[Openswan Users] Problems with Large Packets? - ps ax hangs in ssh - tunnel over wireless network
Norbert Wegener
nw at sbs.de
Wed Apr 20 22:03:52 CEST 2005
We had a similar problem in some countries. It turned out that setting
the mtu size of the eth device to 1366 and additionally overridemtu=1366
solved that problem for us.
Norbert Wegener
Tomasz Grzelak wrote:
> Markus Meissner wrote:
>
>>> first read some articles, they may give you some answers and/or more
>>> light on the case:
>>> http://www.netheaven.com/pmtu.html
>>> http://alive.znep.com/~marcs/mtu/
>>
>> Thanks for the quick response. I think I have now understood the mtu
>> problem.
>>
>>> check if you allow the icmp packets responsible for MTU discovery to
>>> pass; maybe you block them, and if you let them through it would solve
>>> the problem... maybe...
>>
>> Checked by disabling the whole firewall, setting all to ACCEPT. No
>> change.
>
> check that you accept icmp packets on all interfaces; run tcpdump to
> see if they go.
> If I understand the articles well you should see the icmp [type 3,
> code 4] packets.
> I didn't check it myself on my server 'cause I managed to make it
> work with the MSS rule.
>
>>> On the other hand you have another choice that worked for me - add the
>>> following rules to the iptables script:
>>> $IPT -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1416
>>>
>>> (apply it for all packets going through the tunnel) I know it does not
>>> solve the problem for the udp "big" packets, but for tcp connections it
>>> really suits my needs.
>>
>> It would suit my needs, too, but it doesn't work. I have added the
>> rule on both gateways and checked that they have caught some packets,
>> but I still have the same effect.
>
> check again and see if the MSS rule is really executed; place the rule
> at the top of your iptables script
> it's very easy to make such a mistake 'cause if you ACCEPT a packet
> first it will have no chance to match another rule - so make the MSS
> rule the first rule, and after that ACCEPT a packet
>
> if still no success try to lower the mss value to 1400 or much lower,
> for example 1200, just to see if it works then
>
>> Uah, 10 minutes later =) I have set the mtu on the client (the
>> ssh-server) to 1413 and it works! What I don't understand is that I
>> have to set the mtu on the "client" and one hop later, on the gateway,
>> it doesn't work.
>
> avoid this; changing mtu on all LAN interfaces is the last thing you
> should do; forget about it
> try to find a solution not affecting hosts in LANs
> IPSec should be transparent to hosts making connections
>
> use google and try to find other archived mails about vpn, ipsec
> encapsulation and mtu
>
> Good Luck!
> Tomasz Grzelak
> _______________________________________________
> Users mailing list
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
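An added worked example, not code from the thread or from Openswan: it derives a TCP MSS from a tunnel path MTU (MSS = MTU minus the 20-byte IPv4 and 20-byte TCP headers), emits the FORWARD rules in the order Tomasz insists on (TCPMSS clamp before any ACCEPT, with ICMP "fragmentation needed" allowed through), and checks that ordering. The ipsec interface name `ipsec0` and the `IPT` dry-run default are assumptions, so nothing is applied unless you set `IPT=iptables`.

```shell
#!/bin/sh
# Added example (not from the thread). IPT defaults to a dry run that only
# prints the iptables commands; set IPT=iptables to apply them for real.
IPT="${IPT:-echo iptables}"

# MSS for a given path MTU: subtract 20 bytes IPv4 header + 20 bytes TCP header.
# 1456 -> 1416 (the value used in the thread); rejects non-numeric or tiny MTUs.
mss_for_mtu() {
    mtu="$1"
    [ "$mtu" -gt 40 ] 2>/dev/null || { echo "bad mtu: $mtu" >&2; return 1; }
    echo $((mtu - 40))
}

# Rule specs for the tunnel side, one per line, in the required order:
#   1. clamp MSS on SYN packets  (must come BEFORE any ACCEPT, or it never matches)
#   2. let ICMP type 3 code 4 through so path MTU discovery can still work
#   3. only then ACCEPT forwarded traffic towards the tunnel
# $1 = MSS to clamp to, $2 = ipsec interface (assumed default: ipsec0).
forward_rules() {
    mss="$1"; dev="${2:-ipsec0}"
    cat <<EOF
-A FORWARD -o $dev -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss $mss
-A FORWARD -p icmp --icmp-type fragmentation-needed -j ACCEPT
-A FORWARD -o $dev -j ACCEPT
EOF
}

# Sanity check on a ruleset read from stdin: exit 0 only if a TCPMSS rule
# appears before the first "-j ACCEPT" rule (the ordering mistake from the thread).
mss_before_accept() {
    awk '/TCPMSS/ {m=NR} /-j ACCEPT/ && !a {a=NR} END {exit !(m && a && m < a)}'
}

# Apply (or, by default, print) the rules for the given MSS and interface.
apply_rules() {
    forward_rules "$@" | while IFS= read -r spec; do
        $IPT $spec   # word splitting is intended: spec is an argument list
    done
}

mss="$(mss_for_mtu 1456)"
forward_rules "$mss" | mss_before_accept || { echo "rule order wrong" >&2; exit 1; }
apply_rules "$mss"
```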