[Openswan Users] ICMP Packet Size Limit?

Tomasz Grzelak tgrzelak at wktpolska.com.pl
Thu May 5 09:45:49 CEST 2005


Phillip T. George wrote:
> It seems from a client perspective I can do even less traffic...I can't 
> even do 64 bytes between 2 windows clients! This is obviously not an 
> ICMP-only issue.
> 
> Here's what a 32-byte ping(4) looks like over tcpdump:
> 14:15:30.754483 IP 192.168.0.21 > 192.168.192.10: icmp 40: echo request 
> seq 21970
> 14:15:31.759328 IP 192.168.0.21 > 192.168.192.10: icmp 40: echo request 
> seq 22226
> 14:15:32.760207 IP 192.168.0.21 > 192.168.192.10: icmp 40: echo request 
> seq 22482
> 14:15:33.769269 IP 192.168.0.21 > 192.168.192.10: icmp 40: echo request 
> seq 22738
> 
> Here's what a 64-byte ping(4) looks like over tcpdump:
> <nothing>
> 
> Here's what an attempted RDP connection looks like over tcpdump:
> 14:16:50.204525 IP 192.168.0.21.4080 > 192.168.192.10.3389: S 
> 3549076622:3549076622(0) win 65535 <mss 1460,nop,nop,sackOK>
> 14:16:50.236829 IP 192.168.0.21.4080 > 192.168.192.10.3389: . ack 
> 510505563 win 65535
> 14:16:50.242137 IP 192.168.0.21.4080 > 192.168.192.10.3389: P 0:36(36) 
> ack 1 win 65535
> 14:16:53.298879 IP 192.168.0.21.4080 > 192.168.192.10.3389: . ack 12 win 
> 65524
> 14:17:20.216894 IP 192.168.0.21.4080 > 192.168.192.10.3389: P 448:457(9) 
> ack 12 win 65524
> 14:17:20.224592 IP 192.168.0.21.4080 > 192.168.192.10.3389: F 457:457(0) 
> ack 12 win 65524
> 
> Then of course the windows client says that the connection timed out.
> 
> Any clues?

It looks like an MTU issue, but it is very strange that you cannot do a 
64-byte ping :|
Usually decreasing the MTU to about 1400 bytes is enough, but I don't think 
it will work in your case. Anyway, try setting the MTU to some lower 
value (1400 or 1200 or even lower) on the interfaces of the communicating 
hosts, but you will probably have to search for another solution.

Tomasz Grzelak



> 
> Thanks,
> Phillip
> 
> 
> Phillip T. George wrote:
> 
>> Hello all,
>>
>> I'm having some trouble with getting IPsec working on FC3 a bit 
>> still.  The connection establishes and all and I can ping locations on 
>> the other side and communicate minorly, but I can't seem to establish 
>> any kind of connection thru the VPN (tried SSH and RDP).  I also 
>> noticed that the maximum I can ping with is 296 bytes (-s 288).  Is 
>> there some kind of ICMP packet size limit thru IPsec with openswan?  
>> If not, what is the deal here?
>>
>> Thanks,
>> Phillip
>> _______________________________________________
>> Users mailing list
>> Users at openswan.org
>> http://lists.openswan.org/mailman/listinfo/users
> 
> 
> _______________________________________________
> Users mailing list
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
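
Added example (not part of the original messages): one way to measure the largest ICMP payload that crosses the tunnel unfragmented before picking an MTU to try, as suggested in the reply above. It assumes Linux iputils ping (-M do sets the DF bit) and that every size up to the limit passes; the function names and the PROBE override are hypothetical.

```shell
#!/bin/sh
# Binary-search the largest ICMP echo payload that gets a reply with
# fragmentation prohibited, then convert it to an IPv4 packet size.

# probe HOST SIZE -> exit status 0 if one echo reply came back.
# -M do: set DF, -c 1: one packet, -W 2: wait 2 s, -s: payload bytes.
probe() {
    ping -M do -c 1 -W 2 -s "$2" "$1" >/dev/null 2>&1
}

# max_payload HOST [LO] [HI]
# LO must be a size that is expected to pass, HI an upper bound
# (1472 = 1500-byte Ethernet MTU minus 28 bytes of headers).
# Set PROBE to the name of another function to replace the real ping.
max_payload() {
    host=$1; lo=${2:-0}; hi=${3:-1472}
    # If even the smallest size fails, this is not a size problem.
    "${PROBE:-probe}" "$host" "$lo" || { echo -1; return 1; }
    while [ "$lo" -lt "$hi" ]; do
        mid=$(( (lo + hi + 1) / 2 ))
        if "${PROBE:-probe}" "$host" "$mid"; then
            lo=$mid              # mid passes: the limit is mid or above
        else
            hi=$(( mid - 1 ))    # mid fails: the limit is below mid
        fi
    done
    echo "$lo"
}

# Payload + 8-byte ICMP header + 20-byte IPv4 header (no options).
payload_to_packet() {
    echo $(( $1 + 28 ))
}

# Stand-alone use: sh script.sh 192.168.192.10
if [ -n "${1:-}" ]; then
    p=$(max_payload "$1") &&
        echo "largest payload: $p bytes, IPv4 packet: $(payload_to_packet "$p") bytes"
fi
```

With the limit reported in the first message (-s 288), this gives a 316-byte IPv4 packet on the inner path.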


