[Openswan Users]
PMTU discovery problem, ICMP "need to fragment" messages originate
from wrong IP
Henning Holtschneider
henning at loca.net
Thu Mar 17 11:49:20 CET 2005
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi,
I'm running a VPN using Freeswan and Openswan. The setup looks like this:
    LAN 1 (private address space)
      |
    Firewall 1 running Debian Sarge, Kernel 2.6.8, native IPsec stack, Openswan 2.3.0
      |
    Internet
      |
    Firewall 2 running SuSE Linux 7, Kernel 2.2.19, Freeswan 1.97 with X.509 patch
      |
    LAN 2 (private address space)
Establishing the connection between the two firewall machines works fine. I
can ping and send small packets from LAN 1 to LAN 2 and vice versa just fine.
But if the packages coming from LAN 2 are too big to fit through Firewall 1's
internet link, Firewall 1 will send ICMP unreachable (need to fragment)
messages back to LAN 1. According to tcpdump, the source address of the ICMP
packet is the public IP address of Firewall 1 and the destination address is
the private IP address on LAN 2. Thus, the ICMP unreachable messages don't
get through and PMTU discovery fails.
Is this a problem with my firewall rules on Firewall 1 (the problem also
occurs if iptables rules are turned off on the machine)? Is this a bug in the
kernel IPsec stack? Is this behaviour "by design"? Am I misunderstanding PMTU
discovery? I don't have that problem if I use KLIPS on both ends of the
connection which provides an ipsec0 virtual interface and thus seems to send
the ICMP messages correctly. Unfortunately, I couldn't tcpdump that case. Any
help would be appreciated!
Best regards,
Henning Holtschneider
- --
LocaNet oHG - http://www.loca.net
Lindemannstrasse 81, D-44137 Dortmund
tel +49 231 91596-25, fax +49 231 91596-55
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)
iEYEARECAAYFAkI5YLMACgkQP9goCV2uudeExQCeNbcjig4RhD92tg20up4lN1/f
RXgAnRcGdJ3hBAVKafSpDI/2b9hNRB5y
=dd1c
-----END PGP SIGNATURE-----
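The failure described in the post can be spotted directly in a capture: an ICMP "need to frag" message addressed to a host behind the tunnel whose source address does not fall inside the tunnel's subnet policy will never be encapsulated, so the far-side host never learns the smaller MTU. The following is an added diagnostic example, not code from the original post or from Openswan/Freeswan. It parses lines in tcpdump's ICMP output style and flags such messages against an assumed LAN1/LAN2 policy. The subnets 10.1.0.0/24 and 10.2.0.0/24, the addresses, and the sample lines are all constructed for the example.

```python
import ipaddress
import re
from dataclasses import dataclass

# Assumed tunnel policy for the example (not from the post):
# LAN 1 sits behind Firewall 1, LAN 2 behind Firewall 2.
LAN1 = ipaddress.ip_network("10.1.0.0/24")
LAN2 = ipaddress.ip_network("10.2.0.0/24")

# Constructed sample lines in tcpdump's ICMP output style (not a real capture).
# Line 1: frag-needed sourced from Firewall 1's public address (the post's symptom).
# Line 2: frag-needed sourced from an address inside LAN 1 (would match the policy).
# Line 3: an unrelated oversized echo request, ignored by the parser.
SAMPLE_TCPDUMP = """\
11:49:20.101 IP 203.0.113.10 > 10.2.0.5: ICMP 10.1.0.7 unreachable - need to frag (mtu 1400), length 56
11:49:21.202 IP 10.1.0.1 > 10.2.0.5: ICMP 10.1.0.7 unreachable - need to frag (mtu 1400), length 56
11:49:22.303 IP 10.2.0.5 > 10.1.0.7: ICMP echo request, id 1, seq 1, length 1480
"""

# Matches tcpdump's rendering of ICMP type 3 code 4 (destination unreachable,
# fragmentation needed), including the advertised next-hop MTU.
FRAG_NEEDED = re.compile(
    r"IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): ICMP (?P<orig>[\d.]+) unreachable"
    r" - need to frag \(mtu (?P<mtu>\d+)\)"
)


@dataclass
class FragNeeded:
    src: str           # source address of the ICMP message itself
    dst: str           # host being told to send smaller packets
    original_dst: str  # destination of the oversized packet that triggered it
    mtu: int           # next-hop MTU advertised in the ICMP message


def parse_frag_needed(text: str) -> list[FragNeeded]:
    """Extract every 'need to frag' line from tcpdump-style text."""
    found = []
    for line in text.splitlines():
        m = FRAG_NEEDED.search(line)
        if m:
            found.append(FragNeeded(m["src"], m["dst"], m["orig"], int(m["mtu"])))
    return found


def matches_tunnel_policy(src: str, dst: str) -> bool:
    """True if a src -> dst packet is selected by the LAN1 <-> LAN2 IPsec policy.

    Only packets whose addresses match the policy are encapsulated; anything
    else is routed in the clear (or dropped) and never reaches the far LAN.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return (s in LAN1 and d in LAN2) or (s in LAN2 and d in LAN1)


def find_misrouted(text: str) -> list[FragNeeded]:
    """Frag-needed messages aimed at a tunnelled host but sourced outside the policy.

    These are the messages the post describes: the destination is a private
    address on the far LAN, yet the source is the firewall's public address,
    so the message is never carried through the tunnel and PMTU discovery stalls.
    """
    return [f for f in parse_frag_needed(text)
            if not matches_tunnel_policy(f.src, f.dst)]


if __name__ == "__main__":
    for f in find_misrouted(SAMPLE_TCPDUMP):
        print(f"frag-needed from {f.src} to {f.dst} (mtu {f.mtu}) will not "
              f"traverse the tunnel; {f.dst} keeps sending oversized packets "
              f"to {f.original_dst}")
```

Run against a real capture by feeding `tcpdump -n icmp` output to `find_misrouted`, with `LAN1`/`LAN2` set to the actual leftsubnet/rightsubnet of the connection. A hit confirms the symptom in the post (ICMP generated with the outer address rather than an address covered by the policy) and separates it from an ordinary firewall-rule problem, which would drop the message regardless of its source.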