
R1-FG1101E # show vpn ipsec phase1-interface ToR2
config vpn ipsec phase1-interface
edit "ToR2"
set interface "port16"
set peertype any
set net-device disable
set passive-mode enable
set proposal aes128-sha256
**set ip-fragmentation pre-encapsulation**
set remote-gw 100.0.1.2
set psksecret ENC Z8JY4iWGlEVkd9FBHND38mehwVdARcHczR3QcrxWjT60LTWVr1+CirMEFhzQdLZWBK+HWBCsGowDBXAzPqLPd2VfyW4Cl/w1n7Axa0B1e0oh+zTSdKr1auFuCMn/p/IkQpiHCY5AWV1E8GQcteDZ6zv7fpWqnTD0crmVSydT/Qpk5p844Oxgf02k9AfDRcY29j8Gcw==
next
end
R1-FG1101E # show vpn ipsec phase2-interface ToR2
config vpn ipsec phase2-interface
edit "ToR2"
set phase1name "ToR2"
set proposal **aes256-sha256**
next
end
R2-FG1101E # show vpn ipsec phase1-interface ToR1
config vpn ipsec phase1-interface
edit "ToR1"
set interface "port16"
set peertype any
set net-device disable
set exchange-interface-ip enable
set proposal aes128-sha256
set **ip-fragmentation pre-encapsulation**
set dpd disable
set remote-gw 100.0.0.2
set psksecret ENC Lv4Etajj6H2abp3coiBKezA+1aP7epa+KIUb6TpVECqC/MO8vweHdqW4mTfE+PJnm3xmywcheaxr7r/jNRimIuRbripGvAdvk9V8ezgTsInYXXWmmt1+twvGPPxfCKUxGHHJHVgozsun3uH5TMDmMwmgRkWL0sq7YR+Zv5lyrDhi7XZcJdioL60aa3RCqNyzc+hZYw==
next
end
R2-FG1101E # show vpn ipsec phase2-interface ToR1
config vpn ipsec phase2-interface
edit "ToR1"
set phase1name "ToR1"
set proposal **aes256-sha256**
set auto-negotiate enable
next
end
以上是两端的 IKE phase1/phase2 配置(从后面 diagnose 输出中的 ver=1 看, 隧道为 IKEv1, 预共享密钥认证)。注意: psksecret 虽然以 ENC 密文形式显示, 但除非设备启用了 private-data-encryption, 这种密文一般不应视为安全脱敏, 对外分享配置时建议整行删除。下面开始看 MTU。FW1 的物理口 port16 三层 MTU 为 1500:
R1-FG1101E # diagnose netlink interface list | grep port16
if=port16 family=00 type=1 index=39 **mtu=1500** link=0 master=0
FW1 的 Tunnel SA MTU 为 1422 (下面 SA: 行中的 mtu=1422)。注意: diagnose vpn tunnel list 会把当前 SA 在用的 ESP 加解密密钥与认证密钥以明文打印出来 (下面的 dec:/enc: key= 行), 截图或贴文前务必脱敏; 如果已经泄露, 应让 SA 重新协商:
R1-FG1101E # diagnose vpn tunnel list
list all ipsec tunnel in vd 0
------------------------------------------------------
name=ToR2 ver=1 serial=d 100.0.0.2:4500->100.0.1.2:64916 dst_mtu=1500
bound_if=39 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/8 options[0008]=npu run_state=0 accept_traffic=1 overlay_id=0
proxyid_num=1 child_num=0 refcnt=11 ilast=1 olast=1 ad=/0
stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0
natt: mode=silent draft=32 interval=10 remote_port=64916
proxyid=ToR2 proto=0 sa=1 ref=2 serial=2
src: 0:0.0.0.0/0.0.0.0:0
dst: 0:0.0.0.0/0.0.0.0:0
SA: ref=3 options=10226 type=00 soft=0 **mtu=1422** expire=42928/0B replaywin=2048
seqno=1 esn=0 replaywin_lastseq=00000000 itn=0 qat=0 hash_search_len=1
life: type=01 bytes=0/0 timeout=42930/43200
dec: spi=574df73a esp=aes key=32 6ace060b65738247a15d2a0589b750e9de598a4b8a7c5a6f01a3b92dd788657f
ah=sha256 key=32 61d7dfe4412e71aea97b78e9b9de31529a485fcb03b3797faf64ee57f931f5f4
enc: spi=e62da1a7 esp=aes key=32 1e91b65761bfc65c031a70f925907ad32b08d563d6b62a56946d6aadd5330bdf
ah=sha256 key=32 6e82bf17ee1d68e8101f306483721f35eac00d271d595aad0d545f88772f8506
dec:pkts/bytes=0/0, enc:pkts/bytes=0/0
npu_flag=00 npu_rgwy=100.0.1.2 npu_lgwy=100.0.0.2 npu_selid=d dec_npuid=0 enc_npuid=0
run_tally=1
FW1 的 Tunnel Interface MTU 为 1438, 这里出现了问题: 它与 Tunnel SA MTU (1422) 不一致, 大了 16 Bytes:
