SRX
  • 1.  SRX - IPSec VPN and df-bit configuration

     
    Posted 11-20-2015 07:55

    Hi,

     

    Just curious about what the config parameter "set ipsec vpn xxxx df-bit clear" is meant to be doing.

    Quoting from KB25625 [http://kb.juniper.net/InfoCenter/index?page=content&id=KB25625&actp=search]:

     

    "The default behavior of DF-bit, when the traffic goes to the IPSec tunnel, is to not change the DF-bit of the inner IP header and clear the DF-bit flag on the outer IP header."

    The default behavior for the outer header is DF=0.

     

    I was looking to clear the DF bit of the inner IP header (setting it to 0) in an IPSec VPN setup, the same as can be done on a GRE tunnel with "set interfaces gr-x/x/x.x clear-dont-fragment-bit".  I thought "set security ipsec vpn xxxx df-bit clear" would do the trick, but:

    #set df-bit ?
    Possible completions:
      clear    Clear DF bit of outer header
      copy     Copy DF bit from inner header
      set      Set DF bit of outer header

     

    Is there any way to clear the DF bit of the inner header in an IPSec VPN tunnel?




  • 2.  RE: SRX - IPSec VPN and df-bit configuration

    Posted 11-22-2015 10:42

    Hi,

     

    I see no reason to set the inner header DF bit value ...

     

    If the DF bit is set in the inner IP header, it MUST be set in the outer IP header; if the DF bit is not set in the inner IP header, it MAY be set in the outer IP header.

     

    Outer IPv4 header | Tunnel headers | Inner IPv4 header | Data

     

    Source: http://www.networksorcery.com/enp/protocol/ip-ip.htm

     

    Unless the experts of the forum see something else.

  • 3.  RE: SRX - IPSec VPN and df-bit configuration

     
    Posted 11-23-2015 01:30

    Hi,

     

    Thanks for the reply.

    The issue being faced is that some HTTP application has DF=1 (Don't Fragment) in the IP header and the traffic is being dropped midway to the destination.  If the inner DF-bit is not copied to the outer header in IPSec, ICMP Type 3 Code 4 is not transmitted back to the source by the SRX and traffic is getting dropped.

     

    After adding "set ipsec vpn xxxx df-bit copy" to the IPSec tunnel config, ICMP Type 3 Code 4 is being relayed to the source, allowing for TCP window resizing. Very often ICMP is filtered, and relying on ICMP Type 3 Code 4 is not what we want in this case.

     

    Before copying the DF bit from inner to outer header:

    When we send ICMP with DF=0 and large sized packets, fragmentation is happening and we are receiving the ICMP replies.

    When we send ICMP with DF=1 and large sized packets, no ICMP replies are being received.

     

    This indicates that when DF=0 for large packets, fragmentation is happening and working correctly.

    I was looking for some solution where the original DF bit in the IP header can be cleared.
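To make the three df-bit modes from the CLI help in the first post and the before/after behaviour described in this post concrete, here is a simplified model added for this thread (not code from the thread or from Juniper). It assumes a plain IP-in-IP style encapsulation with a 20-byte outer header and no ESP overhead, and it models only the encapsulating device's decision for an oversized packet (fragment the outer packet when outer DF=0, return ICMP Type 3 Code 4 when outer DF=1); whatever drops the traffic further along the path is not modelled.

```python
import struct

DF = 0x4000      # Don't Fragment flag: bit 14 of the IPv4 flags/fragment-offset field
OUTER_HDR = 20   # outer IPv4 header added by the tunnel (assumption: no ESP overhead)
MODES = ("clear", "copy", "set")   # the three df-bit values from the SRX CLI help

def ipv4_header(src, dst, total_len, df, proto=6, ident=1, ttl=64):
    """Build a 20-byte IPv4 header with a valid checksum; src/dst are 4-byte addresses."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident,
                      DF if df else 0, ttl, proto, 0, src, dst)
    s = sum(struct.unpack("!10H", hdr))          # one's-complement sum of 16-bit words
    s = (s & 0xFFFF) + (s >> 16)
    s = (s & 0xFFFF) + (s >> 16)
    return hdr[:10] + struct.pack("!H", (~s) & 0xFFFF) + hdr[12:]

def header_checksum_ok(hdr):
    """A correct IPv4 header sums (with folding) to 0xFFFF."""
    s = sum(struct.unpack("!10H", hdr[:20]))
    s = (s & 0xFFFF) + (s >> 16)
    return (s & 0xFFFF) + (s >> 16) == 0xFFFF

def df_flag(pkt):
    """Read the DF flag of a raw IPv4 packet."""
    return bool(struct.unpack("!H", pkt[6:8])[0] & DF)

def encapsulate(inner, mode, tun_src, tun_dst):
    """Add the outer header, choosing its DF bit the way the SRX df-bit setting does."""
    if mode not in MODES:
        raise ValueError("unknown df-bit mode: %r" % mode)
    outer_df = {"clear": False, "set": True, "copy": df_flag(inner)}[mode]
    # proto 4 = IP-in-IP; a real ESP tunnel would use proto 50 and add ESP overhead
    return ipv4_header(tun_src, tun_dst, OUTER_HDR + len(inner), outer_df, proto=4) + inner

def tunnel_action(inner, mode, tunnel_mtu,
                  tun_src=b"\x0a\x00\x00\x01", tun_dst=b"\x0a\x00\x00\x02"):
    """What the encapsulating device does with one inner packet under the given mode."""
    outer = encapsulate(inner, mode, tun_src, tun_dst)
    if len(outer) <= tunnel_mtu:
        return "forward"
    if df_flag(outer):
        return "icmp-type3-code4"   # PMTUD: tell the sender, drop the packet
    return "fragment-outer"         # outer DF=0: fragment the encapsulated packet

def compare_modes(inner, tunnel_mtu):
    """Action per df-bit mode for one inner packet; inner DF=1 is what the thread hit."""
    return {mode: tunnel_action(inner, mode, tunnel_mtu) for mode in MODES}

if __name__ == "__main__":
    # constructed sample: a 1500-byte inner packet with DF=1 over a 1500-byte tunnel MTU
    big = ipv4_header(b"\xc0\xa8\x01\x0a", b"\xc0\xa8\x02\x0a", 1500, True) + b"x" * 1480
    print(compare_modes(big, 1500))
```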