[Openswan Users] packets freeze

Paul Overton paul at trusted-management.com
Mon Feb 21 11:24:57 CET 2005


Jef,

I have seen this a number of times, particularly with ADSL and Wireless
networks. In principle the MTU of many of these connections should be 1500
bytes, but in practice it is often in the region of 1400... 

Many IPsec tunnels also have a restriction in MTU size, which will only
serve to compound the problem. Normally, however, the TCP stack will use an
ICMP MTU resize packet to inform each end that the MTU is too large and ask
for a re-negotiate. This will usually resolve the MTU problem. However, if
your source, destination (IPsec) or any other inline device (normal network)
has all ICMP packets blocked, then this normal process will not work. In the
latter case the only solution is to manually reduce the MTU size of either
end of the VPN.

In Windows this is a registry tweak. It is probably better to find a Windows
utility to make these changes. This type of fix is not for most users
though.

Paul



-----Original Message-----
From: users-bounces at openswan.org [mailto:users-bounces at openswan.org] On
Behalf Of jef peeraer
Sent: 19 February 2005 12:42
To: users at openswan.org
Subject: [Openswan Users] packets freeze

For the moment I am a happy openswan user (latest version), which runs on
a gateway now and serves up to 16 roadwarriors, thanks to the advice of
people on IRC and newsgroup!!
Yesterday I did another install of a roadwarrior, set up some tunnels,
pinging was OK, for both sides, I was editing a file via the tunnel, and
everything froze. Tried a ping with great size, didn't get through it. The new
installation is an ISDN/ADSL connection. I read something about this MTU
parameter. Can I adjust it for that tunnel, or do I have to fiddle with the
modem/routers?


jef peeraer
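
Added example (not part of the original messages): one way to measure the usable path MTU discussed in this thread is to binary-search the largest ICMP echo payload that reaches a host behind the tunnel with the Don't Fragment bit set. It assumes Linux iputils ping (`-M do`) and that echo requests and replies are not filtered; the function names and the 500-1472 byte search bounds are choices made for this example.

```shell
#!/bin/sh
# Added example: find the largest unfragmented payload to a peer.
# Usage (assumed invocation): sh pmtu.sh <host-behind-tunnel>

# probe_ping HOST SIZE
# Sends one echo request with SIZE payload bytes and DF set (iputils ping).
# Fails on "message too long" and also on a silent drop, which is what an
# ICMP-filtering hop (a PMTU black hole) produces.
probe_ping() {
    ping -M do -c 1 -W 2 -s "$2" "$1" >/dev/null 2>&1
}

# find_max_payload PROBE HOST LO HI
# Binary search for the largest payload in [LO, HI] that PROBE accepts.
# Prints the size; prints 0 and returns 1 if even LO does not get through.
find_max_payload() {
    probe=$1 host=$2 lo=$3 hi=$4
    "$probe" "$host" "$lo" || { echo 0; return 1; }
    while [ "$lo" -lt "$hi" ]; do
        mid=$(( (lo + hi + 1) / 2 ))
        if "$probe" "$host" "$mid"; then
            lo=$mid            # mid fits, search above it
        else
            hi=$(( mid - 1 ))  # mid is too big, search below it
        fi
    done
    echo "$lo"
}

# payload_to_mtu SIZE
# Adds the 20-byte IPv4 header and the 8-byte ICMP header to the payload.
payload_to_mtu() {
    echo $(( $1 + 28 ))
}

# Run a real measurement only when a host is given on the command line.
if [ -n "${1:-}" ]; then
    p=$(find_max_payload probe_ping "$1" 500 1472) || {
        echo "no reply even at 500 bytes (is ICMP echo filtered?)" >&2
        exit 1
    }
    echo "largest DF payload: $p bytes, path MTU about $(payload_to_mtu "$p")"
fi
```

If the reported value is well below 1500, the interface or tunnel MTU on one end can be lowered to match, which is the manual reduction described above.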