[Openswan Users] Hung sessions in 2.1. under 2.6.7
shane at howsyournetwork.com
Thu Aug 26 12:09:25 CEST 2004
Paul Wouters <paul at xelerance.com> [2004-08-26 18:54]:
> Just for my understanding, what was running on the workstation (OS and
> ipsec?) and what was running on the laptop?
Here's a crude diagram:
Linux Workstation<-->Laptop<--->VPN<--->Concentrator<--->Remote Network
So, the Linux workstation is running Gentoo Linux (2.6.8 kernel), but it isn't doing any ipsec at all (none in the kernel, no openswan installed). The Laptop/Firewall is also running Gentoo (2.6.7 hardened kernel) and it has Openswan 2.1.4. The concentrator is a Cisco VPN 3060 Concentrator.
I was able to resolve the problem by changing the MTU on the Linux workstation to 1400.
> See openswan-dev, it's been hacked together by Nate already. Now
> Michael gets to properly fix the things Nate found.
That's good news.
> I think the problem here might actually be the path-mtu discovery
> failing in the 2.6 kernel with native ipsec. So lowering the mtu on
> that end doesn't help, since the other end is still talking to a
> broken path-mtu discovery machine. But once you lower the mtu on the
> remote end, path-mtu failure doesn't matter, since the mtu is small
> enough to begin with.
That makes perfect sense. I just finished compiling 2.6.8 on the firewall; I'll reboot and reply.
Shane Hickey <shane at howsyournetwork.com>: Network/System Consultant
GPG KeyID: 777CBF3F
Key fingerprint: 254F B2AC 9939 C715 278C DA95 4109 9F69 777C BF3F
Listening to: Tangerine Dream - Origin of Supernatural Probabilities