
R1-FG1101E # show vpn ipsec phase1-interface ToR2
config vpn ipsec phase1-interface
edit "ToR2"
set type dynamic
set interface "port16"
set peertype any
set net-device disable
set proposal aes128-sha256
set **ip-fragmentation pre-encapsulation**
set dpd on-idle
set psksecret ENC ttVqkpX/2tOX2sIjIHjVVulGhE/F6wAy3C9+i7Kni9OiE6i8UWaPcuHTUJSElS4EDQMdnWDlo8pvrTWvKfly8SisLvAaPqZit3F0xVuR9Hv0ESir0ZdW+HrVonBr4uAWXgBKSWVHSVN1dm5EV2enmYrz0GN05DednWpe3lx9UWLw9rWcnQxLgUeF31G9kyQ9GGCF0A==
next
end
R1-FG1101E # show vpn ipsec phase2-interface ToR2
config vpn ipsec phase2-interface
edit "ToR2"
set phase1name "ToR2"
set proposal **aes256-sha256**
next
end
R2-FG1101E # show vpn ipsec phase1-interface ToR1
config vpn ipsec phase1-interface
edit "ToR1"
set interface "port16"
set peertype any
set net-device disable
set exchange-interface-ip enable
set proposal aes128-sha256
set **ip-fragmentation pre-encapsulation**
set dpd disable
set remote-gw 100.0.0.2
set psksecret ENC Lv4Etajj6H2abp3coiBKezA+1aP7epa+KIUb6TpVECqC/MO8vweHdqW4mTfE+PJnm3xmywcheaxr7r/jNRimIuRbripGvAdvk9V8ezgTsInYXXWmmt1+twvGPPxfCKUxGHHJHVgozsun3uH5TMDmMwmgRkWL0sq7YR+Zv5lyrDhi7XZcJdioL60aa3RCqNyzc+hZYw==
next
end
R2-FG1101E # show vpn ipsec phase2-interface ToR1
config vpn ipsec phase2-interface
edit "ToR1"
set phase1name "ToR1"
set proposal **aes256-sha256**
set auto-negotiate enable
set src-subnet 10.1.87.0 255.255.255.0
set dst-subnet 10.0.86.0 255.255.255.0
next
end
FW1的物理口三层MTU为1500:
R1-FG1101E # diagnose netlink interface list | grep port16
if=port16 family=00 type=1 index=39 **mtu=1500** link=0 master=0
FW1的Tunnel SA MTU为1438:
R1-FG1101E # diagnose vpn tunnel list
list all ipsec tunnel in vd 0
------------------------------------------------------
name=ToR2_0 ver=1 serial=3 100.0.0.2:0->100.0.3.2:0 dst_mtu=1500
bound_if=39 lgwy=static/1 tun=intf/0 mode=dial_inst/3 encap=none/136 options[0088]=npu rgwy-chg run_state=1 accept_traffic=1 overlay_id=0
parent=ToR2 index=0
proxyid_num=1 child_num=0 refcnt=5 ilast=52 olast=52 ad=/0
stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=on-idle on=1 idle=60000ms retry=3 count=0 seqno=33
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=ToR2 proto=0 sa=1 ref=2 serial=1 add-route
src: 0:10.0.86.0-10.0.86.255:0
dst: 0:10.1.87.0-10.1.87.255:0
SA: ref=3 options=2a6 type=00 soft=0 **mtu=1438** expire=41150/0B replaywin=2048
seqno=1 esn=0 replaywin_lastseq=00000000 itn=0 qat=0 hash_search_len=1
life: type=01 bytes=0/0 timeout=43188/43200
dec: spi=fa5e68e8 esp=aes key=32 2fba3ebbb0b8d1a54818b1822ada89e22009ff74e8ce3fccd2d1e83197335280
ah=sha256 key=32 c5ad2089ccede65200b501b0bbdc8b282389e008eb3334ccb82b203bf3da6139
enc: spi=e62da195 esp=aes key=32 6d18b2eb2554fcd8929ad532d5e9d70499e0afd65d7832d153aedd476b919259
ah=sha256 key=32 f0b1fb2f41ccb3825cb8da3693ee8637ea0cfb83442fbacec3abb8a5ffd93e64
dec:pkts/bytes=0/0, enc:pkts/bytes=0/0
npu_flag=00 npu_rgwy=100.0.3.2 npu_lgwy=100.0.0.2 npu_selid=2 dec_npuid=0 enc_npuid=0
FW1的Tunnel Interface MTU为1438,与Tunnel SA MTU一致:
