How to force VPN-1/FireWall-1 4.1 to fragment encrypted packets
when running on Windows NT 4.0, Solaris, Linux and Nokia

To force VPN-1/FireWall-1 4.1 to fragment encrypted packets on Windows NT 4.0, it is necessary to modify the system registry. Using regedt32, complete the following steps:

1. Navigate to "HKey_Local_Machine\System\CurrentControlSet\Services\FW1\Parameters"
2. Choose Edit, Add value
3. For "Value Name" enter: IPSecAlwaysFragment
4. For "Data Type" enter: REG_DWORD
5. Choose OK
6. For "Data", enter: 1
7. Reboot the system

On Solaris

Method 1:
Causes the parameter to return to the default value (1) upon reboot

1. Stop FireWall-1 (fwstop)
2. At the command line, type:
echo "fw_ipsec_dont_fragment?w 0x0" | adb -w -k /dev/ksyms /dev/mem
3. Restart FireWall-1 (fwstart)

Method 2:
1. Open the file /etc/system with a text editor
2. Add the following line at the end of the file:
set fw:fw_ipsec_dont_fragment = 0x0
3. Reboot the machine

On Nokia IPSO (VPN-1 Appliance or Nokia IPxxx)
You will need to get the 'modzap' utility from Resolution 1261 in Nokia's Knowledge Base. You can then use the following command line to modify the fwhmem parameter and reboot the system:

# modzap -s _fw_ipsec_dont_fragment $FWDIR/modules/fwmod.o 0x0

On Linux, add the following to $FWDIR/boot/modules/fwkern.conf and restart FireWall-1:

fw_ipsec_dont_fragment=0
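
The Solaris Method 2 and Linux steps above each add one parameter line to a boot-time configuration file. The shell functions below are an added example, not part of the original article or of Check Point's tooling: they make that edit idempotent, so re-running the procedure replaces an existing fw_ipsec_dont_fragment line instead of appending a second, possibly conflicting, one, and they read the value back so the change can be confirmed before the reboot or fwstart. The file paths passed to the functions are assumptions; on a real system they would be $FWDIR/boot/modules/fwkern.conf and /etc/system.

```shell
#!/bin/sh
# Added example (not from the original article): idempotently set a
# kernel-parameter line in a FireWall-1 boot configuration file.
# Handles the Linux form   "fw_ipsec_dont_fragment=0"
# and the Solaris form     "set fw:fw_ipsec_dont_fragment = 0x0".
# Callers supply the file path; the paths in the tests are constructed.

# set_conf_line FILE KEY_REGEX NEWLINE
# Replace the first line matching KEY_REGEX (anchored at line start) with
# NEWLINE and drop any further matches; append NEWLINE when nothing matches.
# Commented-out lines (starting with '#') never match because of the anchor.
set_conf_line() {
    file=$1; key_re=$2; newline=$3
    tmp="${file}.tmp.$$"
    [ -f "$file" ] || : > "$file"
    if grep -q "^${key_re}" "$file"; then
        # awk avoids sed delimiter problems with ':' and '=' in the key
        awk -v re="^${key_re}" -v nl="$newline" '
            $0 ~ re { if (!done) { print nl; done = 1 }; next }
            { print }
        ' "$file" > "$tmp"
    else
        cat "$file" > "$tmp"
        printf '%s\n' "$newline" >> "$tmp"
    fi
    mv "$tmp" "$file"
}

# get_conf_value FILE KEY_REGEX
# Print the value after '=' on the first line matching KEY_REGEX.
get_conf_value() {
    grep "^$2" "$1" | head -n 1 | sed 's/^[^=]*=[[:space:]]*//'
}

# Linux: $FWDIR/boot/modules/fwkern.conf uses key=value lines.
# Prints the value now stored in the file (expected: 0).
linux_set_dont_fragment() {
    set_conf_line "$1" 'fw_ipsec_dont_fragment[[:space:]]*=' \
        'fw_ipsec_dont_fragment=0'
    get_conf_value "$1" 'fw_ipsec_dont_fragment'
}

# Solaris: /etc/system uses "set module:param = value" lines.
# Prints the value now stored in the file (expected: 0x0).
solaris_set_dont_fragment() {
    set_conf_line "$1" 'set[[:space:]]*fw:fw_ipsec_dont_fragment[[:space:]]*=' \
        'set fw:fw_ipsec_dont_fragment = 0x0'
    get_conf_value "$1" 'set[[:space:]]*fw:fw_ipsec_dont_fragment'
}
```

Usage: `linux_set_dont_fragment "$FWDIR/boot/modules/fwkern.conf"` followed by an fwstop/fwstart, or `solaris_set_dont_fragment /etc/system` followed by a reboot. Either function prints the value it left in the file, so a value other than 0 (Linux) or 0x0 (Solaris) means the edit did not take and the restart should not proceed.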

23RD JAN 2003 JIM PARKER