[Openswan Users] ping works but others applications don't

Paul Wouters paul at xelerance.com
Thu Jan 27 20:22:42 CET 2005

On Thu, 27 Jan 2005, RITTER, Philippe wrote:

> My client is a WinXP. I can open the vpn and ping a remote host in my net,
> and also with a size from 8192 bytes. I get them back.

Try changing the mtu on the windows box:

Lower the mtu to 1400.

> in my kern.log:
> kernel: pmtu discovery on SA ESP/1f0c6ebb/534c0433
> last message repeated 4 times

Oh good, it logs the message now. I wonder if the kernel people are now working on
implementing pmtu for ipsec. I really hope so....

On the openswan gateway you can try:

iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS  --clamp-mss-to-pmtu

Or if that fails:

iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1440

Or try using KLIPS instead of NETKEY (but KLIPS currently does not have NAT-T on the
2.6 kernel)


More information about the Users mailing list