[Openswan Users] packets freeze
Rolf Offermanns
roffermanns at sysgo.com
Mon Feb 21 12:42:08 CET 2005
On Monday 21 February 2005 12:24, Paul Overton wrote:
> Jef,
>
> I have seen this a number of times, particularly with ADSL and Wireless
> networks. In principle the MTU of many of these connections should be 1500
> bytes, but in practice it is often in the region of 1400...
Only Ethernet has an MTU of 1500. For PPPoE it's usually 1492 and the
*required* MTU size that must be supported by a TCP/IP stack is as low as 576
(IIRC). So anything between may happen on the packet's way through the
Internet.
>
> Many Ipsec tunnels also have a restriction in MTU size, which will only
> serve to compound the problem, normally, however, the TCP stack will use an
> ICMP mtu resize packet to inform each end that the MTU is too large and ask
> for a re-negotiate.
While this is correct, unfortunately the 2.6er IPSec stack does not support
PMTU (yet).
> This will usually resolve the MTU problem, however, if
> your source, destination (Ipsec) or any other inline device (Normal
> network) has all ICMP packets blocked then this normal process will not
> work. In the latter case the only solution is to manually reduce the MTU
> size of either end of the VPN.
That's my experience, too.
You may also try to set the MTU size based on the destination using the
iproute2 utility.
    ip route add x.x.x.x via y.y.y.y mtu 1400
Something like this should set the mtu for packets to x.x.x.x via gateway
y.y.y.y to 1400. The exact parameters may be slightly different.
HTH,
Rolf
--
Rolf Offermanns <roffermanns at sysgo.com>
SYSGO AG Tel.: +49-6136-9948-0
Am Pfaffenstein 14 Fax: +49-6136-9948-10
55270 Klein-Winternheim http://www.sysgo.com