediately to OAK_QM_IDLE, and a quick mode exchange begins.



Table below shows the states displayed in the show crypto isakmp sa command when aggressive mode is being negotiated. 

Table . States Displayed in the show crypto isakmp sa Command When Aggressive Mode Is Being Negotiated
State
Description
OAK_AG_NO_STATE
The ISAKMP SA has been created, but nothing else has happened yet. It is "larval" at this stage-there is no state.
OAK_AG_INIT_EXCH
The peers have done the first exchange in aggressive mode, but the SA is not authenticated.
OAK_AG_AUTH
The ISAKMP SA has been authenticated. If the router initiated this exchange, this state transitions immediately to OAK_QM_IDLE, and a quick mode exchange begins.







Table below shows the state displayed in the show crypto isakmp sa command when quick mode is being negotiated or has been negotiated. In general, the states shown in these tables are the most commonly seen states. Some other states might also be seen, but these shown here are by far the most 





Table . State Displayed in the show crypto isakmp sa Command When Quick Mode Is Being Negotiated or Has Been Negotiated
State
Description
OAK_QM_IDLE
The ISAKMP SA is idle. It remains authenticated with its peer and may be used for subsequent quick mode exchanges. It is in a quiescent state.


The show commands in Example below show the packets, counts, SPI, and various other parameters for both of the IPsec SAs in place between the two routers.
Example . Sample Output for the show crypto IPsec sa Command
Router#show crypto IPsec sa

interface: Ethernet1/0

    Crypto map tag: vpn, local addr. 172.16.172.10



   local  ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)

   remote ident (addr/mask/prot/port): (10.1.2.0/255.255.255.0/0/0)

   current_peer: 172.16.172.20

     PERMIT, flags={origin_is_acl,}

    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest 4

    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify 4

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0

    #send errors 6, #recv errors 0



     local crypto endpt.: 172.16.172.10, remote crypto endpt.: 172.16.172.20

     path mtu 1500, media mtu 1500

     current outbound spi: EB84DC85





inbound esp sas:

      spi: 0x8EAB0B22(2393574178)

        transform: esp-3des esp-md5-hmac ,

        in use settings ={Tunnel, }

        slot: 0, conn id: 2029, flow_id: 1, crypto map: vpn

        sa timing: remaining key lifetime (k/sec): (4607998/3347)

        IV size: 8 bytes

        replay detection support: Y



outbound esp sas:

      spi: 0xEB84DC85(3951352965)

        transform: esp-3des esp-md5-hmac ,

        in use settings ={Tunnel, }

        slot: 0, conn id: 2030, flow_id: 2, crypto map: vpn

        sa timing: remaining key lifetime (k/sec): (4607999/3347)

        IV size: 8 bytes

        replay detection support: Y


Commonly Seen IPsec Problems and Resolutions

IPsec issues can arise from a wide variety of reasons. This section discusses some of the more common problems with setting up IPsec tunnels and their functioning.
Incompatible ISAKMP Policy or Preshared Key
It is important for the ISAKMP preshared key, if that is the method of authentication being used, to match on the two IPsec peers. If this doesn't happen, the tunnel won't come up. The failure occurs in phase one of ISAKMP.
Example below shows the debugs seen on a Cisco IOS router when the preshared keys do not match.
Example . Sample Debug Output Seen on a Cisco IOS Router When the Preshared Keys Configured on It and Its Peer Do Not Match
Router#debug crypto ISAKMP

Router#debug crypto engine

Router#debug crypto ipsec



ISAKMP: reserved no zero on payload 5!

%CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from 155.0.0.1   failed its

sanity check or is malformed


It is also important for at least one ISAKMP policy on the two peers to match. If this does not happen, phase 1 of ISAKMP fails.
Example below contains sample debugs seen on a router when ISAKMP policies fail to match.
Example . Sample Debug Output Seen on a Router When ISAKMP Policies Fail to Match
Router#debug crypto ISAKMP

Router#debug crypto engine

Router#debug crypto ipsec



ISAKMP (0:1): Encryption algorithm offered does not match policy!

ISAKMP (0:1): atts are not acceptable. Next payload is 0

ISAKMP (0:1): no offers accepted!

ISAKMP (0:1): phase 1 SA not acceptable!


Incorrect Access Lists for Interesting Traffic
For IPsec to work correctly, the access control lists on the two peers must define interesting traffic such that the two peers can agree that they want to encrypt the same traffic. In most cases, the access lists configured on the two peers are exact reflections of each other. However, it is permissible for the traffic specified by an access list defined on one peer to be a subset of the traffic specified by the access list configured on the other peer. In the case of VPN clients, dynamic crypto maps need to be used to get over the problem of the VPN clients coming from an unknown IP address.
Example below shows the debugs that appear on the routers when the access lists configured on two peers negotiating IPsec are neither the same nor the subsets of each other.
Example . Sample Debug Output When the Access Lists Configured on Two Peers Negotiating IPsec Are Not the Same or Are Subsets of Each Other
Router#debug crypto ISAKMP

Router#debug crypto engine

Router#debug crypto ipsec



3d00h: IPsec(validate_transform_proposal): proxy identities not supported

3d00h: ISAKMP (0:3): IPsec policy invalidated proposal

3d00h: ISAKMP (0:3): phase 2 SA not acceptable!


