[Openswan Users] ping works but others applications don't

Paul Wouters paul at xelerance.com
Thu Jan 27 20:22:42 CET 2005


On Thu, 27 Jan 2005, RITTER, Philippe wrote:

> My client is a WinXP. I can open the vpn and ping a remote host in my net,
> and also with a size of 8192 bytes. I get them back.

Try changing the mtu on the windows box:
http://www.winguides.com/registry/display.php/280/

Lower the mtu to 1400.

> in my kern.log:
> kernel: pmtu discovery on SA ESP/1f0c6ebb/534c0433
> last message repeated 4 times

Oh good, it logs the message now. I wonder if the kernel people are now working on
implementing pmtu for ipsec. I really hope so....

On the openswan gateway you can try:

iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

Or if that fails:

iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1440

Or try using KLIPS instead of NETKEY (but KLIPS currently does not have NAT-T on the
2.6 kernel)

Paul
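
As an added illustration, not part of the original thread or of netfilter itself, this Python sketch does what the TCPMSS target above does to a SYN crossing the FORWARD chain: match SYN-without-RST, walk the TCP option list, lower an oversized MSS option, and recompute the checksum. The addresses, ports and MSS values are constructed; the 1400-byte path MTU is the one suggested in the reply.

```python
import struct

IPV4_HDR, TCP_HDR = 20, 20           # fixed header sizes (IPv4, TCP without options)
SYN, RST = 0x02, 0x04                # TCP flag bits
OPT_END, OPT_NOP, OPT_MSS = 0, 1, 2  # TCP option kinds

def mss_for_path_mtu(path_mtu):
    """Largest MSS a SYN may carry so that segments fit path_mtu (what --clamp-mss-to-pmtu derives)."""
    return path_mtu - IPV4_HDR - TCP_HDR

def tcp_checksum(src_ip, dst_ip, segment):
    """RFC 793 one's-complement checksum over the IPv4 pseudo-header plus the TCP segment."""
    data = src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(segment)) + segment
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_syn(src_ip, dst_ip, mss):
    """Constructed TCP SYN (src port 40000, dst port 80) advertising the given MSS option."""
    opts = struct.pack("!BBH", OPT_MSS, 4, mss)                 # 4-byte option keeps header aligned
    hdr = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 6 << 4, SYN, 65535, 0, 0) + opts
    return hdr[:16] + struct.pack("!H", tcp_checksum(src_ip, dst_ip, hdr)) + hdr[18:]

def clamp_syn_mss(src_ip, dst_ip, segment, max_mss):
    """Lower the MSS option of a SYN to max_mss and fix the checksum; anything else passes unchanged."""
    flags = segment[13]
    if not (flags & SYN) or (flags & RST):    # same match as --tcp-flags SYN,RST SYN
        return segment
    seg = bytearray(segment)
    i, end = TCP_HDR, (seg[12] >> 4) * 4      # options sit between the fixed header and the data offset
    while i < end:
        kind = seg[i]
        if kind == OPT_END:
            break
        if kind == OPT_NOP:
            i += 1
            continue
        length = seg[i + 1]
        if kind == OPT_MSS and length == 4:
            if struct.unpack_from("!H", seg, i + 2)[0] > max_mss:
                struct.pack_into("!H", seg, i + 2, max_mss)
            break
        i += length
    struct.pack_into("!H", seg, 16, 0)        # zero the checksum field before recomputing it
    struct.pack_into("!H", seg, 16, tcp_checksum(src_ip, dst_ip, bytes(seg)))
    return bytes(seg)
```

A segment whose checksum is valid sums to zero under tcp_checksum, which is a convenient way to confirm the rewrite left the header consistent.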

