Description
This article describes how a packet is treated with respect to fragmentation when it is to traverse an IPSec tunnel interface but exceeds the referenced MTU size.
Scope
FortiOS.
Solution
Assume an MTU size of 1100 bytes for this article.
IP fragmentation is the process of splitting packets into smaller pieces (fragments) so they can pass through a link (interface) with a smaller MTU size than the original packet. There are a number of factors to consider when the intention is to make an oversized IP packet successfully traverse an IPSec tunnel utilizing fragmentation.
Let's look at these factors/scenarios one by one:
The DF (Don't Fragment) bit is a bit within the IP header that instructs devices along the path from source to destination whether fragmentation of this IP packet is allowed. DF = 1: fragmentation is NOT allowed. DF = 0: fragmentation is allowed, if necessary.
By default, FortiOS honors the DF bit. This means that if the DF bit in the IP header is set to 1 (ON), FortiGate will not fragment IP packets larger than the MTU of the interface the packet is traversing. A 1500-byte packet leaving an interface with an 1100-byte MTU, for instance, will be dropped in this scenario. FortiGate's default setting for honoring the DF bit is shown below.
config system global
    set honor-df enable    <- Honor whatever DF bit is set on the packet.
end
If the packet should be fragmented on the FortiGate irrespective of the DF bit value, disable 'honor-df'.
If the MTU size is defined under the IPSec tunnel interface and the ip-fragmentation setting of the IPSec phase1 configuration is left at its default, the packet will NOT be fragmented, because the post-encapsulation method is not affected by the IPsec tunnel interface's MTU. For fragmentation to take place in this case, change ip-fragmentation to pre-encapsulation under the IPSec phase1-interface settings.
config vpn ipsec phase1-interface
    edit <name>
        set ip-fragmentation pre-encapsulation
end
This assumes the DF bit is off (0).
If the MTU size is defined under the physical interface and the DF bit is off (0), any IP packet larger than 1100 bytes will be fragmented with the default ip-fragmentation setting of post-encapsulation.
Be aware that this affects ALL packets passing through this physical interface, not only the IPSec-bound or encrypted packets. If the DF bit is set to 1 (ON) and honor-df is enabled, the packet will be dropped.
Details on pre- or post-encapsulation ip-fragmentation: The default ip-fragmentation setting is post-encapsulation, as that is RFC compliant. With post-encapsulation, the IP packet is already 'wrapped up' with the IPSec header before being fragmented, so only the first fragment carries the IPSec header while the remaining fragments carry only payload. With pre-encapsulation the opposite is the case: each fragment is a complete IP packet with its own IP header and is encapsulated individually. Below is how to set the ip-fragmentation method to pre or post.
config vpn ipsec phase1-interface
    edit <name>
        set ip-fragmentation ?
            pre-encapsulation     <- Fragment before IPsec encapsulation.
            post-encapsulation    <- Fragment after IPsec encapsulation.
        ...
end
If the goal is to fragment with the default ip-fragmentation setting under IPsec phase1 (post-encapsulation), be aware that the MTU defined under the IPSec tunnel interface has no effect on the post-encapsulation method.
Therefore, to fragment to an MTU of 1100 bytes with the post-encapsulation method, for instance, define this value on the physical interface on which the IPSec tunnel is configured. If the goal is to have only IPSec traffic affected, change the ip-fragmentation method to pre-encapsulation.
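The following is an added worked model of the decisions described above (the DF bit versus honor-df, which configured MTU governs each ip-fragmentation mode, and what the fragments look like under pre- and post-encapsulation). It is example code written for this article, not FortiOS code. The 56-byte ESP overhead is an assumed figure chosen for illustration (the real value depends on the proposal), ESP block padding is ignored, and the 1500-byte packet, 1100-byte tunnel MTU and 1500-byte physical MTU are constructed inputs.

```python
"""Model of the fragmentation decisions described above: the DF bit versus
honor-df, which MTU governs each ip-fragmentation mode, and how fragments
look under pre- and post-encapsulation. Added example, not FortiOS code."""
from dataclasses import dataclass
from typing import List, Tuple

IPV4_HEADER = 20  # bytes, IPv4 header without options

# Assumed ESP tunnel-mode overhead per packet: outer IPv4 header (20) plus
# ESP SPI/sequence, IV, padding/trailer and ICV. The exact figure depends on
# the proposal; 56 bytes is a constructed value used only for illustration,
# and ESP block padding of the payload is ignored.
ESP_OVERHEAD = 56


@dataclass
class Fragment:
    size: int             # bytes on the wire, including the outer IP header
    has_esp_header: bool  # True if this fragment carries the ESP header


def forwarding_decision(packet_len: int, mtu: int, df_bit: bool,
                        honor_df: bool = True) -> str:
    """Apply the honor-df rule: an oversized packet with DF=1 is dropped
    while honor-df is enabled, otherwise it is fragmented."""
    if packet_len <= mtu:
        return "forward"
    if df_bit and honor_df:
        return "drop"
    return "fragment"


def ip_fragment(total_len: int, mtu: int,
                header_len: int = IPV4_HEADER) -> List[int]:
    """Split one IP packet into fragment sizes that each fit the MTU.
    Every fragment repeats the IP header; all but the last fragment carry a
    payload that is a multiple of 8 bytes, because the fragment offset
    field counts in 8-byte units (RFC 791)."""
    if total_len <= mtu:
        return [total_len]
    max_payload = (mtu - header_len) // 8 * 8
    if max_payload <= 0:
        raise ValueError("MTU too small to carry a fragment payload")
    remaining = total_len - header_len
    sizes = []
    while remaining > 0:
        chunk = min(max_payload, remaining)
        sizes.append(header_len + chunk)
        remaining -= chunk
    return sizes


def post_encapsulation(inner_len: int, mtu: int) -> List[Fragment]:
    """Encapsulate first, then fragment the ESP packet: only the first
    fragment carries the ESP header, the rest are payload-only."""
    sizes = ip_fragment(inner_len + ESP_OVERHEAD, mtu)
    return [Fragment(s, i == 0) for i, s in enumerate(sizes)]


def pre_encapsulation(inner_len: int, mtu: int) -> List[Fragment]:
    """Fragment the clear-text packet so each piece still fits the MTU after
    encapsulation, then encapsulate every fragment on its own."""
    inner_sizes = ip_fragment(inner_len, mtu - ESP_OVERHEAD)
    return [Fragment(s + ESP_OVERHEAD, True) for s in inner_sizes]


def effective_mtu(mode: str, tunnel_mtu: int, physical_mtu: int) -> int:
    """Which configured MTU governs fragmentation in each mode, as the
    article states: post-encapsulation ignores the tunnel interface MTU and
    uses the physical interface, pre-encapsulation uses the tunnel MTU."""
    if mode == "post-encapsulation":
        return physical_mtu
    if mode == "pre-encapsulation":
        return tunnel_mtu
    raise ValueError(f"unknown ip-fragmentation mode: {mode}")


def simulate(inner_len: int, df_bit: bool, mode: str, tunnel_mtu: int,
             physical_mtu: int, honor_df: bool = True) -> Tuple[str, List[Fragment]]:
    """Combine the pieces for one packet entering the tunnel."""
    mtu = effective_mtu(mode, tunnel_mtu, physical_mtu)
    if mode == "post-encapsulation":
        frags = post_encapsulation(inner_len, mtu)
    else:
        frags = pre_encapsulation(inner_len, mtu)
    if len(frags) > 1 and df_bit and honor_df:
        return "drop", []  # would need fragmenting, but DF is honored
    return "ok", frags


if __name__ == "__main__":
    # Constructed scenario: 1500-byte packet, tunnel MTU 1100, physical MTU 1500.
    for mode in ("post-encapsulation", "pre-encapsulation"):
        verdict, frags = simulate(1500, False, mode, 1100, 1500)
        print(mode, verdict, [(f.size, f.has_esp_header) for f in frags])
```

Running the scenario shows the article's point directly: with post-encapsulation the 1100-byte tunnel MTU is never consulted, so the 1556-byte ESP packet is only split at the 1500-byte physical MTU, while pre-encapsulation splits the clear-text packet so every encapsulated piece fits 1100 bytes and each piece carries its own ESP header.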
In the IPSec configuration below, the wan1 MTU size needs to be set to 1100 for IP fragmentation to work with post-encapsulation:
config vpn ipsec phase1-interface
    edit "IPSec-VPN"
        set interface "wan1"    <- The MTU size on this port needs to be set to 1100.
        set peertype any
        set net-device disable
        set proposal aes128-sha256
        set remote-gw 10.10.10.10
        set psksecret xxxxxxxx
    next
end
If the pre-encapsulation method is acceptable, set the MTU size on the IPSec tunnel interface as shown below.
config system interface
    edit "IPSec-VPN"
        set vdom "root"
        set type tunnel
        set mtu-override enable    <- Enable MTU override on the tunnel interface.
        set mtu 1100               <- Tunnel interface MTU.
        set interface "wan1"
    next
end
To check the MTU size of an interface, use 'diag netlink interface list <name>'.
diag netlink interface list IPSec-VPN
if=IPSec-VPN family=00 type=768 index=28 mtu=1100 link=0 master=0 ref=13 state=start present fw_flags=0 flags=up p2p run noarp multicast
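As an added example (not FortiOS code), the following parser reads the 'diag netlink interface list' output format shown above and checks that an interface is up with the MTU the fragmentation design expects. The sample output embedded in the block is constructed from the interface line in this article plus the echoed command; the function names and the list of fields treated as integers are this example's own choices.

```python
"""Parse the output of 'diag netlink interface list' and confirm an interface
has the MTU the fragmentation design expects. Added example, not FortiOS
code; the sample output below is constructed from the line in this article."""
from typing import Any, Dict, List

# Constructed capture: the echoed command followed by the interface line.
SAMPLE_OUTPUT = """\
diag netlink interface list IPSec-VPN
if=IPSec-VPN family=00 type=768 index=28 mtu=1100 link=0 master=0 ref=13 state=start present fw_flags=0 flags=up p2p run noarp multicast
"""

# Fields converted to int; the choice of fields is this example's assumption.
INT_FIELDS = ("type", "index", "mtu", "link", "master", "ref")


def parse_netlink_interfaces(output: str) -> List[Dict[str, Any]]:
    """Return one dict per 'if=' line. key=value tokens become fields, bare
    words (such as 'present') become boolean fields, and everything after
    'flags=' is collected into a list because the flags are space separated."""
    interfaces: List[Dict[str, Any]] = []
    for line in output.splitlines():
        line = line.strip()
        if not line.startswith("if="):
            continue  # skip the echoed command, prompts and blank lines
        entry: Dict[str, Any] = {}
        flags: List[str] = []
        in_flags = False
        for token in line.split():
            if in_flags:
                flags.append(token)
            elif "=" in token:
                key, value = token.split("=", 1)
                if key == "flags":
                    in_flags = True
                    flags.append(value)
                else:
                    entry[key] = int(value) if key in INT_FIELDS else value
            else:
                entry[token] = True
        entry["flags"] = flags
        interfaces.append(entry)
    return interfaces


def check_mtu(output: str, name: str, expected_mtu: int) -> List[str]:
    """Return a list of findings; an empty list means the interface is
    present, up, and has the expected MTU. Useful as a before/after check
    when changing mtu-override or the physical interface MTU."""
    findings: List[str] = []
    matches = [i for i in parse_netlink_interfaces(output) if i.get("if") == name]
    if not matches:
        return [f"{name}: not present in output"]
    iface = matches[0]
    if iface.get("mtu") != expected_mtu:
        findings.append(f"{name}: mtu={iface.get('mtu')}, expected {expected_mtu}")
    if "up" not in iface["flags"]:
        findings.append(f"{name}: interface is not up")
    return findings


if __name__ == "__main__":
    print(check_mtu(SAMPLE_OUTPUT, "IPSec-VPN", 1100) or "IPSec-VPN MTU OK")
```

Feeding the output of the command without an interface name (which lists every interface) works the same way, since the parser keys on lines starting with 'if=' and ignores everything else; checking both the tunnel interface and its underlying physical port (wan1 in the configuration above) against the MTU each mode actually uses is the quickest way to confirm which value will take effect.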
Note: If the desired or expected fragmentation result is not obtained, check whether the IP packet's DF bit is ON or whether FortiOS honor-df is enabled, and adjust the settings until the desired result is achieved. Capturing and analyzing the packets with Wireshark will give a detailed picture of what is taking place.
Copyright 2024 Fortinet, Inc. All Rights Reserved.