[Openswan Users] OpenSWAN / Native 2.6 IPSec: MTU / PMTUD woes

Jan Koop ceb at cbct.de
Mon Feb 7 11:26:31 CET 2005


Hi list,

I just wanted to share my partially horrifying experience with Native 
2.6 Kernel IPSec, OpenSWAN and path MTU discovery (PMTUD) with the list.

Problem description: Large packets near LAN MTU (1500) get dropped when 
passing tunnel (with the DF flag set), TCP sessions hang (e.g. ssh-login 
OK, 'ls' works, but cat'ting a large file makes the terminal hang), the 
effect on UDP connections is unknown to me.

I tracked the problem down to some kind of MTU issue, usually with KLIPS 
under kernel 2.4 I used parameters like overridemtu to control such 
issues when necessary, but that only applies to KLIPS with its ipsecN 
interfaces. Under kernel 2.6 native ipsec, pmtud with ipsec is reported 
to be broken in the posts I dug out.
I found a partial solution, only for TCP, namely MSS clamping with 
netfilter. This did work, but a particular UDP application still wasn't 
working. On the search for a solution I came across a way to achieve an 
"overridemtu"-like behavior. This didn't solve the problem with the 
UDP-dependent application though :(, but can be used as an alternative 
to MSS clamping.
I just modified the _updown script to set the mtu to 1412 (hopefully 
enough room for all overheads to come) on the routes it sets up.

diff:
------------------------------------------------------------------------------------------------------- 
/usr/lib/ipsec/_updown      2005-01-06 13:55:08.000000000 +0100
+++ /root/bin/ipsec_updown.mtufix       2005-02-07 09:40:57.309394632 +0100
@@ -316,6 +316,9 @@
            parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*}"
        fi

+       # fix MTU issues
+       parms3="$parms3 mtu 1412"
+
        case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
        "0.0.0.0/0.0.0.0")
                # opportunistic encryption work around
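Review bot: the route MTU is hardcoded as 1412 and appended to parms3 unconditionally, so every route this script installs gets it, including on gateways whose outer path MTU or ESP overhead differ from the one this value was tuned for. Suggest taking the value from a shell variable (hypothetical name `ROUTE_MTU` here) and only appending when it is set, e.g. `[ -n "$ROUTE_MTU" ] && parms3="$parms3 mtu $ROUTE_MTU"`, so the unpatched behaviour stays the default; the comment `# fix MTU issues` should also state why the override is needed (PMTUD through native 2.6 IPsec does not work, so the route MTU stands in for what overridemtu did on KLIPS ipsecN interfaces), otherwise the next maintainer cannot tell whether the constant is still required.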
----------------------------------------------------------------------------------------------------

Maybe it wouldn't be bad for this to be controllable via ipsec.conf in some 
way, like "if overridemtu is set, then if KLIPS, set the MTU on the ipsecN 
interface, else set the MTU on the host/net route".

Well, this does work now for TCP. If I understand correctly, this is a 
static solution, while clamping the MSS to the pmtu would be more dynamic.

I will have to look in other places for a fix to the UDP problem - if 
anyone has any idea why Apple Remote Desktop shows a mouse pointer, but 
no graphics after the connection succeeded - please share it with me ;). 
It used to work with a 2.4 / KLIPS-based gateway, but when I switched 
over to 2.6 native IPSec the woes began.

Bye,
Jan
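As an added example that is not part of Jan's post, a small POSIX sh script that works out how much room ESP tunnel-mode overhead leaves under a given outer MTU, so a static route MTU like the 1412 in the _updown patch can be checked against the actual cipher and NAT-T configuration. The sizes it assumes (IPv4 outer header, CBC ciphers with an IV equal to the block size, 96-bit HMAC ICV, 8-byte UDP header for NAT traversal) are stated in the comments; the function names are the example's own.

```shell
#!/bin/sh
# Added example: largest inner (cleartext) IPv4 packet that still fits one
# outer packet in ESP tunnel mode, for judging a static route MTU.
# Assumed layout: 20-byte outer IPv4 header, 8-byte ESP header (SPI + seq),
# IV equal to the cipher block size (CBC mode), 2-byte ESP trailer
# (pad length + next header), ICV appended; optional 8-byte UDP header for NAT-T.

# esp_inner_mtu OUTER_MTU BLOCK_SIZE ICV_LEN NATT
#   OUTER_MTU  MTU of the physical path (1500 Ethernet, 1492 PPPoE)
#   BLOCK_SIZE cipher block/IV size in bytes (16 for AES-CBC, 8 for 3DES-CBC)
#   ICV_LEN    authenticator length in bytes (12 for HMAC-SHA1-96 / HMAC-MD5-96)
#   NATT       1 if UDP encapsulation (NAT traversal) is in use, else 0
esp_inner_mtu() {
    outer=$1; block=$2; icv=$3; natt=$4
    overhead=$((20 + 8 + block + icv))
    if [ "$natt" -eq 1 ]; then
        overhead=$((overhead + 8))
    fi
    # Inner packet + padding + 2-byte trailer must be a whole number of
    # cipher blocks, so round the remaining room down to a block boundary
    # and subtract the trailer to get the largest inner packet.
    avail=$((outer - overhead))
    echo $(( (avail / block) * block - 2 ))
}

# tcp_mss_for_mtu INNER_MTU: the TCP MSS that fits an inner MTU
# (20-byte IPv4 header + 20-byte TCP header), i.e. the static value
# an MSS-clamping rule would use instead of clamping to the path MTU.
tcp_mss_for_mtu() {
    echo $(( $1 - 40 ))
}

# Worked cases: a static route MTU of 1412 must not exceed any of them.
for cfg in "1500 16 12 0" "1500 16 12 1" "1492 8 12 1"; do
    inner=$(esp_inner_mtu $cfg)   # word-splitting of $cfg into 4 args is intended
    echo "outer/block/icv/natt $cfg -> inner MTU $inner, TCP MSS $(tcp_mss_for_mtu "$inner")"
done
```

Run with any POSIX sh; the loop prints 1438, 1422 and 1430 for the three constructed cases, which shows why 1412 leaves a comfortable margin even with NAT-T over PPPoE.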