Crypto Map Is on the Wrong Interface
Generally, the crypto map needs to be applied to the outgoing interface of the router or the PIX. Not applying the map to the egress interface stops IPsec from kicking in at all, and no ISAKMP debugs are generated. The crypto map needs to be applied to tunnel interfaces as well if you are using GRE with IPsec. In general, if a logical interface is used in conjunction with a physical interface to pass IPsec traffic, the crypto map needs to be applied to both of them.
Routing Issues
Routing can play an important role in bringing up an IPsec tunnel successfully. Keep in mind the following points when examining routing issues in IPsec implementations:
  • A packet needs to be routed to the interface that has the crypto map configured on it before IPsec kicks in.
  • Routes need to be there not only for the router to reach its peer's address but also for the IP subnet addresses in the IP packets' heads after they have been decrypted.
  • Use the debug ip packet acl detailed command to see if the routing is occurring correctly.
Bypassing NAT
We have already discussed how NAT can be bypassed on a router for traffic that is to be encapsulated in an IPsec tunnel.
On the PIX Firewall, the nat (inside) 0 access-list command can be used to bypass NAT in a fashion similar to the routers.
Time Settings for Certificates
Digital certificates are issued for a time frame. They become invalid after that and are invalid before the time frame starts. The clock and calendar of the machine on which the certificates are installed are used to determine the certificates' validity. It is important to have the correct time and date configured on the router or the PIX using certificates so that they can function properly.
Firewall or Access List Is Blocking IPsec Negotiations or Traffic
A firewall in the middle of an IPsec tunnel must allow the following protocols to go through it for IPsec to function properly:
  • ESP and/or AH
  • UDP port 500
The IPsec router, if it has an access list configured on the egress interface, must have holes in that access list not only for these two protocols but also to accommodate the fact that the incoming access list is applied twice to the IPsec traffic. See the discussion at the start of this section for details.
IPsec MTU Issues
IPsec adds significant overhead to the original IP packet being encapsulated. Therefore, it is possible that the new encapsulated packet's size might be more than the MTU on certain segments over which the IPsec packets must pass. Normal Path MTU mechanisms using ICMP packets can take care of fixing the MTU size, but when such ICMPs are blocked by a firewall or an access list somewhere along the path that the IPsec packet takes, issues can arise. The symptoms of these issues are often the inability of users to run applications such as e-mail and large file FTPs across the IPsec tunnel. Figure below shows how Path MTU discovery with IPsec works. If a router in the path of the packet being sent by the end host is unable to transmit the frame using the size of the frame it has received, it sends back an ICMP packet to the end host, asking for the packet size to be reduced to the maximum size the router can support. The end host then transmits the packets in frames of reduced size, which the router can transmit. This process is repeated as necessary by all the routers in the path of the packets transmitted by the end host.
Figure . IPsec Path MTU
graphics/24fig03.gif

However, there are situations in which the ICMP packets generated in the fashion previously described are blocked (perhaps by a firewall) from reaching the end host. Therefore, the end host never finds out that there is a problem with the MTU of the packets it is sending and continues sending frames with the large MTU size resulting in these large packets being dropped by the device which does have an MTU size large enough to accommodate these packets. Another situation arises when the end host does receive the ICMP packets but due to a bug or faulty implementation of the TCP/IP stack does not reduce its MTU size. The result is the same as described for ICMPs being blocked from reaching the end host.
In both of these cases, two options remain for the network administrator to fix the problem:
  • Setting up the TCP MSS on an edge router, forcing a small TCP MSS to be negotiated
  • Manually reducing the MTU on the end hosts that are not receiving the ICMP packets or are choosing to ignore them
To use either of these methods, you must know how to calculate the size of the packet after the IPsec header has been added. The following formula is used to calculate the size to which the original IP packet must be restricted to remain within the smallest MTU available on the path that is traversed by the IPsec tunnel:

maximum original packet size allowed = floor((IPsec packet size allowed),8) - (IPsec header+SPI+sequence number+HMAC) - (IV+pad+pad length+next header)
where

IPsec header = 20 bytes in ESP tunnel mode


SPI (Security Parameter Index) = 4 bytes


Sequence number = 4 bytes


ESP-HMAC MD5/SHA 96 digest = 12 bytes


IV (Initialization Vector) = 8 bytes


Pad = 1 byte


Pad length = 1 byte


Next header = 1 byte


The floor function here is calculated by finding the largest whole number (a number such as 1200.0 or 1300.0, not 1200.345 or 1300.897) that is fully divisible by 8 and that is less than "IPsec packet size allowed." For example, if the IPsec packet size allowed is 876, the floor to 8 would be 872, because 872 is fully divisible by 8 (872 / 8 = 109.0) and 872 is the largest such number that is less than 876.

A sample calculation is shown next. In this case, the network administrator has found out that the smallest MTU on the IPsec tunnel path is 1330 bytes:

maximum original packet size allowed = floor((1330),8) - (20+4+4+12) - (8-1-1-1) = 1328 - 40 - 11 = 1277
Therefore, the network administrator can manually configure the end host not to send a packet larger than 1277 bytes.
If the network administrator does not want to change the MTU on the end host, such as when there are too many of them, he or she can use the tcp mss command on the router's ingress interface. The router for the default gateway for the end hosts is:

ip tcp adjust-mss number


This command forces the router to sniff on the incoming TCP SYN packets and tweak the TCP MSS field to the number configured in this command. With the MSS value tweaked, the two end hosts sitting behind the two IPsec peers must agree to this tweaked, negotiated TCP MSS value.
The number is calculated by taking into account the size of the TCP header in the packet. The calculation is as follows:

Maximum TCP MSS value allowed = maximum original packet size allowed - 40
So, in the case of our example, the TCP MSS number would be 1277 - 40 = 1237 bytes.

No comments:

Post a Comment