[Openswan Users] MTU problems.

Martin Wickman martin at wickman.com
Mon Sep 6 00:10:44 CEST 2004


Linux Openswan U2.1.5/K2.6.8.1- (native) (native) using x.509.

I've managed to set up a so-so working ipsec tunnel between my two 
networks. Both NAT'ed, local net is a dialup ADSL, remote end is static.

The major issue is related to sending and receiving _large_ packets. 
Using ethereal and others, I found out that the problem was MTU related.

I changed the MTU on my local machine to match the NAT-router I am using 
(ADSL with MTU 1454) using 'ifconfig eth0 mtu 1454'. That made it 
possible to _send_ any packets without any problems. Problem is that I 
can only receive packets smaller than (I think) 1325 bytes from the 
office network. Trying anything larger than that results in a stalled 
connection. My guess is that fiddling with different MTU values will fix 
this eventually, but:

1. How is it possible that my tunnel works without having made _any_ 
changes to the firewall/NAT-gateway? That is, nothing ipsec-related has 
been enabled in the firewall.

2. Would fixing the firewall to forward the public ipsec-ports (TCP-50, 
UDP-500 or whatnot) to my machine help me with this problem?

3. I have no ipsec0 interface so I have to change MTU manually on eth0. 
Is there a better way to do this? (overridemtu did not help).

4. It seems an awful lot of work to get the MTU-values to match on all 
involved networks (my ADSL vs. the office network). Is there a better 
way to fix this?

/Thanks a lot for any hints!
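The sizing question behind points 3 and 4 (how much of the link MTU is left for the inner packet once ESP wraps it) can be worked out rather than found by trial and error. The following Python is an added example, not part of the original post and not Openswan code. It uses the fixed ESP tunnel-mode field sizes from RFC 4303 (8-byte SPI/sequence header, 2-byte trailer, CBC padding to the cipher block size) and the 8-byte UDP header that NAT traversal (RFC 3948) adds; the cipher and integrity sizes (3DES-CBC or AES-CBC with HMAC-SHA1-96) are assumptions chosen for illustration, as is the 1454-byte ADSL MTU taken from the post. It does not claim to reproduce the poster's observed 1325-byte limit, which also depends on the office side's path.

```python
"""Compute the inner-packet budget of an IPsec ESP tunnel (tunnel mode, IPv4).

Added example: constants are from RFC 4303 (ESP) and RFC 3948 (UDP
encapsulation for NAT traversal); cipher/ICV sizes are assumed for illustration.
"""
from dataclasses import dataclass

OUTER_IPV4 = 20    # outer IPv4 header added by tunnel mode
UDP_ENCAP = 8      # UDP header when the tunnel is NAT-T encapsulated (port 4500)
ESP_HEADER = 8     # SPI (4) + sequence number (4)
ESP_TRAILER = 2    # pad length (1) + next header (1), inside the padded block
IPV4_TCP_HEADERS = 40  # inner IPv4 (20) + TCP (20), used for an MSS estimate


@dataclass(frozen=True)
class EspParams:
    block: int   # cipher block size: CBC pads payload+trailer to a multiple of this
    iv: int      # IV carried in clear before the encrypted payload
    icv: int     # integrity check value appended after the payload
    nat_t: bool  # True when ESP is wrapped in UDP (NAT traversal)


# Assumed example suites (sizes are the standard ones for these algorithms).
TRIPLE_DES_SHA1 = EspParams(block=8, iv=8, icv=12, nat_t=False)
TRIPLE_DES_SHA1_NAT_T = EspParams(block=8, iv=8, icv=12, nat_t=True)
AES_CBC_SHA1_NAT_T = EspParams(block=16, iv=16, icv=12, nat_t=True)


def fixed_overhead(p: EspParams) -> int:
    """Bytes added outside the padded payload: headers, IV, ICV, UDP wrapper."""
    return OUTER_IPV4 + (UDP_ENCAP if p.nat_t else 0) + ESP_HEADER + p.iv + p.icv


def padded_payload(inner_len: int, block: int) -> int:
    """Inner packet + ESP trailer, rounded up to the cipher block size."""
    return (inner_len + ESP_TRAILER + block - 1) // block * block


def outer_size(inner_len: int, p: EspParams) -> int:
    """On-the-wire size of the outer packet carrying an inner packet of inner_len."""
    return fixed_overhead(p) + padded_payload(inner_len, p.block)


def max_inner(mtu: int, p: EspParams) -> int:
    """Largest inner IP packet whose ESP wrapping still fits in mtu unfragmented."""
    budget = mtu - fixed_overhead(p)
    if budget < p.block:
        raise ValueError(f"MTU {mtu} too small for ESP with {p}")
    return (budget // p.block) * p.block - ESP_TRAILER


def tcp_mss(mtu: int, p: EspParams) -> int:
    """TCP MSS an inner host should advertise to stay within the tunnel budget."""
    return max_inner(mtu, p) - IPV4_TCP_HEADERS


def largest_inner_on_path(link_mtus, p: EspParams) -> int:
    """The tunnel budget is set by the smallest MTU on the outer path."""
    return min(max_inner(m, p) for m in link_mtus)


if __name__ == "__main__":
    adsl_mtu = 1454  # the poster's ADSL link MTU
    for name, p in [("3DES/SHA1", TRIPLE_DES_SHA1),
                    ("3DES/SHA1 NAT-T", TRIPLE_DES_SHA1_NAT_T),
                    ("AES/SHA1 NAT-T", AES_CBC_SHA1_NAT_T)]:
        inner = max_inner(adsl_mtu, p)
        print(f"{name:16} max inner {inner}  TCP MSS {tcp_mss(adsl_mtu, p)}  "
              f"wire size {outer_size(inner, p)}")
```

The useful reading is the gap between the link MTU and `max_inner`: anything the remote side sends larger than that either gets fragmented by the ESP endpoint or, when a router on the path drops fragments or ICMP "fragmentation needed" messages, stalls exactly as described. Clamping TCP MSS on the inner interfaces to `tcp_mss(...)` avoids having to match MTU values across every network involved.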
