[Openswan Users] packets freeze

Rolf Offermanns roffermanns at sysgo.com
Mon Feb 21 12:42:08 CET 2005

On Monday 21 February 2005 12:24, Paul Overton wrote:
> Jef,
> I have seen this a number of times, particularly with ADSL and Wireless
> networks. In principle the MTU of many of these connections should be 1500
> bytes, but in practice it is often in the region of 1400...
Only Ethernet has a MTU of 1500. For pppoe it's usually 1492 and the 
*required* MTU size that must be supported by a TCP/IP stack is as low as 576 
(IIRC). So anything betweem may happen on the packets way through the 

> Many Ipsec tunnels also have a restriction in MTU size, which will only
> serve to compound the problem, normally, however, the TCP stack will use an
> ICMP mtu resize packet to inform each end that the MTU is to large and ask
> for a re-negotiate. 

While this is correct, unfortunately the 2.6er IPSec stack does not support 
PMTU (yet).

> This will usually resolve the MTU problem, however, if 
> your source, destination (Ipsec) or any other inline device (Normal
> network) has all ICMP packets blocked then this normal process will not
> work. In the latter case the only solution is to manually reduce the MTU
> size of either end of the VPN.

That's my experience, too.
You may also try to set the MTU size based on the destination using the 
iproute2 utility.

ip route add x.x.x.x via y.y.y.y mtu 1400

Something like this should set the mtu for packets to x.x.x.x via gateway 
y.y.y.y to 1400. The exact parameters may be slightly different.

Rolf Offermanns <roffermanns at sysgo.com>
SYSGO AG     Tel.: +49-6136-9948-0
Am Pfaffenstein 14   Fax: +49-6136-9948-10
55270 Klein-Winternheim  http://www.sysgo.com

More information about the Users mailing list