[Openswan Users] Extruded subnet problem

[Paul Wouters]

On Fri, 24 Jun 2005, [iso-8859-2] Gömöri Zoltán wrote:

> When I start the vpn connection, I can't even ping the right gateway
> internal ethernet connection (eth1 10.15.14.1) from the right subnet, but I
> can ping the machines in the various subnets from the right subnet. It not

Either add a host-subnet and subnet-host connection to your subnet-subnet connection,
or specify the local IP of the servers using lefr/rightsourceip=

> the major problem, but when I try to connect with an RDP client a Windows XP
> in the right subnet from any of the right subnets, I get an empty blue
> screen and it drops the connection after a while. When I generated some logs
> I realized what happening. After the connection request the Windows XP in
> the right side sent an 1500 byte length packet, the right gateway responded
> with an ICMP type 3 code 4 packet directing the XP machine to send 1444 byte
> packet as maximum (1500 byte - 56 byte IPSEC header), but this packet never
> reached the XP machine because the right gateway sent this packet thru the
> tunnel instead of the right subnet.
> The two related routes from the routing table:
>
> Destination   Gateway   Genmask        Flags Metric Ref  Use Iface
> 10.15.14.0    *         255.255.255.0  U     0      0      0 eth1
> 10.0.0.0      m.n.o.p   255.0.0.0      UG    0      0      0 eth0
>
> If I'm correct the first route has to have priority over the second one, but
> the packets not travel according this.

You are using NETKEY, which grabs the packet somewhere deep in the packet pie,
and releases it somewhere else in the packet pie.

You can either try to lower the mtu on the Windows machines, or you can try
to run Herbert Xu's patch, which still needs to be incorporated into CVS
that addresses this issue by disabling some of the PMTU functionality.

See http://bugs.xelerance.com/view.php?id=344 for the patch. I would be
interested to know if this patch fixes your problem.

Paul