[Openswan Users] Some kind of fragmentation or MTU problem

Robin Cornelius robin at cornelius.demon.co.uk
Thu Jun 16 20:27:20 CEST 2005

Hi Guys, having a problem on Debian Sarge with openswan (sarge's 2.6.8 kernel 
and Debian's openswan 2.2.0)

My set up is like this ->

my PC (real internet address)			        |-------- 
x.x.x.x					     (adsl)		| 
	       (internet)	        			(VPN) is the VPN server. So there is a tunnel from "My pc" to Or in case two MY PC is behind a NAT. 

Either way I can create a tunnel from my pc to, I can ping with my pc being either debian/openswan or winXP.

I can access everything on and the rest of the subnet no 
problems but if I try to access anything real on it breaks.

I.e. I can access http/pop3/smb on but NOT on The 
connections just hang. Ping results for are interesting however:

ping -s 30000  (all OK)

debian:/home/robin# ping -s 40000
PING ( 40000(40028) bytes of data.
40008 bytes from icmp_seq=1 ttl=64 time=2855 ms
40008 bytes from icmp_seq=3 ttl=64 time=2831 ms
40008 bytes from icmp_seq=4 ttl=64 time=3340 ms
40008 bytes from icmp_seq=8 ttl=64 time=2864 ms

or nothing at all.

If I ssh to and try dmesg it locks the terminal. BUT if I ssh to THEN to it is OK.

This implies an MTU type problem, BUT I can't change the mtu! The mtu on's eth0 interface is 1400, if this is at the standard 1500 then 
access to the subnet (eg breaks, which is understandable. If I 
reduce the mtu further then I also limit the size of the ESP packets and hence 
always have an MTU problem for direct access to

What can I do?

Can iptables clamping rules help me here?

Can I force the MTU somehow? I don't have a physical interface to set on as that IS the tunnel endpoint.

Any ideas gratefully received

Many thanks

Robin Cornelius
robin at cornelius.demon.co.uk
GPG Key ID: 0x729A79A23B7EE764