Description
This article describes how FortiOS treats a packet that is about to traverse an IPsec tunnel interface but exceeds the referenced MTU size.
Scope
FortiOS.
Solution
Packets that are too large may be dropped by Internet or private network routers. The exact threshold beyond which packets may be dropped depends on a variety of factors, including router configuration and the path taken, but is often around 1480 bytes for Internet traffic, including encapsulated IPsec traffic.
IP fragmentation is the process of splitting packets into smaller pieces (fragments) so they can pass through a link (interface) with a smaller MTU size than the original packet. It is sometimes necessary to modify the configuration of routers under an administrator's control to ensure only packets below a certain size are sent.
For the purposes of this example, the FortiGate is acting as an IPsec gateway and has a tunnel to a remote device. Between the FortiGate and the remote gateway there is an unmanaged router which will drop any packet with a size greater than approximately 1100 bytes. In this case, the FortiGate's configuration should be modified to ensure only smaller packets are sent.
By default, FortiGate is configured to honor the DF bit.
config system global
    set honor-df enable    <----- (Default value). Fragment packets only if the DF bit is 0.
end
If the DF bit in the IP header of the packet is set to 1 (ON) and the packet is larger than the MTU of the exit interface, FortiGate will not fragment the packet. Instead, FortiGate drops the packet and sends an ICMP 'fragmentation needed' message (ICMP type 3, code 4) to the sender. Some endpoints rely on this ICMP 'fragmentation needed' message to tune the size of the packets they send.
If it is necessary to allow FortiGate to fragment packets which have the DF bit set, then it is necessary to disable 'honor-df' globally.
config system global
    set honor-df disable    <----- Ignore DF bit in IP header.
end
With the pre-encapsulation method, FortiGate compares the packet size to the tunnel interface MTU to decide whether a packet requires fragmentation. If fragmentation is needed and allowed by the DF bit, FortiGate fragments the data packet first, then encrypts and encapsulates each fragment in its own ESP header.
config vpn ipsec phase1-interface
    edit <IPsec tunnel name>
        set ip-fragmentation pre-encapsulation
    next
end
Pre-encapsulation hides a packet's fragmented state from intermediate routers, making fragments indistinguishable from other encrypted data traffic. This can be important if one or more of the intermediate routers would drop fragments.
With the post-encapsulation method, FortiGate encrypts and encapsulates the original packet before any fragmentation decision is made. The data packet appears in an IPsec tunnel sniffer in its original form and size.
config vpn ipsec phase1-interface
    edit <IPsec tunnel name>
        set ip-fragmentation post-encapsulation
    next
end
The packet is then sent to the data layer for transmission and (possibly) fragmentation. In this case the FortiGate compares the size of the encrypted packet with the MTU of the parent interface of the IPsec tunnel. It does not reference the tunnel MTU for this comparison.
config vpn ipsec phase1-interface
    edit "IPsec-VPN"
        set interface "wan1"    <--- MTU of "wan1" is used to compare with packet size when post-encap is used.
        set ip-fragmentation post-encapsulation
    next
end
If fragmentation is required (and allowed), FortiGate will then fragment the encrypted ESP packet into multiple packets. While the packet payload is still encrypted, intermediate routers are able to detect the packets' fragmented state and may drop them in certain cases.
It is not strictly necessary for both sides of an IPsec tunnel to have the same 'ip-fragmentation' and MTU configuration, but if modification is required for data traffic to pass successfully in one direction, it is often required for the other direction as well.
config system interface
    edit "IPsec-VPN"
        set type tunnel
        set mtu-override enable
        set mtu 1100
        set interface "wan1"
    next
end

config system interface
    edit "wan1"
        set mtu-override enable
        set mtu 1100
    next
end
The default ip-fragmentation setting is post-encapsulation. With post-encapsulation ip-fragmentation, the IP packet is already 'wrapped up' with the IPsec header before being fragmented, so only the first fragment carries the IPsec header while the remaining fragments carry only payload. Modifying the MTU requires making a change on the interface hosting the tunnel. If this is a WAN interface, as is often the case, lowering the MTU lowers it for all WAN traffic, not just IPsec tunnel traffic.
Pre-encapsulation is not RFC-compliant but is compatible with most IPsec gateways currently in use. If there is a device in between IPsec gateways that drops IP fragments, it is necessary to conceal the fragments using pre-encapsulation.
The fragmentation method can be seen in the output of 'diagnose vpn tunnel list'.
'set ip-fragmentation post-encapsulation':
bound_if=9 lgwy=static/1 tun=intf mode=auto/1 encap=none/552 options[0228]=npu frag-rfc run_state=0 role=sync-primary accept_traffic=1 overlay_id=0
'set ip-fragmentation pre-encapsulation':
bound_if=9 lgwy=static/1 tun=intf mode=auto/1 encap=none/40 options[0028]=npu run_state=0 role=sync-primary accept_traffic=1 overlay_id=0
To verify the MTU size of an interface, use 'diag netlink interface list <name>'.
diag netlink interface list IPsec-VPN
if=IPsec-VPN family=00 type=768 index=28 mtu=1100 link=0 master=0 ref=13 state=start present fw_flags=0 flags=up p2p run noarp multicast
For TCP traffic, an alternative to fragmentation for enforcing a smaller packet size is adjusting the TCP MSS. The most common place to configure this on FortiGate is on the firewall policy handling the data traffic.
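The following model, added here as an example and not FortiOS code, walks through the decisions described above: the honor-df check, pre-encapsulation (fragment against the tunnel MTU, then wrap each fragment in its own ESP header) versus post-encapsulation (wrap first, then fragment against the parent interface MTU, leaving only the first fragment with the ESP header), whether intermediate routers can see fragments, and the MSS value that lets a full TCP segment fit the parent MTU without fragmentation. The 56-byte ESP overhead, the 20-byte IPv4/TCP headers and the choice of a tunnel MTU equal to the parent MTU minus that overhead are assumptions for the arithmetic; real ESP overhead depends on the cipher, integrity algorithm and padding in use.

```python
"""Model of the FortiOS IPsec fragmentation decisions described in this article.

Added example, not FortiOS code. Header sizes are assumptions.
"""
from dataclasses import dataclass
from typing import List, Tuple, Union

IPV4_HDR = 20               # bytes, IPv4 header without options
TCP_HDR = 20                # bytes, TCP header without options
ESP_OVERHEAD = 56           # assumed tunnel-mode overhead: outer IPv4 + ESP header + IV + padding + ICV
ICMP_FRAG_NEEDED = (3, 4)   # ICMP type 3 (destination unreachable), code 4 (fragmentation needed)


@dataclass
class Packet:
    size: int           # total IPv4 length in bytes, header included
    df: bool            # Don't Fragment bit of the original packet
    esp: bool = False   # True if this packet carries an ESP header
    offset: int = 0     # fragment offset in bytes (0 for an unfragmented packet)
    mf: bool = False    # More Fragments flag


def fragment(pkt: Packet, mtu: int) -> List[Packet]:
    """IPv4-style fragmentation: every fragment fits in mtu, and every fragment
    except the last carries a payload that is a multiple of 8 bytes."""
    if pkt.size <= mtu:
        return [pkt]
    chunk = (mtu - IPV4_HDR) // 8 * 8
    if chunk <= 0:
        raise ValueError("MTU too small to carry any IPv4 payload")
    payload = pkt.size - IPV4_HDR
    frags, off = [], 0
    while off < payload:
        n = min(chunk, payload - off)
        frags.append(Packet(size=IPV4_HDR + n, df=pkt.df,
                            esp=pkt.esp and off == 0,   # only the first fragment keeps the ESP header
                            offset=off, mf=off + n < payload))
        off += n
    return frags


def encapsulate(pkt: Packet) -> Packet:
    """Wrap a packet (or a fragment) in its own ESP tunnel-mode envelope."""
    return Packet(size=pkt.size + ESP_OVERHEAD, df=pkt.df, esp=True)


def send_over_tunnel(pkt: Packet, method: str, honor_df: bool,
                     tunnel_mtu: int, parent_mtu: int) -> Tuple[str, Union[List[Packet], Tuple[int, int]]]:
    """Return ('sent', packets on the wire) or ('dropped', ICMP type/code sent back)."""
    allowed = not (honor_df and pkt.df)   # honor-df enable + DF=1 means no fragmentation
    if method == "pre-encapsulation":
        # Compare the cleartext packet with the tunnel MTU, fragment, then wrap each piece.
        if pkt.size > tunnel_mtu and not allowed:
            return "dropped", ICMP_FRAG_NEEDED
        return "sent", [encapsulate(f) for f in fragment(pkt, tunnel_mtu)]
    if method == "post-encapsulation":
        # Wrap first, then compare the ESP packet with the parent interface MTU.
        enc = encapsulate(pkt)
        if enc.size > parent_mtu and not allowed:
            return "dropped", ICMP_FRAG_NEEDED
        return "sent", fragment(enc, parent_mtu)
    raise ValueError(f"unknown ip-fragmentation method: {method}")


def visible_fragments(wire: List[Packet]) -> int:
    """Packets an intermediate router can recognise as fragments (MF set or non-zero offset)."""
    return sum(1 for p in wire if p.mf or p.offset > 0)


def tcp_mss_limit(parent_mtu: int) -> int:
    """Largest TCP MSS whose full segment, once encapsulated, still fits the parent MTU."""
    return parent_mtu - ESP_OVERHEAD - IPV4_HDR - TCP_HDR


if __name__ == "__main__":
    parent, tunnel = 1100, 1100 - ESP_OVERHEAD   # wan1 MTU from the article; tunnel MTU assumed
    big = Packet(size=1500, df=False)              # constructed 1500-byte data packet
    for method in ("pre-encapsulation", "post-encapsulation"):
        state, wire = send_over_tunnel(big, method, True, tunnel, parent)
        print(method, state, [p.size for p in wire], "visible fragments:", visible_fragments(wire))
    print("DF set, honor-df enable:", send_over_tunnel(Packet(1500, True), "pre-encapsulation", True, tunnel, parent))
    print("MSS to avoid fragmentation on wan1:", tcp_mss_limit(parent))
```

Running the model with the article's 1100-byte wan1 MTU shows the trade-off in numbers: pre-encapsulation produces two ESP packets (1100 and 532 bytes) that no router on the path can identify as fragments, post-encapsulation produces a 1100-byte fragment carrying the ESP header and a 476-byte fragment of bare payload that any router can see and might drop, and a DF-marked packet is dropped with ICMP type 3 code 4 while honor-df is enabled.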