[Openswan Users] Problems with Large Packets? - ps ax hangs in ssh - tunnel over wireless network
Tomasz Grzelak
tgrzelak at wktpolska.com.pl
Wed Apr 20 21:07:28 CEST 2005
Markus Meissner wrote:
>>first read some articles, they may give you some answers and/or shed more
>>light on the case:
>>
>>http://www.netheaven.com/pmtu.html
>>http://alive.znep.com/~marcs/mtu/
>
>
> Thanks for the quick response. I think I have now understood the mtu
> problem.
>
>>check if you allow to pass icmp responsible for the MTU discovery; maybe
>>you block them, and if you let them through it would solve the problem...
>>maybe...
>
>
> Checked by disabling the whole firewall, setting all to ACCEPT. No change.
check that you accept icmp packets on all interfaces; run tcpdump to see
if they go through
If I understand the articles well, you should see the icmp [type 3, code
4] packets
I didn't check it myself on my server 'cause I managed to make it
work with the MSS rule
>>On the other hand you have another choice that worked for me - add the
>>following rules to the iptables script:
>>
>>$IPT -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1416
>>
>>(apply it for all packets going through the tunnel) I know it does not
>>solve the problem for the udp "big" packets, but for tcp connections it
>>really suits my needs.
>
>
> It would suit my needs, too, but it doesn't work. I have added the rule on
> both gateways and checked that they have caught some packets, but I still
> have the same effect.
check again and see if the MSS rule is really executed; place the rule
at the top of your iptables script
it's very easy to make such a mistake 'cause if you ACCEPT a packet
first it will have no chance to match another rule - so make the MSS
rule the first rule, and ACCEPT the packet after that
if there is still no success, try to lower the mss value to 1400 or much
lower, for example 1200, just to see if it works then
> Uah, 10 minutes later =) I have set the mtu on the client (the ssh-server)
> to 1413 and it works! What I don't understand is that I have to set the mtu
> on the "client" and one hop later, on the gateway, it doesn't work.
avoid this; changing the mtu on all LAN interfaces is the last thing you
should do; forget about it
try to find a solution not affecting hosts in LANs
IPsec should be transparent to hosts making connections
use google and try to find other archived mails about vpn, ipsec
encapsulation and mtu
Good Luck!
Tomasz Grzelak
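The two checks suggested in the message above (is the TCPMSS clamp actually reachable before an ACCEPT in the FORWARD chain, and do ICMP type 3 code 4 "fragmentation needed" messages show up in tcpdump) can be scripted. The following is an added example written for this archive page; it is not code from the thread or from the Openswan project. The iptables -S and tcpdump output it parses are constructed samples, and the MSS arithmetic assumes IPv4 and TCP headers without options (20 + 20 bytes), which is the poster's 1416 when the path MTU is 1456.

```python
"""Sanity checks for the MSS-clamping / PMTU discussion in the thread.

1. clamp_is_reachable(): in iptables, the first matching terminating target
   wins, so an ACCEPT placed before the TCPMSS rule in FORWARD means the clamp
   never runs.  We flag any ACCEPT that precedes the first TCPMSS rule.
2. frag_needed_events(): pull ICMP "unreachable - need to frag (mtu N)" lines
   out of tcpdump output; if none appear while large transfers stall, PMTU
   discovery is being blocked somewhere.
3. mss_for_mtu(): the MSS value to clamp to for a given path MTU.
"""
import re

# Constructed sample of `iptables -S FORWARD`: the ACCEPTs sit in front of the
# TCPMSS rule, so every forwarded SYN is accepted before it can be clamped.
IPTABLES_FORWARD_BAD = """\
-P FORWARD DROP
-A FORWARD -i eth1 -o ipsec0 -j ACCEPT
-A FORWARD -i ipsec0 -o eth1 -j ACCEPT
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1416
"""

# Same rules with the clamp moved to the top, as the message recommends.
IPTABLES_FORWARD_GOOD = """\
-P FORWARD DROP
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1416
-A FORWARD -i eth1 -o ipsec0 -j ACCEPT
-A FORWARD -i ipsec0 -o eth1 -j ACCEPT
"""

# Constructed tcpdump lines; addresses are made up for the example.
TCPDUMP_SAMPLE = """\
21:05:12.101 IP 192.168.1.1 > 192.168.1.20: ICMP 10.0.0.5 unreachable - need to frag (mtu 1416), length 556
21:05:12.102 IP 192.168.1.20.22 > 10.0.0.5.40212: . 1:1417(1416) ack 1 win 5840
21:05:13.004 IP 192.168.1.20 > 192.168.1.1: ICMP echo request, id 1234, seq 1, length 64
"""

IPV4_PLUS_TCP_HEADER_BYTES = 40  # assumption: IPv4 and TCP headers without options


def mss_for_mtu(path_mtu):
    """MSS that fits a TCP segment into path_mtu bytes (1456 -> 1416)."""
    return path_mtu - IPV4_PLUS_TCP_HEADER_BYTES


def forward_rules(iptables_s_output):
    """Return the '-A FORWARD ...' rule lines in chain order (policy line dropped)."""
    return [line.strip() for line in iptables_s_output.splitlines()
            if line.startswith("-A FORWARD")]


def clamp_shadowed_by(rules):
    """ACCEPT rules that precede the first TCPMSS rule, or None if there is no
    TCPMSS rule at all.  Conservative: any earlier ACCEPT is reported, even one
    whose match would not cover a TCP SYN."""
    clamp_index = next((i for i, rule in enumerate(rules) if "-j TCPMSS" in rule), None)
    if clamp_index is None:
        return None
    return [rule for rule in rules[:clamp_index] if "-j ACCEPT" in rule]


def clamp_is_reachable(rules):
    """True only if a TCPMSS rule exists and no ACCEPT sits in front of it."""
    shadowing = clamp_shadowed_by(rules)
    return shadowing is not None and len(shadowing) == 0


FRAG_NEEDED = re.compile(
    r"IP (\S+) > (\S+): ICMP (\S+) unreachable - need to frag \(mtu (\d+)\)")


def frag_needed_events(tcpdump_output):
    """Extract ICMP type 3 code 4 messages as dicts: sender, receiver, the
    unreachable destination, and the next-hop MTU the router advertised."""
    events = []
    for line in tcpdump_output.splitlines():
        match = FRAG_NEEDED.search(line)
        if match:
            events.append({"from": match.group(1), "to": match.group(2),
                           "unreachable": match.group(3), "mtu": int(match.group(4))})
    return events


if __name__ == "__main__":
    for label, sample in (("bad", IPTABLES_FORWARD_BAD), ("good", IPTABLES_FORWARD_GOOD)):
        rules = forward_rules(sample)
        print(label, "clamp reachable:", clamp_is_reachable(rules),
              "shadowed by:", clamp_shadowed_by(rules))
    for event in frag_needed_events(TCPDUMP_SAMPLE):
        print("frag needed:", event, "-> clamp to mss", mss_for_mtu(event["mtu"]))
```

On a real gateway, feed it `iptables -S FORWARD` and `tcpdump -ni eth0 icmp` output instead of the constructed samples; a FORWARD chain whose ACCEPT precedes the clamp is exactly the "packets counted but nothing changes" symptom described in the thread.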