[Openswan Users] Probelm with host reachability when
ipsectunnelis operational
Greg McGuire
greg at greganem.com
Fri Jul 22 15:04:07 CEST 2005
An update:
I was able to get everything working properly by backing off to
kernel 2.4.27 and using KLIPS instead. On Debian you need to apt-get
and compile the openswan-module-source (as I'm sure you all know).
This works quite well. I guess this is one reason to choose KLIPS
over NETKEY at the moment, if you happen to have a hub/spoke routing
configuration like this.
Regards,
Greg
On Jul 21, 2005, at 3:05 PM, Gömöri Zoltán wrote:
> Hi Greg,
>
>
>> Yes, I believe you are right; I've determined essentially the same
>> thing: the ipsec tunnel is not ignoring the local subnet when it
>> grabs packets to send down the tunnel: everything in
>> 10.0.0.0/8 gets
>> caught, instead of 10.0.0.0/8 minus 10.x.0.0/16 (the local subnet).
>> I know there must be a way around this that doesn't involve patching
>> netfilter, although I'll give that a try if nobody else has a
>> suggestion for a simpler fix in openswan.
>>
>
> If you want I can give you a simpler fix, but I was not satisfied
> with it.
> Lower the MTU size on all of the machines on the remote site to
> 1444 bytes.
> The result of the behaviour sending packets originated on the local
> ip of
> the remote gateway is breaking the PMTU discovery procedure.
> I discovered this in the following setup:
> I have an XP machine on the remote site. I was connecting this machine
> from the central site with RDP. I was geting an empty blue screen
> on the
> RDP client and after a few minutes it disconnected.
> I checked the logs and found that the connection went correctly until
> the XP on the remote site started to send 1500byte packets with DF
> bit set.
> The remote gateway responded to the packets with ICMP type 3 code 4
> packet
> indicating to lower the packet size or switch of the DF bit.
> This ICMP packet NEVER arrive to the XP machine because the packet
> sent into
> the tunnel and not to the local subnet.
>
> The MTU size setting is an other workaround and not the solution.
> I continously waiting for the solution. :-(
>
> Zoltan
>
>
> _______________________________________________
> Users mailing list
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
>
More information about the Users
mailing list