[Openswan Users] ICMP Packet Size Limit?

lee hughes toxicnaan at gmail.com
Sun May 8 16:04:40 CEST 2005


It's quite possible that your ISP is either

blocking certain types of traffic (ipsec/esp/ah & udp port 500)
using NAT for domestic clients (easily spotted by finding out your IP address)
using Transparent Proxies and Transparent Packet redirection, both
very nasty in my view!

or any other type of packet mangling going on.

ask your ISP for the details of their firewalling and traffic
policies; if they don't want to tell you, then change your ISP to one
that knows what they are doing. ;-)

be aware some ISPs directly forbid the use of a VPN connection on domestic
connections!!! Check your AUP.


On 5/5/05, Phillip T. George <phillip at eacsi.com> wrote:
> No, I am not. Here's the version info:
> Linux version 2.6.11-1.14_FC3 (bhcompile at tweety.build.redhat.com) (gcc
> version 3.4.3 20050227 (Red Hat 3.4.3-22)) #1 Thu Apr 7 19:24:13 EDT 2005
> 
> I upgraded to the latest version of ipsec-tools
> (ipsec-tools-0.5-2.fc3.i386.rpm) and openswan
> (openswan-2.1.5-2.FC3.1.i386.rpm) via the FC3 updates and then I updated
> openswan via downloading the latest tarball (because before then I
> couldn't even establish a connection!), which is version 2.3.1.  This
> version information is true for BOTH linux boxes.
> 
> I have NOT used FC3 to do VPNing before yet.  I have used RH73 many times.
> 
> I am using the same ISP (cox.com) for both sides.  One is business and
> one is residential.  I'm somewhat curious if the residential side may have
> some kind of thing that doesn't allow for ipsec to take place as
> easily....  I know they don't allow certain things for security reasons,
> I wouldn't think they would disallow ipsec :)  For example, they don't
> allow http incoming and they don't allow smtp outgoing, except on their
> own smtp server.  I have used the business side for doing VPNs before,
> so I know this point is not the issue, especially since a lot of other
> clients have the same service.  I highly doubt that the residential is
> the problem, but it is possible....though if this were the case, I would
> think they wouldn't allow ANY communication.
> 
> Also, doing a test outside of the VPN (external to external IPs), I can
> ping just fine with nice large packets :)
> 
> Once the solution is found...I will definitely post here.
> 
> Thanks,
> Phillip
> 
> 
> lee hughes wrote:
> 
> >something is eating your packets!! are you using any weird layer 2
> >media between these machines? could also be a routing problem. check
> >your routing table.
> >
> >what os and kernel are you running + what version of ipsec + swan?
> >
> >an interesting problem, keep me posted?
> >
> >Laters,
> >
> >
> >On 5/4/05, Phillip T. George <phillip at eacsi.com> wrote:
> >
> >
> >>It seems from a client perspective I can do even less traffic...I can't
> >>even do 64 bytes between 2 windows clients! This is obviously not an
> >>ICMP-only issue.
> >>
> >>Here's what a 32-byte ping(4) looks like over tcpdump:
> >>14:15:30.754483 IP 192.168.0.21 > 192.168.192.10: icmp 40: echo request
> >>seq 21970
> >>14:15:31.759328 IP 192.168.0.21 > 192.168.192.10: icmp 40: echo request
> >>seq 22226
> >>14:15:32.760207 IP 192.168.0.21 > 192.168.192.10: icmp 40: echo request
> >>seq 22482
> >>14:15:33.769269 IP 192.168.0.21 > 192.168.192.10: icmp 40: echo request
> >>seq 22738
> >>
> >>Here's what a 64-byte ping(4) looks like over tcpdump:
> >><nothing>
> >>
> >>Here's what an attempted RDP connection looks like over tcpdump:
> >>14:16:50.204525 IP 192.168.0.21.4080 > 192.168.192.10.3389: S
> >>3549076622:3549076622(0) win 65535 <mss 1460,nop,nop,sackOK>
> >>14:16:50.236829 IP 192.168.0.21.4080 > 192.168.192.10.3389: . ack
> >>510505563 win 65535
> >>14:16:50.242137 IP 192.168.0.21.4080 > 192.168.192.10.3389: P 0:36(36)
> >>ack 1 win 65535
> >>14:16:53.298879 IP 192.168.0.21.4080 > 192.168.192.10.3389: . ack 12 win
> >>65524
> >>14:17:20.216894 IP 192.168.0.21.4080 > 192.168.192.10.3389: P 448:457(9)
> >>ack 12 win 65524
> >>14:17:20.224592 IP 192.168.0.21.4080 > 192.168.192.10.3389: F 457:457(0)
> >>ack 12 win 65524
> >>
> >>Then of course the windows client says that the connection timed out.
> >>
> >>Any clues?
> >>
> >>Thanks,
> >>Phillip
> >>
> >>
> >>Phillip T. George wrote:
> >>
> >>
> >>
> >>>Hello all,
> >>>
> >>>I'm having some trouble with getting IPsec working on FC3 a bit
> >>>still.  The connection establishes and all and I can ping locations on
> >>>the other side and communicate minorly, but I can't seem to establish
> >>>any kind of connection thru the VPN (tried SSH and RDP).  I also
> >>>noticed that the maximum I can ping with is 296 bytes (-s 288).  Is
> >>>there some kind of ICMP packet size limit thru IPsec with openswan?
> >>>If not, what is the deal here?
> >>>
> >>>Thanks,
> >>>Phillip
> >>>_______________________________________________
> >>>Users mailing list
> >>>Users at openswan.org
> >>>http://lists.openswan.org/mailman/listinfo/users
> >>>
> >>>
> >>
> >>
> >>
>
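The symptom in this thread (small pings cross the tunnel, anything above roughly -s 288 vanishes, and TCP sessions stall after the handshake) is the classic signature of a path that silently drops oversized packets instead of returning an ICMP "fragmentation needed" error. The usual way to pin down the ceiling is a binary search over DF-marked ping sizes. The script below is an added example written for this archive page, not code from the thread or from the Openswan project; it assumes a Linux iputils ping(8) that accepts -M do (set DF), -s, -c and -W, and it ships with a constructed stand-in probe so it can be run offline (the stand-in reproduces the 288-byte ceiling reported above).

```python
"""Find the largest ICMP echo payload that crosses a path (added example).

Run with no arguments to use the constructed simulated path (drops above
288 bytes, as in the thread); run with a hostname to probe a real path
with DF-marked pings.  Linux iputils ping(8) flags are assumed.
"""
import subprocess
import sys
from typing import Callable

ICMP_HEADER = 8    # echo request/reply header, bytes
IPV4_HEADER = 20   # IPv4 header without options, bytes


def ping_probe(host: str, payload: int, timeout_s: int = 1) -> bool:
    """Send one DF-marked echo request carrying `payload` data bytes.

    Returns True only if a reply came back; a drop, an ICMP 'frag needed'
    error or a timeout all count as failure, which is exactly what a
    black-holing path looks like from the sender's side.
    """
    cmd = ["ping", "-M", "do", "-c", "1", "-W", str(timeout_s),
           "-s", str(payload), host]
    try:
        result = subprocess.run(cmd, stdout=subprocess.DEVNULL,
                                stderr=subprocess.DEVNULL)
    except FileNotFoundError:   # no ping binary on this host
        return False
    return result.returncode == 0


def simulated_probe(cutoff: int) -> Callable[[int], bool]:
    """Constructed stand-in for a path that silently drops payloads > cutoff."""
    return lambda payload: payload <= cutoff


def largest_passing_payload(probe: Callable[[int], bool],
                            lo: int = 0, hi: int = 1472) -> int:
    """Binary-search the largest payload in [lo, hi] for which probe() succeeds.

    Assumes monotonic behaviour (if size n passes, every smaller size
    passes), which holds for an MTU ceiling.  Returns -1 if even `lo`
    fails, i.e. the path is down rather than size-limited.  The default
    hi of 1472 is the largest payload that fits a 1500-byte Ethernet MTU
    with IPv4 and ICMP headers and no tunnel overhead.
    """
    if not probe(lo):
        return -1
    while lo < hi:
        mid = (lo + hi + 1) // 2       # round up so lo always advances
        if probe(mid):
            lo = mid
        else:
            hi = mid - 1
    return lo


def datagram_size(payload: int) -> int:
    """Size of the on-the-wire IPv4 datagram for a given ping payload."""
    return payload + ICMP_HEADER + IPV4_HEADER


if __name__ == "__main__":
    if len(sys.argv) > 1:
        target = sys.argv[1]
        probe = lambda n: ping_probe(target, n)
    else:
        probe = simulated_probe(288)   # constructed: the thread's ceiling
    best = largest_passing_payload(probe)
    if best < 0:
        print("no reply even for the smallest probe; path is down, not size-limited")
    else:
        print(f"largest passing payload: {best} bytes "
              f"(IPv4 datagram {datagram_size(best)} bytes)")
```

A ceiling far below the link MTU, combined with TCP handshakes that complete but data segments that never arrive, points at a middlebox or tunnel endpoint that discards large packets without sending the ICMP error path-MTU discovery relies on; the defensive fixes are to lower the MTU (or clamp TCP MSS) on the tunnel interface, or to get the ISP to stop filtering ICMP, rather than anything on the peer.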

