[Openswan Users] Hung sessions in 2.1.[45] under 2.6.7

Shane Hickey shane at howsyournetwork.com
Thu Aug 26 12:09:25 CEST 2004

Paul Wouters <paul at xelerance.com> [2004-08-26 18:54]:
> Just for my understanding, what was running on the workstation (OS and
> ipsec?) and what was running on the laptop?

Here's a crude diagram:

Linux Workstation<-->Laptop<--->VPN<--->Concentrator<--->Remote Network

So, the Linux workstation is running Gentoo Linux (2.6.8 kernel), but it isn't doing any ipsec at all (none in the kernel, no openswan installed).  The Laptop/Firewall is also running Gentoo (2.6.7 hardened kernel) and it has Openswan 2.1.4.  The concentrator is a Cisco VPN 3060 Concentrator.

I was able to resolve the problem by changing the MTU on the Linux workstation to 1400.

> See openswan-dev, it's been hacked togehter by Nate already. Now
> Michael gets to properly fix the things Nate found.

That's good news.
> I think the problem here might actually be the path-mtu discovery
> failing in the 2.6 kernel with native ipsec. So lowering the mtu on
> that end doesn't help, since the other end is still talking to a
> broken path-mtu discovery machine. But once you lower the mtu on the
> remote end, path-mtu failure doesn't matter, since the mtu is small
> enough to begin with.

That makes perfect sense.  I just finished compiling 2.6.8 on the firewall, I'll reboot and reply.

Shane Hickey <shane at howsyournetwork.com>: Network/System Consultant
Key fingerprint: 254F B2AC 9939 C715 278C  DA95 4109 9F69 777C BF3F
Listening to: Tangerine Dream - Origin of Supernatural Probabilities

More information about the Users mailing list