[Openswan Users] pmtu discovery on SA

martin f krafft madduck at madduck.net
Tue Mar 22 00:20:00 CET 2005


I have a couple of IPsec peers and some road warriors, and I am
experiencing severe performance troubles when transferring large
amounts of data from the road warriors to the IPsec "servers" (those
with static IPs). Transfer speeds drop to below 10 kbps, and
messages like 

  kernel: pmtu discovery on SA ESP/e4425f13/d9e930f4

appear in the kern.log on the "servers". I am not sure whether the
two are related, but they seem to take place at the same time...

Has anyone seen this before?

Here is the road warrior configuration:

  conn piper.madduck.net
    left=%defaultroute
    leftcert=/etc/ssl/certs/cirrus.madduck.net.crt
    authby=rsasig
    rightrsasigkey=%cert
    right=piper.madduck.net
    rightid="C=CH, ST=ZH, L=Zurich, O=madduck.net, CN=piper.madduck.net/emailAddss=hostmaster at piper.madduck.net"
    leftsubnet=192.168.14.0/24
    leftsourceip=192.168.14.1
    auto=start

and here the corresponding connection on piper.madduck.net:

  conn cirrus.madduck.net
    left=%defaultroute
    leftcert=/etc/ssl/certs/piper.madduck.net.crt
    authby=rsasig
    rightrsasigkey=%cert
    right=%any
    rightid="C=CH, ST=ZH, L=Zurich, O=madduck.net, CN=cirrus.madduck.net/emailAddress=hostmaster at cirrus.madduck.net"
    rightsubnet=192.168.14.0/24
    auto=add

Thanks for any comments.

-- 
martin;              (greetings from the heart of the sun.)
  \____ echo mailto: !#^."<*>"|tr "<*> mailto:" net at madduck
 
invalid/expired pgp subkeys? use subkeys.pgp.net as keyserver!
spamtraps: madduck.bogus at madduck.net
 
"a bad cause provokes, a good one tolerates, a lot of criticism."
                                                    -- charles tschopp
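
One way to check whether the log messages coincide with the slow transfers is to bucket the kern.log lines per minute and per SA. This is an added example, not part of the original post; it assumes the two hex fields are the ESP SPI and the destination IPv4 address (as printed by the Linux kernel's ESP ICMP error handler), and the syslog timestamp/host prefix and the sample lines are constructed.

```python
import re
import socket
import struct
from collections import Counter

# Constructed kern.log lines; only the message format and the first
# SPI/address pair come from the post. Timestamps and host are made up.
SAMPLE_LOG = """\
Mar 21 23:58:01 piper kernel: pmtu discovery on SA ESP/e4425f13/d9e930f4
Mar 21 23:58:01 piper kernel: pmtu discovery on SA ESP/e4425f13/d9e930f4
Mar 21 23:58:47 piper kernel: pmtu discovery on SA ESP/e4425f13/d9e930f4
Mar 21 23:59:12 piper kernel: eth0: link up
Mar 22 00:03:30 piper kernel: pmtu discovery on SA ESP/0a1b2c3d/cb007107
"""

# Assumed classic syslog prefix: "Mon DD HH:MM:SS host kernel: ..."
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d):\d\d\s+\S+\s+kernel:\s+"
    r"pmtu discovery on SA ESP/(?P<spi>[0-9a-f]{8})/(?P<daddr>[0-9a-f]{8})\s*$"
)


def decode_daddr(hex_addr):
    """Render the 8-hex-digit field as a dotted-quad IPv4 address."""
    return socket.inet_ntoa(struct.pack("!I", int(hex_addr, 16)))


def pmtu_events_per_minute(log_text):
    """Count messages per (minute, SPI, destination) so that bursts can be
    lined up against the times a transfer stalled."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:  # unrelated kernel messages are skipped
            key = (m.group("ts"), "0x" + m.group("spi"),
                   decode_daddr(m.group("daddr")))
            counts[key] += 1
    return counts


if __name__ == "__main__":
    events = pmtu_events_per_minute(SAMPLE_LOG)
    for (minute, spi, daddr), n in sorted(events.items()):
        print(f"{minute}  spi={spi}  dst={daddr}  events={n}")
```

A minute with many events for one SPI that matches a stalled transfer supports the suspicion that the two are related; the decoded address shows which peer the affected SA points at.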