[Openswan Users] Probelm with host reachability when ipsectunnelis operational

Greg McGuire greg at greganem.com
Fri Jul 22 15:04:07 CEST 2005

An update:

I was able to get everything working properly by backing off to  
kernel 2.4.27 and using KLIPS instead.  On Debian you need to apt-get  
and compile the openswan-module-source (as I'm sure you all know).   
This works quite well.  I guess this is one reason to choose KLIPS  
over NETKEY at the moment, if you happen to have a hub/spoke routing  
configuration like this.


On Jul 21, 2005, at 3:05 PM, Gömöri Zoltán wrote:

> Hi Greg,
>> Yes, I believe you are right; I've determined essentially the same
>> thing:  the ipsec tunnel is not ignoring the local subnet when it
>> grabs packets to send down the tunnel:  everything in
>> gets
>> caught, instead of minus 10.x.0.0/16 (the local subnet).
>> I know there must be a way around this that doesn't involve patching
>> netfilter, although I'll give that a try if nobody else has a
>> suggestion for a simpler fix in openswan.
> If you want I can give you a simpler fix, but I was not satisfied  
> with it.
> Lower the MTU size on all of the machines on the remote site to  
> 1444 bytes.
> The result of the behaviour sending packets originated on the local  
> ip of
> the remote gateway is breaking the PMTU discovery procedure.
> I discovered this in the following setup:
> I have an XP machine on the remote site. I was connecting this machine
> from the central site with RDP. I was geting an empty blue screen  
> on the
> RDP client and after a few minutes it disconnected.
> I checked the logs and found that the connection went correctly until
> the XP on the remote site started to send 1500byte packets with DF  
> bit set.
> The remote gateway responded to the packets with ICMP type 3 code 4  
> packet
> indicating to lower the packet size or switch of the DF bit.
> This ICMP packet NEVER arrive to the XP machine because the packet  
> sent into
> the tunnel and not to the local subnet.
> The MTU size setting is an other workaround and not the solution.
> I continously waiting for the solution. :-(
> Zoltan
> _______________________________________________
> Users mailing list
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users

More information about the Users mailing list