[Openswan Users] packets freeze

jef peeraer jef.peeraer at pandora.be
Mon Feb 21 21:06:08 CET 2005


On Monday 21 February 2005 12:42, Rolf Offermanns wrote:
> On Monday 21 February 2005 12:24, Paul Overton wrote:
> > Jef,
> >
> > I have seen this a number of times, particularly with ADSL and Wireless
> > networks. In principle the MTU of many of these connections should be
> > 1500 bytes, but in practice it is often in the region of 1400...
>
> Only Ethernet has an MTU of 1500. For pppoe it's usually 1492 and the
> *required* MTU size that must be supported by a TCP/IP stack is as low as
> 576 (IIRC). So anything between may happen on the packet's way through the
> Internet.
I remember seeing an MTU of around 16000 on the old ipsec interfaces of
freeswan. Strange thing is, that is the same limit of the size of the packets
that I can ping now, with openswan.
>
> > Many Ipsec tunnels also have a restriction in MTU size, which will only
> > serve to compound the problem. Normally, however, the TCP stack will use
> > an ICMP mtu resize packet to inform each end that the MTU is too large and
> > ask for a re-negotiate.
>
> While this is correct, unfortunately the 2.6er IPSec stack does not support
> PMTU (yet).
>
> > This will usually resolve the MTU problem, however, if
> > your source, destination (Ipsec) or any other inline device (Normal
> > network) has all ICMP packets blocked then this normal process will not
> > work. In the latter case the only solution is to manually reduce the MTU
> > size of either end of the VPN.
>
> That's my experience, too.
> You may also try to set the MTU size based on the destination using the
> iproute2 utility.
>
> ip route add x.x.x.x via y.y.y.y mtu 1400
>
> Something like this should set the mtu for packets to x.x.x.x via gateway
> y.y.y.y to 1400. The exact parameters may be slightly different.
>
> HTH,
> Rolf
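
The thread suggests lowering the MTU by hand when ICMP is filtered; the sketch below is an added example (not part of the original messages) that finds the value to use by binary-searching the largest don't-fragment ping that still gets a reply. It assumes IPv4 and Linux iputils `ping`; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: find the largest IPv4 MTU that survives the path to a host,
# for use as the value in "ip route add x.x.x.x via y.y.y.y mtu N".

# probe_df_ping HOST PAYLOAD: succeeds if one ICMP echo carrying PAYLOAD bytes
# with the don't-fragment bit set is answered within one second.
# Assumes Linux iputils ping (-M do forbids fragmentation).
probe_df_ping() {
    ping -M do -c 1 -W 1 -s "$2" "$1" >/dev/null 2>&1
}

# find_path_mtu HOST [PROBE_FN] [LOW_MTU] [HIGH_MTU]
# Prints the largest MTU in [LOW_MTU, HIGH_MTU] whose probe succeeds.
# Returns 1 if even LOW_MTU fails (host down or echo filtered).
# A silently dropped oversize packet counts as a failure, so this also works
# when the ICMP "fragmentation needed" replies are blocked on the path.
find_path_mtu() {
    local host="$1" probe="${2:-probe_df_ping}" lo="${3:-576}" hi="${4:-1500}"
    local overhead=28 mid   # 20-byte IPv4 header + 8-byte ICMP header

    "$probe" "$host" $((lo - overhead)) || return 1

    # Invariant: an MTU of $lo passes; nothing above $hi is a candidate.
    while [ "$lo" -lt "$hi" ]; do
        mid=$(( (lo + hi + 1) / 2 ))
        if "$probe" "$host" $((mid - overhead)); then
            lo=$mid
        else
            hi=$((mid - 1))
        fi
    done
    echo "$lo"
}

# Run directly with a host argument, e.g.: sh pmtu.sh 192.0.2.10
if [ -n "${1:-}" ]; then
    find_path_mtu "$1" || echo "no reply even at the minimum size" >&2
fi
```

A single lost packet reads as "too big", so on a lossy link repeat the run and take the highest consistent result.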

