[Openswan Users] Problem with host reachability when ipsec tunnel is operational

Gömöri Zoltán suf at freemail.hu
Thu Jul 21 23:05:02 CEST 2005

Hi Greg,

> Yes, I believe you are right; I've determined essentially the same  
> thing:  the ipsec tunnel is not ignoring the local subnet when it  
> grabs packets to send down the tunnel:  everything in 
> gets  
> caught, instead of minus 10.x.0.0/16 (the local subnet).   
> I know there must be a way around this that doesn't involve patching  
> netfilter, although I'll give that a try if nobody else has a  
> suggestion for a simpler fix in openswan.

If you want I can give you a simpler fix, but I was not satisfied with it.
Lower the MTU size on all of the machines on the remote site to 1444 bytes.
The result of this behaviour with packets originating from the local IP of
the remote gateway is that it breaks the PMTU discovery procedure.
I discovered this in the following setup:
I have an XP machine on the remote site. I was connecting to this machine
from the central site with RDP. I was getting an empty blue screen in the
RDP client and after a few minutes it disconnected.
I checked the logs and found that the connection went correctly until
the XP on the remote site started to send 1500-byte packets with the DF bit set.
The remote gateway responded to the packets with an ICMP type 3 code 4 packet
indicating to lower the packet size or switch off the DF bit.
This ICMP packet NEVER arrives at the XP machine because the packet is sent into
the tunnel and not to the local subnet.

The MTU size setting is another workaround and not the solution.
I am continuously waiting for the solution. :-(
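As an added illustration, not code from this thread or from openswan: a small Python model of the policy lookup the message describes, showing why the gateway's ICMP "fragmentation needed" reply is swallowed by the tunnel and how a more specific entry for the local subnet lets it reach the XP host. All addresses and prefixes are constructed placeholders, and the "passthrough" entry only sketches the shape of a fix, not a tested openswan configuration.

```python
# Added example (not from the original thread): models the SPD lookup the
# message describes. Addresses/prefixes are constructed, not values from the list.
import ipaddress
from typing import List, Optional, Tuple

# An IPsec policy entry: (source selector, destination selector, action).
Policy = Tuple[ipaddress.IPv4Network, ipaddress.IPv4Network, str]

LOCAL_SUBNET = ipaddress.ip_network("10.1.0.0/16")  # constructed: remote site LAN
GATEWAY_IP = ipaddress.ip_address("10.1.0.1")       # constructed: remote gateway's LAN address
XP_HOST = ipaddress.ip_address("10.1.0.50")         # constructed: the XP RDP server
CENTRAL_HOST = ipaddress.ip_address("10.2.0.10")    # constructed: RDP client at central site
TUNNEL_MTU = 1444  # figure quoted in the message: 1500 minus the ESP encapsulation overhead

# Broken setup: one tunnel policy for the whole supernet, the local LAN is not excluded.
BROKEN_SPD: List[Policy] = [
    (ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("10.0.0.0/8"), "tunnel"),
]

# Sketch of a fix: a more specific entry keeps LAN-to-LAN traffic out of the tunnel.
FIXED_SPD: List[Policy] = [
    (LOCAL_SUBNET, LOCAL_SUBNET, "passthrough"),
    (ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("10.0.0.0/8"), "tunnel"),
]


def lookup(spd: List[Policy], src, dst) -> str:
    """Most specific matching entry (longest combined prefix) wins; no match means plain routing."""
    best: Optional[Policy] = None
    for pol in spd:
        s, d, _ = pol
        if src in s and dst in d:
            if best is None or s.prefixlen + d.prefixlen > best[0].prefixlen + best[1].prefixlen:
                best = pol
    return best[2] if best else "passthrough"


def forward(spd: List[Policy], src, dst, size: int, df: bool) -> Tuple[str, str]:
    """Gateway handling of a LAN packet: forward it, or, if it has DF set and does not
    fit the tunnel, answer with ICMP type 3 code 4 and report where that answer goes."""
    action = lookup(spd, src, dst)
    if action == "tunnel" and df and size > TUNNEL_MTU:
        # The ICMP reply is a new packet from the gateway's own address back to the
        # sender, so it is subject to the same policy lookup as any other packet.
        return ("icmp-frag-needed", lookup(spd, GATEWAY_IP, src))
    return ("forwarded", action)
```

With the broken policy the ICMP reply is classified "tunnel", which is the lost packet the message describes; with the extra local-subnet entry it is delivered on the LAN and PMTU discovery can complete.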


