
[Design] ICMP processing relevant to IPSEC

From: <sampanna(at)codito.com>
Date: Fri Mar 07 2003 - 10:11:46 EST


Hi,
I've been writing an ipsec stack, using freeswan as the other secure gateway, and setting up a secure connection between my stack and the freeswan server. I have a couple of questions; I hope someone on this list can help me.

1. How can I generate out-of-order ipsec packets, to test my anti-replay code? I need to test my anti-replay code; how can I do that?

2. Also, does Freeswan handle ICMP processing relevant to IPSEC, as described in rfc2401? I did not quite understand that... the only solution I could think of would end up throttling the ipsec connection.

mtu=1500 a---------gw1======gw2-------------------b mtu=1000
                              |---------------------c mtu=500
                              |---------------------d mtu=1400

gw1 is a's secure gateway, gw2 is the secure gateway for b, c and d.

Will not the secure pipe get throttled to 500, if a sends a packet of (1500-gw1header_size) to each of them in turn? Like, a sends to b, gw1 gets an icmp error with mtu=1000, stores it in the sa, and passes it to a when it next tries to ping b. When a tries to ping d, gw1 will see that the packet is going on an sa with mtu 1000, and send an icmp error message with mtu=1000 to a, though it's possible to send 1400 in this case! Or am I wrong?

Thank you,
-sam



Design mailing list
Design@lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/design

Received on Fri Mar 7 11:03:52 2003
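For the anti-replay question in the message above, an added example (not part of the original post and not FreeS/WAN code): a reference 32-packet sliding-window check, driven by a constructed out-of-order sequence, whose per-packet verdicts a stack under test can be compared against. The names `replay_state`, `replay_check_update`, `count_accepted` and `SAMPLE_SEQS`, and the window size of 32, are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>

#define REPLAY_WINDOW 32u   /* assumed window size, in packets */

struct replay_state {
    uint32_t last_seq;      /* highest sequence number accepted so far */
    uint32_t bitmap;        /* bit i set: (last_seq - i) was already seen */
};

/* Constructed sample: reordering (5 before 3, 4), duplicates (5, 40),
 * a jump past the window (40) and a packet that is then too old (8). */
const uint32_t SAMPLE_SEQS[] = { 1, 2, 5, 3, 5, 4, 40, 8, 9, 40, 41 };

/* Returns 1 and records seq if it is new and inside the window, else 0.
 * A real receiver updates the window only after the ICV has verified. */
int replay_check_update(struct replay_state *st, uint32_t seq)
{
    uint32_t diff;
    if (seq == 0) return 0;                /* valid numbers start at 1 */
    if (seq > st->last_seq) {              /* moves the right edge */
        diff = seq - st->last_seq;
        st->bitmap = diff < REPLAY_WINDOW ? (st->bitmap << diff) | 1u : 1u;
        st->last_seq = seq;
        return 1;
    }
    diff = st->last_seq - seq;
    if (diff >= REPLAY_WINDOW)
        return 0;                          /* left of the window: too old */
    if (st->bitmap & (1u << diff))
        return 0;                          /* bit already set: replay */
    st->bitmap |= 1u << diff;              /* late but new: accept */
    return 1;
}

/* Feeds n sequence numbers to a fresh window; returns how many pass. */
int count_accepted(const uint32_t *seqs, size_t n)
{
    struct replay_state st = { 0, 0 };
    int accepted = 0;
    for (size_t i = 0; i < n; i++) {
        int ok = replay_check_update(&st, seqs[i]);
        printf("seq %2u -> %s\n", (unsigned)seqs[i], ok ? "accept" : "drop");
        accepted += ok;
    }
    return accepted;
}

int main(void) { return count_accepted(SAMPLE_SEQS, 11) == 8 ? 0 : 1; }
```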

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 12:59:57 EDT

