[Openswan Users] ICMP Packet Size Limit?

Phillip T. George phillip at eacsi.com
Thu May 5 12:37:03 CEST 2005


No, I am not. Here's the version info:
Linux version 2.6.11-1.14_FC3 (bhcompile at tweety.build.redhat.com) (gcc 
version 3.4.3 20050227 (Red Hat 3.4.3-22)) #1 Thu Apr 7 19:24:13 EDT 2005

I upgraded to the latest version of ipsec-tools 
(ipsec-tools-0.5-2.fc3.i386.rpm) and openswan 
(openswan-2.1.5-2.FC3.1.i386.rpm) via the FC3 updates and then I updated 
openswan via downloading the latest tarball (because before then I 
couldn't even establish a connection!), which is version 2.3.1.  This 
version information is true for BOTH linux boxes.

I have NOT used FC3 to do VPNing before.  I have used RH73 many times.

I am using the same ISP (cox.com) for both sides.  One is business and 
one is residential.  I'm somewhat curious if the residential side may have 
some kind of thing that doesn't allow for ipsec to take place as 
easily....  I know they don't allow certain things for security reasons, 
I wouldn't think they would disallow ipsec :)  For example, they don't 
allow http incoming and they don't allow smtp outgoing, except on their 
own smtp server.  I have used the business side for doing VPNs before, 
so I know this point is not the issue, especially since a lot of other 
clients have the same service.  I highly doubt that the residential is 
the problem, but it is possible....though if this were the case, I would 
think they wouldn't allow ANY communication.

Also, doing a test outside of the VPN (external to external IPs), I can 
ping just fine with nice large packets :)

Once the solution is found...I will definitely post here.

Thanks,
Phillip




lee huughes wrote:

>something is eating your packets!! are you using any weird layer 2
>media between these machines? could also be a routing problem. check
>your routing table.
>
>what os and kernel are you running + what version of ipsec + swan?
>
>an interesting problem, keep me posted?
>
>Laters,
>
>
>On 5/4/05, Phillip T. George <phillip at eacsi.com> wrote:
>  
>
>>It seems from a client perspective I can do even less traffic...I can't
>>even do 64 bytes between 2 windows clients! This is obviously not an
>>ICMP-only issue.
>>
>>Here's what a 32-byte ping(4) looks like over tcpdump:
>>14:15:30.754483 IP 192.168.0.21 > 192.168.192.10: icmp 40: echo request seq 21970
>>14:15:31.759328 IP 192.168.0.21 > 192.168.192.10: icmp 40: echo request seq 22226
>>14:15:32.760207 IP 192.168.0.21 > 192.168.192.10: icmp 40: echo request seq 22482
>>14:15:33.769269 IP 192.168.0.21 > 192.168.192.10: icmp 40: echo request seq 22738
>>
>>Here's what a 64-byte ping(4) looks like over tcpdump:
>><nothing>
>>
>>Here's what an attempted RDP connection looks like over tcpdump:
>>14:16:50.204525 IP 192.168.0.21.4080 > 192.168.192.10.3389: S 3549076622:3549076622(0) win 65535 <mss 1460,nop,nop,sackOK>
>>14:16:50.236829 IP 192.168.0.21.4080 > 192.168.192.10.3389: . ack 510505563 win 65535
>>14:16:50.242137 IP 192.168.0.21.4080 > 192.168.192.10.3389: P 0:36(36) ack 1 win 65535
>>14:16:53.298879 IP 192.168.0.21.4080 > 192.168.192.10.3389: . ack 12 win 65524
>>14:17:20.216894 IP 192.168.0.21.4080 > 192.168.192.10.3389: P 448:457(9) ack 12 win 65524
>>14:17:20.224592 IP 192.168.0.21.4080 > 192.168.192.10.3389: F 457:457(0) ack 12 win 65524
>>
>>Then of course the windows client says that the connection timed out.
>>
>>Any clues?
>>
>>Thanks,
>>Phillip
>>
>>
>>Phillip T. George wrote:
>>
>>    
>>
>>>Hello all,
>>>
>>>I'm having some trouble with getting IPsec working on FC3 a bit
>>>still.  The connection establishes and all and I can ping locations on
>>>the other side and communicate minorly, but I can't seem to establish
>>>any kind of connection thru the VPN (tried SSH and RDP).  I also
>>>noticed that the maximum I can ping with is 296 bytes (-s 288).  Is
>>>there some kind of ICMP packet size limit thru IPsec with openswan?
>>>If not, what is the deal here?
>>>
>>>Thanks,
>>>Phillip
>>>_______________________________________________
>>>Users mailing list
>>>Users at openswan.org
>>>http://lists.openswan.org/mailman/listinfo/users
>>>      
>>>