R1-FG1101E # diagnose netlink interface list | grep ToR2
if=ToR2 family=00 type=768 index=50 **mtu=1438** link=0 master=0
使用PC1 Ping PC2,在FW1上查看该流量的路由缓存PMTU为1438,与Tunnel Interface MTU一致:
R1-FG1101E # diagnose ip rtcache list | grep 10.1.87.222 -A 1
10.1.87.222@50(ToR2)->10.0.86.221@37(port14) gwy=0.0.0.0 prefsrc=192.168.84.11
ci: ref=2 lastused=9 expire=0 err=00000000 used=3 br=0 pmtu=1500
--
**10.0.86.221@37(port14)->10.1.87.222@50(ToR2)** gwy=0.0.0.0 prefsrc=10.0.86.1
ci: ref=2 lastused=9 expire=0 err=00000000 used=4 br=0 **pmtu=1438**
FW2的Tunnel SA MTU为1438:
R2-FG1101E # diagnose vpn tunnel list
list all ipsec tunnel in vd 0
------------------------------------------------------
name=ToR1 ver=1 serial=1 100.0.3.2:0->100.0.0.2:0 dst_mtu=1500
bound_if=39 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/8 options[0008]=npu run_state=0 accept_traffic=1 overlay_id=0
proxyid_num=1 child_num=0 refcnt=11 ilast=35 olast=35 ad=/0
stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=off on=0 idle=20000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=ToR1 proto=0 sa=1 ref=2 serial=10 auto-negotiate
src: 0:10.1.87.0/255.255.255.0:0
dst: 0:10.0.86.0/255.255.255.0:0
SA: ref=3 options=18225 type=00 soft=0 **mtu=1438** expire=40815/0B replaywin=0
seqno=1 esn=0 replaywin_lastseq=00000000 itn=0 qat=0 hash_search_len=1
life: type=01 bytes=0/0 timeout=42897/43200
dec: spi=e62da195 esp=aes key=32 6d18b2eb2554fcd8929ad532d5e9d70499e0afd65d7832d153aedd476b919259
ah=sha256 key=32 f0b1fb2f41ccb3825cb8da3693ee8637ea0cfb83442fbacec3abb8a5ffd93e64
enc: spi=fa5e68e8 esp=aes key=32 2fba3ebbb0b8d1a54818b1822ada89e22009ff74e8ce3fccd2d1e83197335280
ah=sha256 key=32 c5ad2089ccede65200b501b0bbdc8b282389e008eb3334ccb82b203bf3da6139
dec:pkts/bytes=0/0, enc:pkts/bytes=0/0
npu_flag=00 npu_rgwy=100.0.0.2 npu_lgwy=100.0.3.2 npu_selid=9 dec_npuid=0 enc_npuid=0
run_tally=1
FW2的Tunnel Interface MTU为1438,与Tunnel SA MTU一致:
R2-FG1101E # diagnose netlink interface list | grep ToR1
if=ToR1 family=00 type=768 index=50 **mtu=1438** link=0 master=0
首先验证在原始报文恰好达到Tunnel MTU极限值的情况下是否会产生分片。目前Tunnel Interface MTU为1438,也就是说被加密的原始明文最大为1438 Bytes(不包含任何ESP封装)。我们使用PC1 Ping PC2来测试,datasize = 1438 - 20(Original IP Header) - 8(ICMP Header) = 1410。
[root@CentOS-1 ~]# ping 10.1.87.222 **-s 1410** -c 1 -M dont
PING 10.1.87.222 (10.1.87.222) 1410(**1438**) bytes of data.
1418 bytes from 10.1.87.222: icmp_seq=1 ttl=62 time=1.24 ms
--- 10.1.87.222 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 1.245/1.245/1.245/0.000 ms
关闭Router (R1-FG601E)的芯片加速功能(否则被卸载到硬件加速的报文不会经过sniffer),同时在Router上抓取4和6格式的ESP报文。
在格式4(sniffer verbose level 4)的抓包结果中,可以看到FW1发出的ESP报文未产生分片:
RACK1-FG601E # diagnose sniffer packet any 'host 100.0.3.2' 4
interfaces=[any]
filters=[host 100.0.3.2]
5.770176 port7 in 100.0.0.2 -> 100.0.3.2: ESP(spi=0xe62da195,seq=0x3)
5.770205 port8 out 100.0.0.2 -> 100.0.3.2: ESP(spi=0xe62da195,seq=0x3)
5.770743 port8 in 100.0.3.2 -> 100.0.0.2: ESP(spi=0xfa5e68e8,seq=0x3)
5.770754 port7 out 100.0.3.2 -> 100.0.0.2: ESP(spi=0xfa5e68e8,seq=0x3)