CPUG

The Check Point User Group

A Resource For The Check Point Community.  Fast.  Useful.  Independent.

#1, posted 2005-08-12 by BarryStiefel (Administrator, San Francisco, CA)

VPNs fail when transferring large packets



Some applications set the "Don't Fragment" bit on certain packets. When the IPSEC headers are added onto the already large packet, the packet basically requires fragmentation in order to pass. When Check Point creates the IPSEC packet, the Don't Fragment bit is passed onto the new packet. The end result is a packet that requires fragmentation to pass, but has the Don't Fragment bit set, so it can't be fragmented. The packet gets dropped.

Answer: In FireWall-1 NG, you can force FireWall-1 to clear the Don't Fragment bit by changing the ipsec_dont_fragment property in objects_5_0.C to false. You do this with the following commands in dbedit on the management console (craig is the firewall in this example) or use GUIdbedit to change the parameter:

dbedit> modify network_objects craig VPN:ipsec_dont_fragment false
dbedit> update network_objects craig

For Solaris: In FireWall-1 4.1, you can force FireWall-1 to clear the Don't Fragment bit by setting the fw_ipsec_dont_fragment kernel variable as follows:

set fw:fw_ipsec_dont_fragment=0x0

To make this change without rebooting:

echo "fw_ipsec_dont_fragment?w 0x0" | adb -w -k /dev/ksyms /dev/mem

For HPUX 9: Use the following command and reboot the gateway:

# echo "fw_ipsec_dont_fragment?W0" | adb -w /hp-ux

For HPUX 10: Use the following command and reboot the gateway:

# echo "fw_ipsec_dont_fragment?W0" | adb -w /stand/vmunix

For AIX: Use the following commands:

# fwstop
# echo "fw_ipsec_dont_fragment?W0" | adb -w $FWDIR/modules/fwmod.4.x.o
# fwstart

For Windows NT: I do not know how to make this change on NT.

Editor's Note: If someone discovers how to do this, please let us know.

For IPSO (VPN-1 Appliance or Nokia IPxxx), you will need to get the 'modzap' utility from Resolution 1261 in Nokia's Knowledge Base. You can then use the following command line to modify the fwhmem parameter and reboot the system:

# modzap -s _fw_ipsec_dont_fragment $FWDIR/modules/fwmod.o 0x0

For Linux: Add the following to $FWDIR/boot/modules/fwkern.conf and restart FireWall-1:

fw_ipsec_dont_fragment=0



-- RobertGraham - 14 Jan 2004

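The following Python model is an added illustration of the size problem the post describes; it is not code from the post or from Check Point. It computes how large an inner packet becomes once ESP tunnel-mode headers (RFC 4303) are added, and contrasts the default behaviour of copying the inner Don't Fragment bit to the outer packet with the post's fix of clearing it. The cipher and integrity sizes (AES-CBC with a 16-byte IV, HMAC-SHA1-96) and the 1500-byte link MTU are assumptions chosen for the example.

```python
"""Size model for ESP tunnel-mode encapsulation and the Don't Fragment (DF) bit.

Added example, not code from the post or from Check Point. Overheads follow
RFC 4303 (ESP); the cipher/ICV sizes are assumptions for AES-CBC with
HMAC-SHA1-96, and the link MTU is the constructed sample value 1500.
"""
from dataclasses import dataclass
from typing import Tuple

IPV4_HEADER = 20       # outer (tunnel) IPv4 header, no options
ESP_SPI_SEQ = 8        # ESP header: SPI (4) + sequence number (4)
ESP_TRAILER = 2        # pad length (1) + next header (1)


@dataclass(frozen=True)
class EspParams:
    iv_len: int = 16       # assumption: AES-CBC IV
    block_size: int = 16   # assumption: AES block size
    icv_len: int = 12      # assumption: HMAC-SHA1-96 integrity check value


def esp_tunnel_size(inner_len: int, p: EspParams = EspParams()) -> int:
    """Outer packet length after wrapping an inner IP packet of inner_len bytes."""
    # The inner packet plus ESP trailer is padded up to the cipher block size.
    padded = -(-(inner_len + ESP_TRAILER) // p.block_size) * p.block_size
    return IPV4_HEADER + ESP_SPI_SEQ + p.iv_len + padded + p.icv_len


def largest_inner_packet(link_mtu: int, p: EspParams = EspParams()) -> int:
    """Largest inner packet whose encapsulated form still fits the link MTU."""
    size = link_mtu
    while esp_tunnel_size(size, p) > link_mtu:
        size -= 1
    return size


def encapsulate(inner_len: int, inner_df: bool, link_mtu: int,
                copy_df: bool = True, p: EspParams = EspParams()) -> Tuple[str, int]:
    """Decide what happens to one packet at the VPN gateway.

    copy_df=True models the default (ipsec_dont_fragment true): the inner DF bit
    is copied to the outer packet. copy_df=False models the post's fix: the outer
    packet is always fragmentable. Returns (outcome, number of packets emitted).
    """
    outer_len = esp_tunnel_size(inner_len, p)
    outer_df = inner_df if copy_df else False
    if outer_len <= link_mtu:
        return ("forwarded", 1)
    if outer_df:
        # A gateway following RFC 1191 sends ICMP "fragmentation needed" here; if
        # that ICMP never reaches the sender, large packets simply vanish.
        return ("dropped", 0)
    # IPv4 fragments carry payload in multiples of 8 bytes, each with its own header.
    payload = outer_len - IPV4_HEADER
    per_fragment = (link_mtu - IPV4_HEADER) // 8 * 8
    return ("fragmented", -(-payload // per_fragment))


if __name__ == "__main__":
    MTU = 1500  # constructed sample link MTU
    print("largest DF-safe inner packet:", largest_inner_packet(MTU))
    for length in (1400, 1500):
        for copy in (True, False):
            print(length, "copy_df=%s" % copy, encapsulate(length, True, MTU, copy))
```

With these assumptions a full-size 1500-byte inner packet grows to 1560 bytes, so with DF copied it is dropped, while with the bit cleared it leaves the gateway as two fragments; anything up to 1438 bytes fits without fragmentation. Clearing DF on the outer packet is the workaround the post gives; the reassembly cost and the loss of path MTU discovery for the tunnelled traffic are the trade-off.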