[Openswan Users] PMTU discovery problem, ICMP "need to fragment" messages originate from wrong IP

Henning Holtschneider henning at loca.net
Thu Mar 17 11:49:20 CET 2005



I'm running a VPN using Freeswan and Openswan. The setup looks like this:

LAN 1 (private address space)
Firewall 1 running Debian Sarge, Kernel 2.6.8, native IPsec stack, Openswan 
Firewall 2 running SuSE Linux  7, Kernel 2.2.19, Freeswan 1.97 with X.509 
LAN 2 (private address space)

Establishing the connection between the two firewall machines works fine. I 
can ping and send small packets from LAN 1 to LAN 2 and vice versa just fine. 
But if the packets coming from LAN 2 are too big to fit through Firewall 1's 
internet link, Firewall 1 will send ICMP unreachable (need to fragment) 
messages back to LAN 1. According to tcpdump, the source address of the ICMP 
packet is the public IP address of Firewall 1 and the destination address is 
the private IP address on LAN 2. Thus, the ICMP unreachable messages don't 
get through and PMTU discovery fails.

Is this a problem with my firewall rules on Firewall 1 (the problem also 
occurs if iptables rules are turned off on the machine)? Is this a bug in the 
kernel IPsec stack? Is this behaviour "by design"? Am I misunderstanding PMTU 
discovery? I don't have that problem if I use KLIPS on both ends of the 
connection which provides an ipsec0 virtual interface and thus seems to send 
the ICMP messages correctly. Unfortunately, I couldn't tcpdump that case. Any 
help would be appreciated!

Best regards,
Henning Holtschneider
--
LocaNet oHG - http://www.loca.net
Lindemannstrasse 81, D-44137 Dortmund
tel +49 231 91596-25, fax +49 231 91596-55


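As an added example (not part of the original post, and not Openswan or kernel code), the following Python script builds the ICMP type 3 code 4 "fragmentation needed" message the post describes, parses it the way one would read it off a tcpdump capture, and checks whether the ICMP source and destination both fall inside a net-to-net IPsec policy. The addresses, the two /24 subnets, the next-hop MTU and the assumption that the tunnel policy covers only the two LAN subnets are all constructed for the illustration; the "bad" reply reproduces the symptom in the post (ICMP sourced from the public address, destined to a private address), the "good" reply uses an address inside the policy.

```python
import ipaddress
import struct

# Constructed addresses for this illustration; they are not the ones in the original post.
FW1_PUBLIC = "203.0.113.1"   # Firewall 1, internet side
FW1_LAN = "10.1.0.1"         # Firewall 1, LAN 1 side
LAN1 = ipaddress.ip_network("10.1.0.0/24")
LAN2 = ipaddress.ip_network("10.2.0.0/24")
TUNNELED = [LAN1, LAN2]      # assumed net-to-net policy: leftsubnet/rightsubnet of the conn


def checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement sum, as used by the IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header with DF set and a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000, 64, proto, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def frag_needed(src: str, dst: str, next_hop_mtu: int, offending: bytes) -> bytes:
    """ICMP type 3 code 4 (RFC 1191): quotes the IP header + 8 bytes of the packet that did not fit."""
    body = struct.pack("!BBHHH", 3, 4, 0, 0, next_hop_mtu) + offending[:28]
    body = body[:2] + struct.pack("!H", checksum(body)) + body[4:]
    return ipv4_header(src, dst, 1, len(body)) + body


def parse_frag_needed(packet: bytes):
    """Return (icmp_src, icmp_dst, next_hop_mtu, orig_src, orig_dst), or None if not a PMTU message."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 1 or checksum(packet[:ihl]) != 0:
        return None
    src = str(ipaddress.ip_address(packet[12:16]))
    dst = str(ipaddress.ip_address(packet[16:20]))
    icmp = packet[ihl:]
    if checksum(icmp) != 0:
        return None
    itype, code, _, _, mtu = struct.unpack("!BBHHH", icmp[:8])
    if (itype, code) != (3, 4):
        return None
    inner = icmp[8:]
    orig_src = str(ipaddress.ip_address(inner[12:16]))
    orig_dst = str(ipaddress.ip_address(inner[16:20]))
    return src, dst, mtu, orig_src, orig_dst


def diagnose(packet: bytes, tunneled=TUNNELED) -> dict:
    """Would this ICMP reply be selected by a net-to-net IPsec policy on its way back to the sender?"""
    parsed = parse_frag_needed(packet)
    if parsed is None:
        return {"pmtu_message": False}
    src, dst, mtu, orig_src, orig_dst = parsed
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    dst_needs_tunnel = any(d in n for n in tunneled)
    src_in_policy = any(s in n for n in tunneled)
    return {
        "pmtu_message": True,
        "next_hop_mtu": mtu,
        "reply_to": dst,
        "answers_sender": dst == orig_src,
        "dst_needs_tunnel": dst_needs_tunnel,
        "src_in_policy": src_in_policy,
        # The reply only travels back through the tunnel if both selector ends match the policy.
        "reaches_tunnel": dst_needs_tunnel and src_in_policy,
    }


# Constructed offending packet: 1500 bytes from a LAN 2 host to a LAN 1 host with DF set.
OFFENDING = ipv4_header("10.2.0.50", "10.1.0.20", 6, 1480) + b"\x00" * 1480

# What the post reports seeing in tcpdump: ICMP sourced from the public address.
BAD_REPLY = frag_needed(FW1_PUBLIC, "10.2.0.50", 1400, OFFENDING)
# What would let PMTU discovery work: ICMP sourced from an address inside the policy.
GOOD_REPLY = frag_needed(FW1_LAN, "10.2.0.50", 1400, OFFENDING)

if __name__ == "__main__":
    for name, pkt in (("bad", BAD_REPLY), ("good", GOOD_REPLY)):
        print(name, diagnose(pkt))
```

The check is deliberately narrow: it only asks whether the ICMP reply's own source/destination pair would be matched by a policy whose selectors are the two LAN subnets. With the source set to the public address, the destination still needs the tunnel but the source is outside every selector, which is the situation the tcpdump output in the post describes; sourcing the reply from an address inside the policy makes both ends match.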