[Openswan Users] Kernel 2.6.10 solved fragmentation issue for me

Christoph Haas email at christoph-haas.de
Sat Apr 30 21:34:24 CEST 2005

Dear community... :)

I had refused to migrate from my stone-aged FreeS/WAN setup to OpenS/WAN
because I experienced problems with large packets through the tunnel
(aside from ugly crashes with the net-snmpd software). This seems to
have been a problem with not treating the "need to fragment" message
correctly. Connections with "large packets" were just stuck. The last
message in a 'tethereal' dump was "IP Fragmented IP protocol". It
happened when doing data transfers that hit the MTU. Working through SSH
worked. Copying data with 'scp' stuck. RDP connections stuck, too.

Then I found a posting from Herbert Xu on this list as a reply to
someone having the same problem as me. He suggested trying the Linux
kernel 2.6.10. And voila - it seems to have been resolved finally.
So it probably wasn't an OpenS/WAN problem after all. Just wanted to
drop a note for those who suffered from the same problem. 2.6.8 doesn't
make it either.

Btw, is there any news on NAT'ed connections with the IPSEC stack from
the Linux kernel? I understood that KLIPS would be needed to run VPNs
from NAT'ed gateways. Wasn't KLIPS supposed to be replaced by the
kernel's IPSEC stack? Maybe I got this wrong but I found the
documentation a bit confusing since FreeS/WAN started to fall apart.
What is the status here? I have fixed IP addresses here. But my
coworkers do not - they just get a single dynamic IP address assigned by
their ISP and need to NAT their internal networks. And I'd like to help
them move to OpenS/WAN, too.

Hope this helped someone...

".signature" [Modified] 3 lines --100%--                3,41         All
