[vpnc-devel] Cisco quirk related to ESP processing ...
mgrooms at shrew.net
Sat Aug 19 20:51:35 CEST 2006
This is my first time posting to this list. I am the author of a free
IPsec client for Windows ( http://www.shrew.net/?page=software ) and a
frequent ipsec-tools contributor. Recently I have been running
compatibility testing with a Cisco ASA as it offers a similar feature
set to the CVS version of racoon ( NATT + XAuth + modecfg + etc ... ).
During testing, I ran into what I believe to be a Cisco-only quirk and
thought that maybe this list would be aware of it, or interested in
hearing about it, as it may cause problems for vpnc as well.

The issue is related to processing small ESP payloads that end up being
less than 32 bytes including padding. This usually occurs when an IP
packet is fragmented and the remaining datagram is only an IP header and
a few bytes of data. The ASA just seems to drop these packet fragments.
At first I thought I missed something in the RFCs, so I ran the same
traffic patterns across NetBSD and FreeBSD, which gave me no such
trouble. My work-around is to add some extra padding to the ESP payload
until it's >= 32 bytes while still adhering to the normal ESP and cipher
block size alignment rules.

I should mention that the testing was done with ESP256 + SHA1 for
phase 2 with NATT enabled. Has anyone on the vpnc development list
noticed this issue? Maybe we can compare notes.