Subject: Re: problem with ipsec tunnel fragmentation
To: Brett Lymn <blymn@baesystems.com.au>
From: Greg Troxel <gdt@ir.bbn.com>
List: current-users
Date: 11/12/2007 11:19:35
  22:16:39.453531 IP (tos 0x0, ttl 127, id 7021, offset 0, flags [DF], proto TCP (6), length 40) 192.168.2.254.ms-wbt-server > 192.168.169.129.capioverlan: ., cksum 0x92fa (correct), ack 2108 win 64917
  22:16:39.770892 IP (tos 0x0, ttl 127, id 7022, offset 0, flags [+], proto TCP (6), length 540) 192.168.1.253.65145 > 192.168.169.129.capioverlan: . 4220967112:4220967612(500) ack 1262729909 win 65535
  22:16:39.771000 IP (tos 0x0, ttl 127, id 7022, offset 520, flags [none], proto TCP (6), length 56) 192.168.1.253 > 192.168.169.129: tcp

Hmm, it doesn't look like those sequence numbers match up, but not sure
if you used -S on tcpdump to keep it from noticing the first one and
going relative.

My current guess is that when the 'esp fragmentation happens', which
seems to be fragmenting the packet going into the tunnel, that the nat
isn't happening.
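
An added example, not part of the original message: a Python sketch that parses the three `tcpdump -v` lines quoted above, groups fragments by IP id, checks that they form a contiguous, complete datagram, and lists the source addresses seen toward each destination. It assumes a 20-byte IP header (no options); the function names are hypothetical.

```python
import re
from collections import defaultdict

# The three capture lines quoted in the message above.
CAPTURE = """\
22:16:39.453531 IP (tos 0x0, ttl 127, id 7021, offset 0, flags [DF], proto TCP (6), length 40) 192.168.2.254.ms-wbt-server > 192.168.169.129.capioverlan: ., cksum 0x92fa (correct), ack 2108 win 64917
22:16:39.770892 IP (tos 0x0, ttl 127, id 7022, offset 0, flags [+], proto TCP (6), length 540) 192.168.1.253.65145 > 192.168.169.129.capioverlan: . 4220967112:4220967612(500) ack 1262729909 win 65535
22:16:39.771000 IP (tos 0x0, ttl 127, id 7022, offset 520, flags [none], proto TCP (6), length 56) 192.168.1.253 > 192.168.169.129: tcp
"""

IP_HDR = 20  # assumption: no IP options, so the header is 20 bytes

LINE = re.compile(
    r"id (?P<id>\d+), offset (?P<off>\d+), flags \[(?P<flags>[^\]]*)\], "
    r"proto \S+ \(\d+\), length (?P<len>\d+)\) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\S* > (?P<dst>\d+\.\d+\.\d+\.\d+)")

def parse(capture):
    pkts = []
    for line in capture.splitlines():
        m = LINE.search(line)
        if m:
            pkts.append({"id": int(m["id"]), "off": int(m["off"]),
                         "mf": "+" in m["flags"], "len": int(m["len"]),
                         "src": m["src"], "dst": m["dst"]})
    return pkts

def fragmented_datagrams(pkts):
    """Map (src, dst, id) -> (reassembled payload bytes, complete?)."""
    groups = defaultdict(list)
    for p in pkts:
        if p["mf"] or p["off"] > 0:          # only real fragments
            groups[(p["src"], p["dst"], p["id"])].append(p)
    out = {}
    for key, frags in groups.items():
        frags.sort(key=lambda p: p["off"])
        nxt, contiguous = 0, True
        for p in frags:
            contiguous = contiguous and p["off"] == nxt
            nxt = p["off"] + p["len"] - IP_HDR   # end of this fragment's payload
        out[key] = (nxt, contiguous and not frags[-1]["mf"])
    return out

def sources_by_dst(pkts):
    """Distinct source addresses seen toward each destination."""
    by_dst = defaultdict(set)
    for p in pkts:
        by_dst[p["dst"]].add(p["src"])
    return dict(by_dst)
```

On the quoted capture, the two fragments with id 7022 reassemble to 556 bytes of IP payload, and two different source addresses appear toward 192.168.169.129.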