[Openswan Users] ping works but others applications don't
phr at cdm.smis.ch
Thu Jan 27 19:58:33 CET 2005
Hello all on the list,
I'm having the same problem. I have a Debian sarge 2.6.9 and openswan
My client is a WinXP. I can open the vpn and ping a remote host in my net,
and also with a size of 8192 bytes. I get them back.
But if I try to use WinVNC or another big application (Outlook), I get this
in my kern.log:
kernel: pmtu discovery on SA ESP/1f0c6ebb/534c0433
last message repeated 4 times
Is this normal? I don't understand what I have to change about PMTU. Can
someone help me?
Thanks in advance!
From: Paulo Ricardo Bruck
To: users at openswan.org
Date: 27.01.05 16:46
Subject: Re: [Openswan Users] ping works but others applications don't
On Wed, 2005-01-26 at 13:12 +0100, Paul Wouters wrote:
> On Tue, 25 Jan 2005, Glover George wrote:
> > Hi, I get the same problem as well, but most people write it off as
> > mtu problems. I have exactly the same symptoms, just on fedora core
> > 3. There must be some step missing from the documentation that
> > everyone else "knows" about. When you perform the ping and it comes
> > back, but nothing else does, ....do you see "any" replies coming
> > to the machine on the original subnet? Although nothing other than
> > ping works for me, I do see some packet replies (with tcpdump on the
> > original sending machine) come all the way back, but can't figure
> > why the applications aren't seeing it.
> - Make sure the xfrm4_tunnel kernel module is loaded, or disable
> - overridemtu= is not supported for NETKEY
ok disabling overridemtu
ok disabling compression
> - PMTU is not supported by NETKEY, you can try tcpmss clamping.
you mean :
This matches the TCP MSS (maximum segment size) field of the TCP
You can only use this on TCP SYN or SYN/ACK packets, since the
only negotiated during the TCP handshake at connection startup
[!] --mss value[:value]"
Match a given TCP MSS value or range.
> - Try KLIPS instead of NETKEY if you have these problems. Do not use
> kernel sources for this, since one of their patches causes KLIPS to
> your machine. We have not yet pinned this change down.
> Indeed, this question has come to this list for many times since
> serious usage as a result of Openswan being included into Fedora Core.
Hi Paul, Glover and list
There is something strange because I can see packets coming and going from
both machines but I can't, using lynx for example on another LAN, see
any page from my desktop w/ apache ....
I don't use fedora. I use debian sarge + openswan.
Thanks in advance
Paulo Ricardo Bruck - consultant
Contato Global Solutions
tel 011 5031-4932 fone/fax 011 5034-1732 cel 011 9235-4327
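
The MSS clamping suggested in the thread needs a concrete value, so the following added example (not part of any message in this thread, and not Openswan code) computes the largest TCP MSS that still fits inside an ESP tunnel-mode packet and prints a matching iptables TCPMSS rule. The cipher parameters, the 12-byte ICV, the 1500-byte path MTU and the choice of the FORWARD chain are assumptions; the thread does not state them.

```python
# Added example: ESP tunnel-mode overhead and the TCP MSS that fits inside it.
# Cipher, ICV length and path MTU are assumptions, not values from the thread.

IP_HDR = 20       # IPv4 header without options
TCP_HDR = 20      # TCP header without options
ESP_HDR = 8       # SPI (4 bytes) + sequence number (4 bytes)
ESP_TRAILER = 2   # pad length (1 byte) + next header (1 byte)
NATT_UDP = 8      # extra UDP header when NAT traversal encapsulation is used

# cipher name -> (IV length, block size), both in bytes
CIPHERS = {"3des-cbc": (8, 8), "aes-cbc": (16, 16)}


def max_inner_packet(path_mtu, cipher, icv_len=12, nat_t=False):
    """Largest inner IP packet whose ESP tunnel-mode packet fits path_mtu."""
    iv_len, block = CIPHERS[cipher]
    fixed = IP_HDR + ESP_HDR + iv_len + icv_len + (NATT_UDP if nat_t else 0)
    room = path_mtu - fixed      # bytes left for the encrypted part
    room -= room % block         # ciphertext is a whole number of blocks
    return room - ESP_TRAILER    # trailer bytes are encrypted too


def clamp_mss(path_mtu, cipher, icv_len=12, nat_t=False):
    """TCP MSS so a full segment needs no fragmentation inside the tunnel."""
    inner = max_inner_packet(path_mtu, cipher, icv_len, nat_t)
    return inner - IP_HDR - TCP_HDR


def clamp_rule(mss):
    """iptables rule that rewrites the MSS option on forwarded SYN packets."""
    return ("iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN "
            f"-j TCPMSS --set-mss {mss}")


if __name__ == "__main__":
    # Constructed scenarios: 1500-byte path MTU, HMAC-96 integrity (12 bytes).
    for cipher, nat_t in [("3des-cbc", False), ("aes-cbc", False),
                          ("aes-cbc", True)]:
        mss = clamp_mss(1500, cipher, nat_t=nat_t)
        print(f"{cipher:9} nat_t={nat_t!s:5} mss={mss}")
        print("  " + clamp_rule(mss))
```
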