R1-FG1101E # diagnose netlink interface list | grep ToR2
if=ToR2 family=00 type=768 index=56 **mtu=1438** link=0 master=0
使用 PC1 Ping PC2, 在 FW1 上查看该流量的路由缓存: 出方向条目 (port14 -> ToR2) 的 PMTU 为 1438, 与 Tunnel Interface MTU 一致; 回程条目 (ToR2 -> port14) 的 PMTU 则为 1500:
R1-FG1101E # diagnose ip rtcache list | grep 10.1.87.222 -A 1
10.1.87.222@56(ToR2)->10.0.86.221@37(port14) gwy=0.0.0.0 prefsrc=192.168.84.11
ci: ref=1 lastused=6 expire=0 err=00000000 used=0 br=0 pmtu=1500
--
10.0.86.221@37(port14)->10.1.87.222@56(ToR2) gwy=0.0.0.0 prefsrc=10.0.86.1
ci: ref=1 lastused=6 expire=0 err=00000000 used=0 br=0 **pmtu=1438**
FW2 的 Tunnel SA MTU 同样为 1422。另外注意两端 SA 的一处差异: FW1 显示 replaywin=2048, 而 FW2 显示 replaywin=0, 这通常意味着 FW2 侧的 ESP 防重放检测没有生效 (也可能与 NPU 卸载有关, 该侧 npu_flag=03), 建议核对 phase2 的 replay 配置, 生产隧道不应关闭防重放。同样, 下面的 dec:/enc: key= 行是在用的会话密钥, 分享前应脱敏:
R2-FG1101E # diagnose vpn tunnel list
list all ipsec tunnel in vd 0
------------------------------------------------------
name=ToR1 ver=1 serial=1 100.0.3.2:4500->100.0.0.2:4500 dst_mtu=1500
bound_if=39 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/8 options[0008]=npu run_state=0 accept_traffic=1 overlay_id=0
proxyid_num=1 child_num=0 refcnt=13 ilast=297 olast=37 ad=/0
stat: rxp=1 txp=1 rxb=1508 txb=1438
dpd: mode=off on=0 idle=20000ms retry=3 count=0 seqno=0
natt: mode=keepalive draft=32 interval=10 remote_port=4500
proxyid=ToR1 proto=0 sa=1 ref=3 serial=11 auto-negotiate
src: 0:0.0.0.0/0.0.0.0:0
dst: 0:0.0.0.0/0.0.0.0:0
SA: ref=6 options=18225 type=00 soft=0 **mtu=1422** expire=42603/0B replaywin=0
seqno=2 esn=0 replaywin_lastseq=00000000 itn=0 qat=0 hash_search_len=1
life: type=01 bytes=0/0 timeout=42901/43200
dec: spi=e62da1a7 esp=aes key=32 1e91b65761bfc65c031a70f925907ad32b08d563d6b62a56946d6aadd5330bdf
ah=sha256 key=32 6e82bf17ee1d68e8101f306483721f35eac00d271d595aad0d545f88772f8506
enc: spi=574df73a esp=aes key=32 6ace060b65738247a15d2a0589b750e9de598a4b8a7c5a6f01a3b92dd788657f
ah=sha256 key=32 61d7dfe4412e71aea97b78e9b9de31529a485fcb03b3797faf64ee57f931f5f4
dec:pkts/bytes=1/1438, enc:pkts/bytes=1/1508
npu_flag=03 npu_rgwy=100.0.0.2 npu_lgwy=100.0.3.2 npu_selid=a dec_npuid=2 enc_npuid=2
run_tally=1
FW2 的 Tunnel Interface MTU 也是 1438, 同样与 Tunnel SA MTU (1422) 不一致:
R2-FG1101E # diagnose netlink interface list | grep ToR1
if=ToR1 family=00 type=768 index=50 **mtu=1438** link=0 master=0
首先验证在 Tunnel MTU 极限值的情况下是否会产生分片。目前 Tunnel Interface MTU 为 1438, 也就是说进入隧道待加密的原始 IP 报文最大为 1438 Bytes。使用 PC1 Ping PC2 来测试, 并加上 -M dont 使发送端不置 DF 位 (允许路径上分片), ICMP 数据长度 datasize = 1438 - 20 (原始 IP 头) - 8 (ICMP 头) = 1410。
[root@CentOS-1 ~]# ping 10.1.87.222 -c 1 **-s 1410** -M dont
PING 10.1.87.222 (10.1.87.222) 1410(**1438**) bytes of data.
1418 bytes from 10.1.87.222: icmp_seq=1 ttl=62 time=1.22 ms
--- 10.1.87.222 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 1.224/1.224/1.224/0.000 ms
在 FW1 上用 sniffer 抓取 ICMP 明文 (verbose 级别 4 会显示接口名), 可以看到该 ICMP echo request 从 port14 进入、从 ToR2 出去时仍是单个报文, 进入隧道前未被分片:
R1-FG1101E # diagnose sniffer packet any 'host 10.1.87.222' 4
interfaces=[any]
filters=[host 10.1.87.222]
6150.682437 port14 in 10.0.86.221 -> 10.1.87.222: icmp: echo request
6150.682457 ToR2 out 10.0.86.221 -> 10.1.87.222: icmp: echo request