[Openswan dev] [Openswan Users] KLIPS MTU problem

Wolfgang Nothdurft wolfgang at linogate.de
Wed Jul 13 10:04:34 EDT 2011 

Am 13.07.2011 15:38, schrieb Wolfgang Nothdurft:
> Am 29.06.2011 12:50, schrieb Paul Overton:
>> Paul,
>>
>> Many thanks for your reply and that of Roel.
>>
>> I can confirm that protostack=klips is configured, and that the servers in question were using klips. 
>>
>> I have done some tests using 2.6.31, 2.6.33 and 2.6.34.
>>
>> From what I see, the overridemtu= setting works up to 2.6.31.
>>
>> 2.6.33 ignores both mtu= within the connection specific settings and overridemtu= as a global setting.
>>
>> 2.6.34 sets the route specific MTU by using iproute2, but seems to ignore the overridemtu setting.
>>
>> I note that when using versions 2.6.31 or earlier, the MTU of the ipsecx interface is set when klips starts up if the overridemtu directive is set. In Versions 2.6.33 and 2.6.34 the MTU of the ipsecx interface does not change even if overridemtu is set.
>>
>> Regards Paul
>>
>> -----Original Message-----
>> From: Paul Wouters [mailto:paul at xelerance.com] 
>> Sent: 28 June 2011 15:48
>> To: Paul Overton
>> Cc: users at openswan.org
>> Subject: Re: [Openswan Users] KLIPS MTU problem
>>
>> On Tue, 28 Jun 2011, Paul Overton wrote:
>>
>>> I have been using openswan for a number of years and generally have no issues with stability etc.
>>>
>>> However I have one location where NAT-T and fragmentation are an issue. The host network provides a 1:1 NAT with a real world IP address for all clients (This is a
>>> business centre). The Business centre external firewall blocks and drops all fragmented frames at 1420 bytes.
>>>
>>> In Openswan (KLIPS) I have used the “overridemtu=” setting to produce a tunnel which never allows the UDP encap frames to fragment, however I have found that
>>>  opensewan 2.6.33 ignores this directive.
>>>
>>> Has this command been removed, negated or replaced ?
>>
>> Not intentionally. Are you perhaps using the mast stack by accident? Set protostack=klips to ensure
>> you are using klips and not mast. Also if possible, use openswan 2.6.34.
>>
>> If you still have the issue, do you see a "fixup mtu" line on startup?
>>
>> Paul
>>
> this was broken with the change from ifconfig to the ip command in:
> 
> http://git.openswan.org/cgi-bin/gitweb.cgi?p=openswan.public/.git;a=commitdiff;h=27b18776321417bc8e244d0b35a177f09ece7547
> 
> here is a fix.
> 
> --- programs/_startklips/_startklips.in 2011-07-13 15:31:10.000000000 +0200
> +++ programs/_startklips/_startklips.in 2011-07-13 15:32:04.000000000 +0200
> @@ -261,7 +261,7 @@
>                                 cmd = cmd " dev " virt "> /dev/null"
>                                 system(cmd)
>                         }' phys=$phys virt=$virt
> -               ip link set up dev $virt
> +               ip link set up mtu $pyhs_mtu dev $virt
>          fi
> 
>          # Double check the mtu is not 0 - if it is set it to a saner
> default
> 
> 
> Wolfgang

sorry for the typo, it must be $phys_mtu

--- programs/_startklips/_startklips.in 2011-07-13 15:31:10.000000000 +0200
+++ programs/_startklips/_startklips.in 2011-07-13 15:53:28.000000000 +0200
@@ -261,7 +261,7 @@
                                cmd = cmd " dev " virt "> /dev/null"
                                system(cmd)
                        }' phys=$phys virt=$virt
-               ip link set up dev $virt
+               ip link set up mtu $phys_mtu dev $virt
         fi

         # Double check the mtu is not 0 - if it is set it to a saner
default

More information about the Dev mailing list