[Openswan Users] Openswan, ADSL and slow connections
Paul Wouters
paul at xelerance.com
Fri Nov 11 17:51:02 CET 2005
On Fri, 11 Nov 2005, Andrej Trobentar wrote:
> client ---- fw1 ------<internet>----- fw2 ---- camera
> Here's the tcpdump trace from 2) :
>
> 08:54:21.306132 192.168.0.1 > 192.168.0.61: icmp: 192.168.15.11
> unreachable - need to frag [tos 0xc0]
> So I guess it has something to do with the fragmentation. I have tried
> to put "overridemtu=1492", "overridemtu=500", "overridemtu=1500", ... in
> the ipsec.conf on fw2, but with no luck. I have tried to upgrade fw2 to
> openswan 2.4.2rc1, but the problem still exists.
Did you try setting a smaller MTU on the *other side* of the link?
> I have attached the ipsec.conf and ifconfig from fw2. Please let me know
> if you need any more information...
Remember overridemtu only works with klips, not netkey. I am not sure if
you are using klips.
A few things to try:
- lower mtu on both sides using overridemtu= if using klips
- use TCP clamping (see archive or wiki)
- reduce the LAN ethernet mtu's on both ends to about 1400
Paul
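
The clamping and LAN MTU suggestions above, turned into commands for each gateway; this is an added example, not part of the original message or of Openswan. Assumptions: the LAN interface is eth0, the MTU is the "about 1400" from the reply, the clamp is a fixed MSS of MTU minus 40 (IPv4 plus TCP headers), and APPLY is a hypothetical switch of this script.

```shell
#!/bin/sh
# Added example: prints the commands by default, runs them only with APPLY=1.
# For klips only, the equivalent setting is overridemtu= in "config setup".

LAN_IF="${LAN_IF:-eth0}"     # assumed LAN interface name
LAN_MTU="${LAN_MTU:-1400}"   # "about 1400", taken from the reply

# Largest TCP segment that fits an MTU: minus 20 bytes IPv4 header
# and 20 bytes TCP header (no options).
mss_for_mtu() {
    mtu="$1"
    case "$mtu" in
        ''|*[!0-9]*) echo "invalid MTU: $mtu" >&2; return 1 ;;
    esac
    [ "$mtu" -gt 40 ] || { echo "MTU $mtu leaves no room for data" >&2; return 1; }
    echo $((mtu - 40))
}

# Rule that rewrites the MSS option on SYN packets forwarded by the gateway,
# so both TCP endpoints agree on segments that fit without fragmentation.
clamp_cmd() {
    mss=$(mss_for_mtu "$1") || return 1
    echo "iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss $mss"
}

# Command that lowers the MTU of the LAN-facing interface.
lan_mtu_cmd() {
    mss_for_mtu "$2" >/dev/null || return 1
    echo "ip link set dev $1 mtu $2"
}

# Dry run unless APPLY=1 is set in the environment.
run() {
    if [ "${APPLY:-0}" = 1 ]; then sh -c "$1"; else echo "$1"; fi
}

plan() {
    run "$(clamp_cmd "$LAN_MTU")"
    run "$(lan_mtu_cmd "$LAN_IF" "$LAN_MTU")"
}

plan
```

Clamping only affects TCP; UDP and ICMP through the tunnel still depend on the interface MTU.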