<div dir="ltr"><div style><div>Trying with your rule sends a message in dmesg: xt_TCPMSS: Only works on TCP SYN packets</div><div><br></div><div>Then I found this page: <a href="http://c3tech.com.ar/blog/?p=327">http://c3tech.com.ar/blog/?p=327</a></div>
<div><br></div><div>With this I set this rule:</div><div><br></div><div>iptables -I POSTROUTING -t nat -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu</div><div><br></div><div>This works perfectly now.</div><div>
<br></div><div>Thanks for your help.</div></div><div><br></div></div><div class="gmail_extra"><br clear="all"><div>--<div>Alonso Manilla</div></div>
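To make visible what the two iptables rules in this thread differ on, here is an added example in Python; it is not code from the original thread, from the Openswan project or from the kernel. It emulates what the xt_TCPMSS target does with <code>--clamp-mss-to-pmtu</code> on a single IPv4 TCP segment: only a SYN (and not SYN+RST) carries an MSS option, the option is lowered to the path MTU minus the 40 bytes of minimum IPv4 and TCP headers, the TCP checksum is recomputed, and any other segment is passed through untouched, which is why the rule must match <code>--tcp-flags SYN,RST SYN</code>. The addresses 192.0.2.10 and 198.51.100.20, the ports and the PMTU of 1400 are constructed sample values; the MSS of 1460 is the one seen in the tcpdump output below.

```python
import struct

IPV4_HDR_LEN = 20
TCP_MIN_HDR_LEN = 20
TCP_OPT_EOL, TCP_OPT_NOP, TCP_OPT_MSS, TCP_OPT_SACKOK = 0, 1, 2, 4
FLAG_SYN, FLAG_RST, FLAG_ACK = 0x02, 0x04, 0x10

# Constructed sample endpoints (RFC 5737 documentation addresses).
SRC_IP = bytes([192, 0, 2, 10])
DST_IP = bytes([198, 51, 100, 20])


def tcp_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> int:
    """Ones'-complement checksum over the IPv4 pseudo-header plus TCP segment.

    Verifying a segment whose checksum field is already correct yields 0."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(segment))
    data = pseudo + segment
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_syn(src_ip, dst_ip, sport, dport, seq, mss):
    """Construct a minimal TCP SYN carrying MSS, SACK-permitted and two NOPs."""
    options = (struct.pack("!BBH", TCP_OPT_MSS, 4, mss)
               + bytes([TCP_OPT_SACKOK, 2, TCP_OPT_NOP, TCP_OPT_NOP]))
    hdr_len = TCP_MIN_HDR_LEN + len(options)          # 28 bytes
    data_offset = (hdr_len // 4) << 4                 # upper nibble of byte 12
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, 0,
                      data_offset, FLAG_SYN, 5792, 0, 0) + options
    cs = tcp_checksum(src_ip, dst_ip, hdr)
    return hdr[:16] + struct.pack("!H", cs) + hdr[18:]


def find_mss(segment: bytes):
    """Walk the TCP option list; return (offset of MSS value, MSS) or None."""
    data_offset = (segment[12] >> 4) * 4
    i = TCP_MIN_HDR_LEN
    while i < data_offset:
        kind = segment[i]
        if kind == TCP_OPT_EOL:
            break
        if kind == TCP_OPT_NOP:
            i += 1
            continue
        if i + 1 >= data_offset:
            break                                     # truncated option
        length = segment[i + 1]
        if length < 2:
            break                                     # malformed option
        if kind == TCP_OPT_MSS and length == 4:
            return i + 2, struct.unpack("!H", segment[i + 2:i + 4])[0]
        i += length
    return None


def clamp_mss(src_ip, dst_ip, segment: bytes, pmtu: int):
    """Emulate `-j TCPMSS --clamp-mss-to-pmtu` on one IPv4 TCP segment.

    Returns (segment, mss_after): mss_after is None when the segment is
    not a plain SYN or carries no MSS option, i.e. nothing was done."""
    if pmtu <= IPV4_HDR_LEN + TCP_MIN_HDR_LEN:
        raise ValueError("path MTU too small to carry any TCP payload")
    flags = segment[13]
    if not (flags & FLAG_SYN) or (flags & FLAG_RST):
        return segment, None         # the target only acts on SYN segments
    found = find_mss(segment)
    if found is None:
        return segment, None
    offset, mss = found
    new_mss = pmtu - IPV4_HDR_LEN - TCP_MIN_HDR_LEN
    if mss <= new_mss:
        return segment, mss          # already small enough: leave untouched
    seg = bytearray(segment)
    struct.pack_into("!H", seg, offset, new_mss)
    struct.pack_into("!H", seg, 16, 0)               # zero, then recompute
    struct.pack_into("!H", seg, 16, tcp_checksum(src_ip, dst_ip, bytes(seg)))
    return bytes(seg), new_mss


if __name__ == "__main__":
    syn = build_syn(SRC_IP, DST_IP, 53464, 9080, 3217152997, 1460)
    seg, mss = clamp_mss(SRC_IP, DST_IP, syn, pmtu=1400)
    print("MSS before:", find_mss(syn)[1], "after:", mss)
    ack = syn[:13] + bytes([FLAG_ACK]) + syn[14:]
    print("pure ACK clamped?", clamp_mss(SRC_IP, DST_IP, ack, 1400)[1])
```

Run it as a script to see the SYN's MSS drop from 1460 to 1360 for a 1400-byte PMTU while a pure ACK is returned unchanged; the 40-byte subtraction is the IPv4 and TCP minimum header sizes, which is the arithmetic the clamp option performs for an IPv4 path.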
<br><br><div class="gmail_quote">2013/5/9 Leto <span dir="ltr"><<a href="mailto:letoams@gmail.com" target="_blank">letoams@gmail.com</a>></span><br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="auto"><div><br></div><div>You have an MTU problem; try:</div><div><br></div><div>iptables -I FORWARD -p tcp -j TCPMSS --clamp-mss-to-pmtu</div><div><br></div><div><br><br>sent from a tiny device </div><div><div class="h5">
<div><br>On 2013-05-09, at 13:56, Alonso Manilla <<a href="mailto:alonso.manilla@gmail.com" target="_blank">alonso.manilla@gmail.com</a>> wrote:<br><br></div><blockquote type="cite"><div><div dir="ltr">Hi,<div><br>
</div>
<div><div>I have a VPN up from Linux (Ubuntu 12.04, kernel 3.2) to a Stonegate provider with this ipsec.conf:<br></div><div><br></div><div><div>################ /etc/ipsec.conf ###################</div>
<div>version 2.0 </div><div>config setup</div><div><span style="white-space:pre-wrap">        </span>plutoopts="--perpeerlog"</div><div><span style="white-space:pre-wrap">        </span>dumpdir=/var/run/pluto/</div><div><span style="white-space:pre-wrap">        </span>nat_traversal=yes</div>
<div><span style="white-space:pre-wrap">        </span>virtual_private=%v4:<a href="http://128.9.0.0/16,%v4:172.22.11.10/32" target="_blank">128.9.0.0/16,%v4:172.XX.XX.XX/32</a></div><div><span style="white-space:pre-wrap">        </span>oe=off</div>
<div><span style="white-space:pre-wrap">        </span>protostack=netkey</div><div><span style="white-space:pre-wrap">        </span>plutostderrlog=/var/log/debug/pluto.log</div><div><span style="white-space:pre-wrap">        </span>interfaces=%defaultroute</div>
<div>conn burocredito</div><div> type=tunnel</div><div>######### ubuntu</div><div> left=85.YY.YYY.YYY</div><div> leftsubnet=<a href="http://172.22.11.10/32" target="_blank">172.XX.XX.XX/32</a></div><div>
leftnexthop=%defaultroute</div><div>######### stonegate</div><div> right=200.76.208.137</div><div> rightid=128.100.100.1</div><div> rightsubnet=<a href="http://128.9.0.0/16" target="_blank">128.9.0.0/16</a></div>
<div> rightnexthop=%defaultroute</div><div> pfs=yes</div><div> auto=start</div><div> ike=3des-md5;modp1024</div><div> keylife=60m</div><div> authby=secret</div><div> ikelifetime=1440m</div>
<div> esp=3des-md5</div><div> compress=no</div><div> forceencaps= yes</div><div><br></div></div><div><br></div><div>I send a ping and it's OK, but when I send telnet data I lose the answer from the Stonegate.</div>
<div><br></div><div>Using tcpdump I can see the data (XML for web services) is there, but I can't forward it to the browser (web services) or to the console (telnet). This is what I get:</div><div><br></div><div><div><font size="1">11:49:33.139349 IP 128.9.55.102.9080 > 172.XX.XX.XX.53442: Flags [.], ack 1939285834, win 54, options [nop,nop,TS val 3424378112 ecr 26675747], length 0</font></div>
<div><font size="1">E..4..@.>....<span style="white-space:pre-wrap">        </span>7f...</font></div><div><font size="1">#x....|.s.'J...6.......</font></div><div><font size="1">......</font></div><div><font size="1">#</font></div>
<div><font size="1">11:49:36.687277 IP 128.9.55.102.9080 > 172.XX.XX.XX.53464: Flags [S.], seq 3217152997, ack 1868879689, win 5792, options [mss 1460,sackOK,TS val 3424381659 ecr 26676634,nop,wscale 7], length 0</font></div>
<div><font size="1">E..<..@.>..,.<span style="white-space:pre-wrap">        </span>7f...</font></div><div><font size="1">#x......od.I....%..........</font></div><div><font size="1">......</font></div><div><font size="1">11:49:36.871684 IP 128.9.55.102.9080 > 172.XX.XX.XX.53464: Flags [.], ack 183, win 54, options [nop,nop,TS val 3424381818 ecr 26676674], length 0</font></div>
<div><font size="1">E..40.@.>....<span style="white-space:pre-wrap">        </span>7f...</font></div><div><font size="1">#x......od.....6i......</font></div><div><font size="1">...z..</font></div><div><font size="1">11:49:37.010269 IP 128.9.55.102.9080 > 172.XX.XX.XX.53464: Flags [P.], seq 1449:2381, ack 183, win 54, options [nop,nop,TS val 3424381862 ecr 26676674], length 932</font></div>
<div><font size="1">E...0.@.>....<span style="white-space:pre-wrap">        </span>7f...</font></div><div><font size="1">#x......od.....6.......</font></div><div><font size="1">.tput message="tns:consultaXMLResponse"></font></div>
<div><font size="1"> </output></font></div><div><font size="1"> </operation></font></div><div><font size="1"> </portType></font></div><div><font size="1"> <binding name="WSConsultaPortBinding" type="tns:WSConsultaDelegate"></font></div>
<div><font size="1"> <soap:binding style="document" transport="<a href="http://schemas.xmlsoap.org/soap/http" target="_blank">http://schemas.xmlsoap.org/soap/http</a>"/></font></div><div><font size="1"> <operation name="consultaCC"></font></div>
<div><font size="1"> <soap:operation soapAction=""/></font></div><div><font size="1"> <input></font></div><div><font size="1"> <soap:body use="literal"/></font></div>
<div><font size="1"> </input></font></div><div><font size="1"> <output></font></div><div><font size="1"> <soap:body use="literal"/></font></div><div><font size="1"> </output></font></div>
<div><font size="1"> </operation></font></div><div><font size="1"> <operation name="consultaXML"></font></div><div><font size="1"> <soap:operation soapAction=""/></font></div>
<div><font size="1"> <input></font></div><div><font size="1"> <soap:body use="literal"/></font></div><div><font size="1"> </input></font></div><div><font size="1"> <output></font></div>
<div><font size="1"> <soap:body use="literal"/></font></div><div><font size="1"> </output></font></div><div><font size="1"> </operation></font></div><div><font size="1"> </binding></font></div>
<div><font size="1"> <service name="WSConsultaService"></font></div><div><font size="1"> <port name="WSConsultaPort" binding="tns:WSConsultaPortBinding"></font></div><div><font size="1"> <soap:address location="<a href="http://128.9.55.102:9080/WSConsultaBCC/WSConsultaService" target="_blank">http://128.9.55.102:9080/WSConsultaBCC/WSConsultaService</a>"/></font></div>
<div><font size="1"> </port></font></div><div><font size="1"> </service></font></div><div><font size="1"></definitions></font></div><div><font size="1"><br></font></div><div><font size="1"><br></font></div>
<div><font size="1">11:49:37.010488 IP 128.9.55.102.9080 > 172.XX.XX.XX.53464: Flags [FP.], seq 2381:2386, ack 183, win 54, options [nop,nop,TS val 3424381864 ecr 26676674], length 5</font></div><div><font size="1">E..90.@.>....<span style="white-space:pre-wrap">        </span>7f...</font></div>
<div><font size="1">#x.....2od.....6.......</font></div><div><font size="1">.0....</font></div><div><font size="1"><br></font></div><div><font size="1"><br></font></div><div><font size="1">11:50:06.868990 IP 128.9.55.102.9080 > 172.</font><span style="font-size:x-small">XX.XX.XX</span><font size="1">.53464: Flags [.], ack 184, win 54, options [nop,nop,TS val 3424411845 ecr 26684178], length 0</font></div>
<div><font size="1">E..40.@.>....<span style="white-space:pre-wrap">        </span>7f...</font></div><div><font size="1">#x.....8od.....6.......</font></div><div><font size="1">..`...+.</font></div><div><br></div></div><div>
<br>
</div><div>I just tried with iptables (I'm not an expert) to forward it, but I don't know what else I need to make it work.</div><div><br></div><div><br></div><div><div style="font-family:arial,sans-serif;font-size:13px">Can you please help me find a solution?</div>
</div><div><br></div><div>--<div>Alonso Manilla</div></div>
</div></div>
</div></blockquote></div></div><blockquote type="cite"><div><span>_______________________________________________</span><br><span><a href="mailto:Users@lists.openswan.org" target="_blank">Users@lists.openswan.org</a></span><br>
<span><a href="https://lists.openswan.org/mailman/listinfo/users" target="_blank">https://lists.openswan.org/mailman/listinfo/users</a></span><br><span>Micropayments: <a href="https://flattr.com/thing/38387/IPsec-for-Linux-made-easy" target="_blank">https://flattr.com/thing/38387/IPsec-for-Linux-made-easy</a></span><br>
<span>Building and Integrating Virtual Private Networks with Openswan:</span><br><span><a href="http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155" target="_blank">http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155</a></span><br>
</div></blockquote></div></blockquote></div><br></div>