[Openswan Users] Kernel 2.6.10 solved fragmentation issue for me

Paul Wouters paul at xelerance.com
Sun May 1 17:40:48 CEST 2005


On Sat, 30 Apr 2005, Christoph Haas wrote:

> I had refused to migrate from my stoneaged FreeS/WAN setup to OpenS/WAN
> because I experienced problems with large packets through the tunnel
> (besides from ugly crashes with the net-snmpd software). This seems to
> have been a problem with not treating the "need to fragment" message
> correctly. Connections with "large packets" were just stuck. The last
> message in a 'tethereal' dump was "IP Fragmented IP protocol". It
> happened when doing data transfers that hit the MTU. Working through SSH
> worked. Copying data with 'scp' stuck. RDP connections stuck, too.
>
> Then I found a posting from Herbert Xu on this list as a reply to
> someone having the same problem as me. He suggested trying the Linux
> kernel 2.6.10. And voila - it seems to have been resolved finally.

Thanks for the feedback!

> Btw, are there any news on NAT'ed connections with the IPSEC stack from
> the Linux kernel? I understood that KLIPS would be needed to run VPNs
> from NAT'ed gateways.

There is NAT-T support with NETKEY, however the code is within the NETKEY
stack. Therefore when using KLIPS, this code is not available. The Openswan
NAT-T patch instead patches the core udp routines, and as such is not 'part'
of KLIPS. A lot of NAT-T for KLIPS on 2.6 is being developed now, try CVS
or wait for 2.3.2.

> Wasn't KLIPS supposed to be replaced by the kernel's IPSEC stack?

In an ideal world, we would have one stack. Unfortunately, both stacks
have their limitations, and so there is a demand for both stacks at
this point.

> What is the status here? I have fixed IP addresses here. But my
> coworkers do not - they just get a single dynamic IP address assigned by
> their ISP and need to NAT their internal networks. And I'd like to help
> them move to OpenS/WAN, too.

NETKEY supports NAT-T, but because of the path MTU problems, it has been
mostly unusable for people. As you found out, this might have been fixed
by now. But especially when encapsulating IPsec packets into UDP packets,
which is what NAT-T does, these fragmentation and MTU issues surface.

Paul
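The MTU effect Paul describes can be made concrete with a small overhead calculation. This is an added worked example, not code from the mail or from Openswan: it assumes tunnel-mode ESP over IPv4, a 1500-byte path, 3DES-CBC or AES-CBC with a 96-bit HMAC ICV, and RFC 3948 UDP encapsulation for NAT-T, and computes how much inner packet still fits before the gateway must fragment or send "need to fragment".

```python
# Added example (not from the original mail): per-packet overhead of tunnel-mode ESP,
# with and without NAT-T UDP encapsulation, and the largest inner IPv4 packet that
# still fits a given path MTU. Algorithm choices below are assumptions for illustration.

OUTER_IPV4 = 20      # outer IPv4 header added by tunnel mode
UDP_HDR = 8          # UDP header prepended by NAT-T (RFC 3948, port 4500)
ESP_HDR = 8          # SPI (4 bytes) + sequence number (4 bytes)
ESP_TRAILER = 2      # pad length (1 byte) + next header (1 byte)

# (IV length, cipher block size) for the CBC ciphers used here.
CIPHERS = {"3des-cbc": (8, 8), "aes-cbc": (16, 16)}
# ICV length for the truncated HMAC integrity algorithms used here.
ICV = {"hmac-sha1-96": 12, "hmac-md5-96": 12}


def esp_packet_size(inner_len, cipher="3des-cbc", integ="hmac-sha1-96", nat_t=True):
    """Bytes on the wire for one inner IPv4 packet of inner_len bytes after ESP."""
    iv_len, block = CIPHERS[cipher]
    # CBC padding: inner packet + pad + 2-byte trailer must be a multiple of the
    # block size; pad is the smallest count that achieves this.
    pad = (-(inner_len + ESP_TRAILER)) % block
    size = OUTER_IPV4 + ESP_HDR + iv_len + inner_len + pad + ESP_TRAILER + ICV[integ]
    if nat_t:
        size += UDP_HDR
    return size


def max_inner_len(path_mtu=1500, **kw):
    """Largest inner packet whose encapsulation still fits path_mtu."""
    n = path_mtu
    while esp_packet_size(n, **kw) > path_mtu:
        n -= 1
    return n


def needs_fragmentation(inner_len, path_mtu=1500, **kw):
    """True when the encapsulated packet exceeds the path MTU. For an inner packet
    with DF set, path MTU discovery expects the gateway to answer with ICMP
    'fragmentation needed' advertising max_inner_len(); the mail describes what
    happens when that signal is not handled: the transfer simply stalls."""
    return esp_packet_size(inner_len, **kw) > path_mtu


if __name__ == "__main__":
    for cipher in CIPHERS:
        for nat_t in (False, True):
            print(f"{cipher:9} nat_t={nat_t!s:5} max inner packet: "
                  f"{max_inner_len(cipher=cipher, nat_t=nat_t)} bytes")
    print("1500-byte inner packet fits with NAT-T:", not needs_fragmentation(1500))
```

The eight extra UDP bytes of NAT-T alone are enough to turn a packet that would have fit without encapsulation into one that no longer does, which is why the MTU problems surface mainly on NAT'ed connections.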
