[Openswan Users] ping works but others applications don't

RITTER, Philippe phr at cdm.smis.ch
Thu Jan 27 19:58:33 CET 2005

Hello all on the list,

I'm having the same problem. I have a Debian sarge 2.6.9 and openswan

My client is a WinXP. I can open the vpn and ping a remote host in my net,
and also with a size from 8192 bytes. I get them back.

But if I try to use WinVNC or an other big application (Outlook), I get this
in my kern.log: 
kernel: pmtu discovery on SA ESP/1f0c6ebb/534c0433
last message repeated 4 times

I this normal ? I don't understand what I have to change about PMTU. Can
someone help me ?

Thanks in advance !

Best regards
Philippe RITTER
-----Message d'origine-----
De: Paulo Ricardo Bruck
A: users at openswan.org
Date: 27.01.05 16:46
Objet: Re: [Openswan Users] ping works but others applications don't

Em Qua, 2005-01-26 às 13:12 +0100, Paul Wouters escreveu:
> On Tue, 25 Jan 2005, Glover George wrote:
> > Hi, I get the same problem as well, but most people write it off ass
> > mtu problems.  I have exactly the same symptons, just on fedora core
> > 3.  There must be some step missing from the documentation that
> > everyone else "knows" about.  When you perform the ping and it comes
> > back, but nothing else does, ....do you see "any" replies coming
> > to the machine on the original subnet?  Although nothing other than
> > ping works for me, i do see some packet replies (with tcpdump on the
> > original sending machine) come all the way back, but can't figure
> > why the applications aren't seeing it.
> - Make sure the xfrm4_tunnel kernel module is loaded, or disable
> - overridemtu= is not supported for NETKEY

ok disabling overridemtu
ok disabling compression

> - PMTU is not supported by NETKEY, you can try tcpmiss clamping.
you mean :
       This matches the TCP MSS (maximum segment size) field of the TCP
       You  can  only  use this on TCP SYN or SYN/ACK packets, since the
MSS is
       only negotiated during the TCP handshake at connection startup

       [!] --mss value[:value]"
              Match a given TCP MSS value or range.

> - Try KLIPS instead of NETKEY if you have these problems. Do not use
>    kernel sources for this, since one of their patches causes KLIPS to
>    your machine. We have not yet pinned this change down.
> Indeed, this question has come to this list for many times since
> serious usage as a result of Openswan being included into Fedora Core.
> Paul

Hi Paul, Glover and list

There is something strange cause I can see packets coming and going from
both machines but I can't , using lynx for example at another lan , see
any page from My desktop w/ apache ....
I don't use fedora . I use debian sarge + openswan.

thanks in advanced

Paulo Ricardo Bruck - consultor
Contato Global Solutions
tel 011 5031-4932  fone/fax 011 5034-1732  cel 011 9235-4327

Users mailing list
Users at openswan.org

More information about the Users mailing list