<aside> 💡 Why did we switch to the 7.0.3 GA release here? Because testing on 6.4.7 GA showed that, with this algorithm combination, the Tunnel SA MTU is calculated correctly as 1422, but the Tunnel Interface MTU stays at 1438. Since pre-fragmentation is done against the Tunnel Interface MTU, the same ESP fragmentation seen in the AES256-SHA256 (NAT-T) test would still occur. So we switched to 7.0.3 GA for this test, which also makes it easier to summarize the differences between versions at the end.
</aside>

R1-FG1101E # show vpn ipsec phase1-interface ToR2
config vpn ipsec phase1-interface
edit "ToR2"
set interface "port16"
set peertype any
set net-device disable
set passive-mode enable
set proposal aes128-sha256
set **ip-fragmentation pre-encapsulation**
set remote-gw 100.0.1.2
set psksecret ENC Z8JY4iWGlEVkd9FBHND38mehwVdARcHczR3QcrxWjT60LTWVr1+CirMEFhzQdLZWBK+HWBCsGowDBXAzPqLPd2VfyW4Cl/w1n7Axa0B1e0oh+zTSdKr1auFuCMn/p/IkQpiHCY5AWV1E8GQcteDZ6zv7fpWqnTD0crmVSydT/Qpk5p844Oxgf02k9AfDRcY29j8Gcw==
next
end
R1-FG1101E # show vpn ipsec phase2-interface ToR2
config vpn ipsec phase2-interface
edit "ToR2"
set phase1name "ToR2"
set proposal **aes256-sha384**
next
end
R2-FG1101E # show vpn ipsec phase1-interface ToR1
config vpn ipsec phase1-interface
edit "ToR1"
set interface "port16"
set peertype any
set net-device disable
set exchange-interface-ip enable
set proposal aes128-sha256
set **ip-fragmentation pre-encapsulation**
set dpd disable
set remote-gw 100.0.0.2
set psksecret ENC Lv4Etajj6H2abp3coiBKezA+1aP7epa+KIUb6TpVECqC/MO8vweHdqW4mTfE+PJnm3xmywcheaxr7r/jNRimIuRbripGvAdvk9V8ezgTsInYXXWmmt1+twvGPPxfCKUxGHHJHVgozsun3uH5TMDmMwmgRkWL0sq7YR+Zv5lyrDhi7XZcJdioL60aa3RCqNyzc+hZYw==
next
end
R2-FG1101E # show vpn ipsec phase2-interface ToR1
config vpn ipsec phase2-interface
edit "ToR1"
set phase1name "ToR1"
set proposal **aes256-sha384**
set auto-negotiate enable
next
end
The Layer 3 MTU of FW1's physical interface is 1500:
R1-FG1101E # diagnose netlink interface list | grep port16
if=port16 family=00 type=1 index=39 **mtu=1500** link=0 master=0
FW1's Tunnel SA MTU is 1422:
R1-FG1101E # diagnose vpn tunnel list
list all ipsec tunnel in vd 0
------------------------------------------------------
name=ToR2 ver=1 serial=1 100.0.0.2:0->100.0.3.2:0 tun_id=100.0.3.2 dst_mtu=1500 dpd-link=on weight=1
bound_if=39 lgwy=static/1 tun=tunnel/255 mode=auto/1 encap=none/8 options[0008]=npu run_state=0 accept_traffic=1 overlay_id=0
proxyid_num=1 child_num=0 refcnt=4 ilast=2 olast=2 ad=/0
stat: rxp=1 txp=1 rxb=164 txb=84
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=ToR2 proto=0 sa=1 ref=3 serial=1 auto-negotiate
src: 0:0.0.0.0/0.0.0.0:0
dst: 0:0.0.0.0/0.0.0.0:0
SA: ref=6 options=18227 type=00 soft=0 **mtu=1422** expire=42894/0B replaywin=2048
seqno=2 esn=0 replaywin_lastseq=00000002 itn=0 qat=0 hash_search_len=1
life: type=01 bytes=0/0 timeout=42903/43200
dec: spi=3b6accfb esp=aes key=32 35aa534791d9e7017bbf58c9ecc63d4bfca36d07408c4571d12d05d785124fe7
ah=sha384 key=48 4e6f934343ac406d21b0010a5247dfdb9b515fc729baa6c5e113c26e91514e93f721173fbc2cbf1b594186b3d81cb35b
enc: spi=f37d4a4b esp=aes key=32 f4963ec42f27852b1264b383579f8c7efdf35a179ca285a3f0c24e062b2deeac
ah=sha384 key=48 ac51b9d08362060a527a0ad0078313a389261a5312aa311dc623bd05480dc55460dab7b611037e905427ecd55c321ad7
dec:pkts/bytes=1/84, enc:pkts/bytes=1/164
npu_flag=03 npu_rgwy=100.0.3.2 npu_lgwy=100.0.0.2 npu_selid=0 dec_npuid=2 enc_npuid=2
run_tally=0
FW1's Tunnel Interface MTU is 1420, 2 bytes smaller than the Tunnel SA MTU. That is fine: the SA MTU is the exact maximum, so a Tunnel Interface MTU slightly below it still guarantees that no ESP fragmentation occurs (in fact the Tunnel Interface MTU is not inherited from the SA MTU; on 7.0 it is hard-coded to 1420 unless the MTU is overridden on the tunnel interface):
R1-FG1101E # diagnose netlink interface list | grep ToR2
if=ToR2 family=00 type=768 index=52 **mtu=1420** link=0 master=0
Ping PC2 from PC1 and look at the route cache for this flow on FW1: the PMTU is 1420, matching the Tunnel Interface MTU:
R1-FG1101E # diagnose ip rtcache list | grep 10.1.87.222 -A 1
10.1.87.222@52(ToR2)->10.0.86.221@37(port14) gwy=0.0.0.0 prefsrc=192.168.84.11
ci: ref=1 lastused=2 expire=0 err=00000000 used=0 br=0 pmtu=1500
--
10.0.86.221@37(port14)->10.1.87.222@52(ToR2) gwy=100.0.3.2 prefsrc=10.0.86.1
ci: ref=1 lastused=2 expire=0 err=00000000 used=0 br=0 **pmtu=1420**
FW2's Tunnel SA MTU is 1422:
R2-FG1101E # diagnose vpn tunnel list
list all ipsec tunnel in vd 0
------------------------------------------------------
name=ToR1 ver=1 serial=1 100.0.3.2:0->100.0.0.2:0 tun_id=100.0.0.2 dst_mtu=1500 dpd-link=on weight=1
bound_if=39 lgwy=static/1 tun=tunnel/255 mode=auto/1 encap=none/8 options[0008]=npu run_state=0 accept_traffic=1 overlay_id=0
proxyid_num=1 child_num=0 refcnt=3 ilast=321 olast=43 ad=/0
stat: rxp=1 txp=2 rxb=164 txb=168
dpd: mode=off on=0 idle=20000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=ToR1 proto=0 sa=1 ref=3 serial=2 auto-negotiate
src: 0:0.0.0.0/0.0.0.0:0
dst: 0:0.0.0.0/0.0.0.0:0
SA: ref=6 options=18225 type=00 soft=0 **mtu=1422** expire=42609/0B replaywin=0
seqno=3 esn=0 replaywin_lastseq=00000000 itn=0 qat=0 hash_search_len=1
life: type=01 bytes=0/0 timeout=42931/43200
dec: spi=f37d4a4b esp=aes key=32 f4963ec42f27852b1264b383579f8c7efdf35a179ca285a3f0c24e062b2deeac
ah=sha384 key=48 ac51b9d08362060a527a0ad0078313a389261a5312aa311dc623bd05480dc55460dab7b611037e905427ecd55c321ad7
enc: spi=3b6accfb esp=aes key=32 35aa534791d9e7017bbf58c9ecc63d4bfca36d07408c4571d12d05d785124fe7
ah=sha384 key=48 4e6f934343ac406d21b0010a5247dfdb9b515fc729baa6c5e113c26e91514e93f721173fbc2cbf1b594186b3d81cb35b
dec:pkts/bytes=1/84, enc:pkts/bytes=2/328
npu_flag=03 npu_rgwy=100.0.0.2 npu_lgwy=100.0.3.2 npu_selid=1 dec_npuid=2 enc_npuid=2
run_tally=0
FW2's Tunnel Interface MTU is 1420, 2 bytes less than the Tunnel SA MTU:
R2-FG1101E # diagnose netlink interface list | grep ToR1
if=ToR1 family=00 type=768 index=52 **mtu=1420** link=0 master=0
First, verify whether fragmentation occurs right at the Tunnel MTU limit. The Tunnel Interface MTU is currently 1420, which means the largest original plaintext packet that gets encrypted is 1420 bytes. We ping PC2 from PC1 with datasize = 1420 - 20 (original IP header) - 8 (ICMP header) = 1392.
[root@CentOS-1 ~]# ping 10.1.87.222 **-s 1392** -c 1 -M dont
PING 10.1.87.222 (10.1.87.222) 1392(**1420**) bytes of data.
1400 bytes from 10.1.87.222: icmp_seq=1 ttl=62 time=0.736 ms
--- 10.1.87.222 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.736/0.736/0.736/0.000 ms
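The numbers above (SA MTU 1422 for aes256-sha384, the 1438 that 6.4.7 GA kept as the interface MTU, and the ping datasize of 1392) all follow from standard ESP tunnel-mode overhead arithmetic. The script below is an added example, not FortiOS code or anything from the original post: it applies the ESP header, IV, block-padding, trailer and truncated-ICV sizes from RFC 4303, RFC 3602 and RFC 4868 (plus the 8-byte UDP header for NAT-T) to a 1500-byte outer MTU and reproduces the page's values. It also generalizes to the other proposals mentioned on the page and shows why a tunnel interface MTU above the SA MTU (the 6.4.7 case in the note) forces ESP fragmentation even with pre-fragmentation enabled. The cipher/integrity tables and the `would_fragment` check are this example's own assumptions.

```python
# Added example (not FortiOS code): ESP tunnel-mode MTU arithmetic that
# reproduces the "SA: mtu=1422" value shown on this page for aes256-sha384.
from typing import Dict, Tuple

OUTER_IPV4_HDR = 20   # tunnel-mode outer IPv4 header, no options
ESP_HDR = 8           # SPI (4) + sequence number (4); ESN adds nothing on the wire
NATT_UDP_HDR = 8      # UDP encapsulation header when NAT-T is active (RFC 3948)
ESP_TRAILER = 2       # pad length (1) + next header (1)

# CBC ciphers: (IV length, block size). Identical for all AES key sizes.
CIPHERS: Dict[str, Tuple[int, int]] = {
    "aes128": (16, 16), "aes192": (16, 16), "aes256": (16, 16), "3des": (8, 8),
}
# Truncated ICV lengths in bytes (RFC 2403/2404 for md5/sha1, RFC 4868 for sha2).
INTEGRITY: Dict[str, int] = {"md5": 12, "sha1": 12, "sha256": 16, "sha384": 24, "sha512": 32}


def esp_wire_size(plaintext_len: int, cipher: str, integ: str, natt: bool = False) -> int:
    """Size of the outer IPv4 packet that carries an inner packet of plaintext_len bytes."""
    iv_len, block = CIPHERS[cipher]
    # ESP pads so that inner packet + trailer is a multiple of the cipher block size.
    padded = -(-(plaintext_len + ESP_TRAILER) // block) * block
    size = OUTER_IPV4_HDR + ESP_HDR + iv_len + padded + INTEGRITY[integ]
    return size + (NATT_UDP_HDR if natt else 0)


def sa_mtu(cipher: str, integ: str, outer_mtu: int = 1500, natt: bool = False) -> int:
    """Largest inner packet that still fits in outer_mtu after ESP encapsulation."""
    iv_len, block = CIPHERS[cipher]
    avail = outer_mtu - OUTER_IPV4_HDR - ESP_HDR - iv_len - INTEGRITY[integ]
    if natt:
        avail -= NATT_UDP_HDR
    # Round down to a whole number of cipher blocks, then give back the trailer.
    return (avail // block) * block - ESP_TRAILER


def ping_datasize(inner_mtu: int) -> int:
    """'ping -s' value that yields an inner IPv4/ICMP packet of exactly inner_mtu bytes."""
    return inner_mtu - 20 - 8  # inner IPv4 header + ICMP echo header


def would_fragment(tunnel_if_mtu: int, cipher: str, integ: str,
                   outer_mtu: int = 1500, natt: bool = False) -> bool:
    """Pre-fragmentation cuts plaintext at the tunnel interface MTU. If a packet of
    that size no longer fits in outer_mtu once encapsulated, the ESP packet itself
    is fragmented, which is the failure mode the 6.4.7 GA note describes."""
    return esp_wire_size(tunnel_if_mtu, cipher, integ, natt) > outer_mtu


if __name__ == "__main__":
    for cipher, integ, natt in [("aes256", "sha384", False),
                                ("aes128", "sha256", False),
                                ("aes256", "sha256", True)]:
        mtu = sa_mtu(cipher, integ, natt=natt)
        print(f"{cipher}-{integ}{' NAT-T' if natt else ''}: SA MTU={mtu}, "
              f"ping -s {ping_datasize(mtu)} fills it")
    # 7.0.3 behaviour on this page: interface MTU 1420 under a 1422 SA MTU -> no ESP fragments.
    print("1420/aes256-sha384 fragments:", would_fragment(1420, "aes256", "sha384"))
    # 6.4.7 behaviour from the note: interface MTU stuck at 1438 -> ESP fragments.
    print("1438/aes256-sha384 fragments:", would_fragment(1438, "aes256", "sha384"))
```

Run it as-is to see the three SA MTUs side by side; `sa_mtu("aes256", "sha384")` is the 1422 from the `diagnose vpn tunnel list` output, and `ping_datasize(1420)` is the 1392 used in the ping above. Note that FortiOS pins the tunnel interface MTU at 1420 rather than deriving it from this formula, so the check to run on a real box is simply that the interface MTU is not larger than the SA MTU.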
Disable NPU hardware acceleration on the Router (R1-FG601E) and, at the same time, capture the ESP packets on the Router in sniffer verbosity 4 and verbosity 6 formats.