[Openswan Users] Openswan, ADSL and slow connections

Gary W. Smith gary at primeexalia.com
Fri Nov 11 10:11:27 CET 2005


We had a similar problem with large packets over IPSec.  As mentioned
below we did put MTU=1400 on both ends and it resolved the problem.  It
had something to do with the provider adding an extra 64 bytes of
overhead per packet.

-----Original Message-----
From: users-bounces at openswan.org [mailto:users-bounces at openswan.org] On Behalf Of Paul Wouters
Sent: Friday, November 11, 2005 8:51 AM
To: Andrej Trobentar
Cc: users at openswan.org
Subject: Re: [Openswan Users] Openswan, ADSL and slow connections

On Fri, 11 Nov 2005, Andrej Trobentar wrote:

> client ---- fw1 ------<internet>----- fw2 ---- camera

> Here's the tcpdump trace from 2) :
>
> 08:54:21.306132 192.168.0.1 > 192.168.0.61: icmp: 192.168.15.11
> unreachable - need to frag [tos 0xc0]

> So I guess it has something to do with the fragmentation. I have tried
> to put "overridemtu=1492", "overridemtu=500", "overridemtu=1500", ... in
> the ipsec.conf on fw2, but with no luck. I have tried to upgrade fw2 to
> openswan 2.4.2rc1, but the problem still exists.

Did you try setting a smaller MTU on the *other side* of the link?

> I have attached the ipsec.conf and ifconfig from fw2. Please let me know
> if you need any more information...

Remember overridemtu only works with klips, not netkey. I am not sure if
you are using klips.

A few things to try:
- lower mtu on both sides using overridemtu= if using klips
- use TCP clamping (see archive or wiki)
- reduce the LAN ethernet mtu's on both ends to about 1400

Paul