[Openswan Users] Extruded subnet problem
paul at xelerance.com
Fri Jun 24 23:40:50 CEST 2005
On Fri, 24 Jun 2005, Gömöri Zoltán wrote:
> When I start the vpn connection, I can't even ping the right gateway
> internal ethernet connection (eth1 10.15.14.1) from the right subnet, but I
> can ping the machines in the various subnets from the right subnet. It's not
Either add a host-subnet and subnet-host connection to your subnet-subnet connection,
or specify the local IP of the servers using left/rightsourceip=
> the major problem, but when I try to connect with an RDP client a Windows XP
> in the right subnet from any of the right subnets, I get an empty blue
> screen and it drops the connection after a while. When I generated some logs
> I realized what was happening. After the connection request the Windows XP in
> the right side sent a 1500 byte length packet, the right gateway responded
> with an ICMP type 3 code 4 packet directing the XP machine to send 1444 byte
> packet as maximum (1500 byte - 56 byte IPSEC header), but this packet never
> reached the XP machine because the right gateway sent this packet thru the
> tunnel instead of the right subnet.
> The two related routes from the routing table:
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> 10.15.14.0      *               255.255.255.0   U     0      0        0 eth1
> 10.0.0.0        m.n.o.p         255.0.0.0       UG    0      0        0 eth0
> If I'm correct the first route has to have priority over the second one, but
> the packets do not travel according to this.
You are using NETKEY, which grabs the packet somewhere deep in the packet pie,
and releases it somewhere else in the packet pie.
You can either try to lower the MTU on the Windows machines, or you can try
to run Herbert Xu's patch, which addresses this issue by disabling some of the
PMTU functionality and still needs to be incorporated into CVS.
See http://bugs.xelerance.com/view.php?id=344 for the patch. I would be
interested to know if this patch fixes your problem.
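As an added example (not code from this thread or from Openswan), the Python below reproduces the PMTU exchange described above: it builds the ICMP type 3 code 4 ("fragmentation needed") message the gateway emits per RFC 1191, parses it the way the XP host's PMTUD code would, and works out how large an inner packet can fit in a 1500-byte path once ESP tunnel-mode overhead is added. It also runs the poster's two routes through a plain longest-prefix match to show that, as the poster expects, a packet back to the 10.15.14.0/24 host should leave via eth1; the reply above explains that NETKEY's xfrm processing, not the routing table, is what diverts it. The host addresses 10.15.14.50 and 10.1.2.3, and the ESP parameters (AES-CBC with a 16-byte IV, HMAC-SHA1-96), are assumptions; the thread does not say which cipher was in use. Note that 1500 - 56 = 1444 is exactly the fixed part of that overhead (20 outer IP + 8 SPI/sequence + 16 IV + 12 ICV) before block padding, which is one plausible reading of the 56-byte figure, though the thread does not confirm it.

```python
"""Added example, not from the original thread or Openswan.

Builds and parses the ICMP "fragmentation needed" message from the
thread, computes the inner-packet size that fits under ESP tunnel-mode
overhead, and does a longest-prefix-match over the poster's two routes.
Addresses and ESP parameters below are constructed assumptions.
"""
import ipaddress
import struct

ICMP_DEST_UNREACH = 3
ICMP_FRAG_NEEDED = 4

# Routing table quoted in the thread; "m.n.o.p" is the poster's own placeholder.
ROUTES = [
    (ipaddress.ip_network("10.15.14.0/24"), None, "eth1"),
    (ipaddress.ip_network("10.0.0.0/8"), "m.n.o.p", "eth0"),
]


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (0 when verifying a good packet)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, total_len: int, proto: int = 6, ttl: int = 128) -> bytes:
    """Minimal 20-byte IPv4 header with DF set, as a PMTUD-capable host sends."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def build_frag_needed(next_hop_mtu: int, offending_packet: bytes) -> bytes:
    """ICMP type 3 code 4 (RFC 1191): next-hop MTU in the low 16 bits of the
    second word, then the offending IP header plus 8 bytes of its payload."""
    body = struct.pack("!BBHHH", ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, 0, 0, next_hop_mtu)
    body += offending_packet[:28]
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]


def parse_frag_needed(icmp: bytes) -> dict:
    """Fields a host's PMTUD code reads from the message, after validating it."""
    if len(icmp) < 8 + 28:
        raise ValueError("truncated ICMP message")
    if inet_checksum(icmp) != 0:
        raise ValueError("bad ICMP checksum")
    typ, code, _csum, _unused, mtu = struct.unpack("!BBHHH", icmp[:8])
    if (typ, code) != (ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED):
        raise ValueError("not a fragmentation-needed message")
    quoted = icmp[8:36]
    return {
        "next_hop_mtu": mtu,
        "orig_len": struct.unpack("!H", quoted[2:4])[0],
        "orig_src": str(ipaddress.IPv4Address(quoted[12:16])),
        "orig_dst": str(ipaddress.IPv4Address(quoted[16:20])),
    }


def max_inner_packet(outer_mtu: int, block: int, iv_len: int, icv_len: int) -> int:
    """Largest inner IPv4 packet fitting in outer_mtu after ESP tunnel-mode
    encapsulation: 20 outer IP + 8 SPI/seq + IV + [inner + pad + 2] + ICV,
    with the bracketed region padded to the cipher block size (RFC 4303
    layout; a given kernel may round more conservatively)."""
    room = outer_mtu - (20 + 8 + iv_len + icv_len)
    room -= room % block
    return room - 2


def route_lookup(dst: str):
    """Plain longest-prefix match, which is what the poster expects to decide the path."""
    addr = ipaddress.IPv4Address(dst)
    best = None
    for net, gw, dev in ROUTES:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, dev)
    return best


def simulate(outer_mtu: int = 1500, block: int = 16, iv_len: int = 16, icv_len: int = 12):
    """XP host sends a full-size DF packet; the gateway answers with frag-needed;
    return what the host would learn and the interface the reply should use."""
    xp, peer = "10.15.14.50", "10.1.2.3"  # constructed addresses
    big = ipv4_header(xp, peer, outer_mtu) + b"\x00" * (outer_mtu - 20)
    advertised = max_inner_packet(outer_mtu, block, iv_len, icv_len)
    info = parse_frag_needed(build_frag_needed(advertised, big))
    _net, _gw, dev = route_lookup(info["orig_src"])
    return info, dev


if __name__ == "__main__":
    print(simulate())
    print("3DES-CBC/HMAC-SHA1-96 inner max:", max_inner_packet(1500, 8, 8, 12))
```

The number that matters to the XP host is the one in the ICMP message, so the check a practitioner wants is whether that message reaches the host at all; capturing on eth1 for ICMP type 3 code 4 toward the client while repeating the RDP attempt is the quickest way to confirm the symptom the poster describes.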