Problems with Large Packets? - ps ax hangs in ssh - tunnel over wireless network

Markus Meissner mlist at meissner.IT
Wed Apr 20 17:26:58 CEST 2005


I have a very odd problem with a new tunnel. In short: I have a tunnel
for two subnets over a wireless link. Without the tunnel everything works
like a charm, fast and reliable. After setting up the tunnel everything
looks ok, I can ping a host from one subnet to another and I can log in via
ssh. But if I try to execute commands on the remote host, the console
"hangs". The problem is 100% reproducible with the following commands:

while true; do date; done -> creates a lot of output, runs without problems
"ps ax" or "find /" hangs after a few letters. Always. Sometimes after 10
letters, sometimes after 100 letters, but it never returns to my shell.

Testing this on the console (with tunnel enabled) is ok, no problem. Testing
it without tunnel per ssh is ok, no problem. Other services like http or smb
behave the same: No problem without tunnel, hangs with tunnel.

I found a hint in the FAQ that this might be an MTU problem. I tried to set
overridemtu=1430 on both sides but it has no effect.

So, please help me: I don't know where to debug this problem. What can I do?

Both vpn-routers are Debian Sarge with openswan 2.3.0-2 (tested
freeswan-2.04 before)
gw1: kernel 2.6.8-1-k7
gw2: kernel 2.4.27 and 2.6.11 tested
Host1: Debian sarge
Host2: Windows XP with putty
om: other machine with debian sarge, madwifi with wpa
ap: Netgear WG102 Access Point

Host1 <-> gw2 <-> om <-> ap <-> gw1 <-> host2

Startup messages from /var/log/auth.log:
ipsec__plutorun: Starting Pluto subsystem...
pluto: Starting Pluto (Openswan Version 2.3.0 X.509-1.5.4 PLUTO_USES_KEYRR)
pluto: Setting port floating to off
pluto: port floating activate 0/1
pluto:   including NAT-Traversal patch (Version 0.6c) [disabled]
pluto: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
pluto: starting up 1 cryptographic helpers
pluto: started helper pid=5554 (fd:6)
pluto: Using Linux 2.6 IPsec interface code
pluto: Changing to directory '/etc/ipsec.d/cacerts'
pluto:   loaded CA cert file 'cacert.pem' (1436 bytes)
pluto:   loaded CA cert file 'ca...' (1127 bytes)
pluto: Could not change to directory '/etc/ipsec.d/aacerts'
pluto: Changing to directory '/etc/ipsec.d/ocspcerts'
pluto: Changing to directory '/etc/ipsec.d/crls'
pluto:   Warning: empty directory
pluto:   loaded host cert file '/etc/ipsec.d/certs/anton....pem' (1285
pluto:   loaded host cert file '/etc/ipsec.d/certs/moment...pem' (1139
pluto: added connection description "sr1-sr2"
pluto: listening for IKE messages
pluto: adding interface eth1/eth1
pluto: adding interface eth0/eth0
pluto: adding interface lo/lo
pluto: adding interface lo/lo ::1
pluto: loading secrets from "/etc/ipsec.secrets"
pluto:   loaded private key file '/etc/ipsec.d/private/moment...-key.pem'
(891 bytes)
pluto: "sr1-sr2" #1: initiating Main Mode
pluto: | no IKE algorithms for this connection
pluto: "sr1-sr2" #1: received Vendor ID payload [Dead Peer Detection]
pluto: "sr1-sr2" #1: transition from state STATE_MAIN_I1 to state
pluto: "sr1-sr2" #1: I am sending my cert
pluto: "sr1-sr2" #1: I am sending a certificate request
pluto: "sr1-sr2" #1: transition from state STATE_MAIN_I2 to state
pluto: "sr1-sr2" #1: Main mode peer ID is ID_DER_ASN1_DN: '...anton...'
pluto: "sr1-sr2" #1: no crl from issuer "...anton..." found (strict=no)
pluto: "sr1-sr2" #1: transition from state STATE_MAIN_I3 to state
pluto: "sr1-sr2" #1: ISAKMP SA established
pluto: "sr1-sr2" #2: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP
{using isakmp#1}
pluto: "sr1-sr2" #2: transition from state STATE_QUICK_I1 to state
pluto: "sr1-sr2" #2: sent QI2, IPsec SA established {ESP=>0x8c5eea46

