[Openswan Users] stuck in STATE_MAIN_I3/STATE_MAIN_R2

Oskar Liljeblad oskar at osk.mine.nu
Wed Oct 13 12:20:07 CEST 2004

On Wednesday, October 13, 2004 at 18:27, Herbert Xu wrote:
> Actually I misread your packet dump.  The flag '+' above indicates that
> this is a fragment.  So it looks like something in the path can't deal
> with fragments.  This is confirmed by your ping results as 1473 is the
> smallest ICMP payload where you start getting fragments with an MTU of
> 1500.
> Do a traceroute from alpha to beta and ping -s 1473 each hop to discover
> where the problem is.

Thanks Herbert. There are some weird hops in the middle of the
traceroute (hops with 192.168-adresses) that I cannot ping at all.
I think those are the root of the problem, since I can't ping -s 1473
anything beyond them.

Is it acceptable that your ISP cannot deal with fragmented packets?
Is there anything else besides big pings and IPsec that will break
because of this? (I tried hping2 and I know it doesn't deal with
fragmented UDP packets either. Isn't it strange that other traffic
works well otherwise?) The reason I want to know is so that
I have a good case to present for my ISP...


Oskar Liljeblad (oskar at osk.mine.nu)

More information about the Users mailing list