[Openswan Users] ICMP Packet Size Limit?

Henning Holtschneider henning at loca.net
Thu May 5 14:58:47 CEST 2005


--On Wednesday, May 4, 2005 14:19 -0500 "Phillip T. George" 
<phillip at eacsi.com> wrote:

> It seems from a client perspective I can do even less traffic...I can't
> even do 64 bytes between 2 windows clients! This is obviously not an
> ICMP-only issue.

Seems like you have a very small MTU somewhere between the client and the 
Windows server you are connecting to, combined with an ICMP blackhole. 
Usually, you should see ICMP need to fragment packets going back to the 
client if the packets coming from the client exceed the MTU size of a 
router on the path or if they exceed the MTU of the Windows server.

First of all, you should check the MTU on the machines involved.

You could also try to clamp the MSS on the VPN to a working value like this:

iptables -I FORWARD 1 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 32
iptables -I OUTPUT 1 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 32

However, an MSS of 32 will produce *very* small packets which may decrease 
your available network bandwidth.

Regards,
Henning Holtschneider
--
LocaNet oHG - http://www.loca.net
Lindemannstrasse 81, D-44137 Dortmund
tel +49 231 91596-25, fax +49 231 91596-55
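
An added example, not part of the original post or of Openswan: one way to do the MTU check suggested above and pick a value for --set-mss. The function names and the 1472-byte upper bound (a 1500-byte link MTU) are assumptions, and probe() assumes Linux iputils ping.

```shell
#!/bin/sh
# Added example: measure the usable path MTU through the tunnel without relying
# on ICMP "fragmentation needed" replies, then derive a TCP MSS from it.

# probe SIZE HOST: succeeds if an echo with SIZE payload bytes and DF set is
# answered. Assumes Linux iputils ping (-M do sets DF, no local fragmentation).
probe() {
    ping -c 1 -W 2 -M do -s "$1" "$2" >/dev/null 2>&1
}

# find_max_payload HOST [PROBE]: binary search for the largest answered payload.
# Only reply/no-reply is used, so it also works across an ICMP blackhole.
# Prints -1 and fails if even an empty echo gets no answer.
find_max_payload() {
    fm_host=$1; fm_probe=${2:-probe}
    fm_lo=0; fm_hi=1472          # 1500 (assumed link MTU) - 20 IP - 8 ICMP
    "$fm_probe" "$fm_lo" "$fm_host" || { echo -1; return 1; }
    while [ "$fm_lo" -lt "$fm_hi" ]; do
        fm_mid=$(( (fm_lo + fm_hi + 1) / 2 ))
        if "$fm_probe" "$fm_mid" "$fm_host"; then
            fm_lo=$fm_mid
        else
            fm_hi=$(( fm_mid - 1 ))
        fi
    done
    echo "$fm_lo"
}

# mss_for_payload PAYLOAD: path MTU = payload + 28 (IP + ICMP headers);
# TCP MSS = path MTU - 40 (IPv4 + TCP headers without options).
mss_for_payload() {
    echo $(( $1 + 28 - 40 ))
}

# Usage: sh pmtu.sh <host-behind-the-tunnel>
if [ "$#" -gt 0 ]; then
    payload=$(find_max_payload "$1") || { echo "no reply from $1" >&2; exit 1; }
    mss=$(mss_for_payload "$payload")
    echo "largest payload: $payload, path MTU: $(( payload + 28 )), MSS: $mss"
    echo "iptables -I FORWARD 1 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss $mss"
fi
```

Each size is probed once, so a lost packet counts as "too large"; rerun on a lossy link before trusting a low result.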