[Openswan Users]
Openswan 2.4.4 issue - gateway spewing need to frag
Ryley Breiddal
rbreiddal at presinet.com
Fri Nov 18 16:34:13 CET 2005
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi,
I'm having an issue right now with Openswan 2.4.3 and 2.4.4 sending out
ICMP "need to frag" messages for certain types of packets. I can
successfully send large or small pings across the VPN tunnel, but a SYN
packet (i.e. small tcp packet) causes the local Openswan gateway to send
a "need to frag" message. Unfortunately, this behaviour is not
consistent, so not all tcp packets produce the error. I have not
figured out the pattern yet.
I noticed that the Changelog for v2.4.2 has this line in it:
* Fix for 'short' packets with KLIPS on 2.4.x
Related perhaps?
Here is a tcpdump of the problem:
192.168.2.10 is a client on the local network.
192.168.2.254 is the local gateway.
192.168.1.17 is the remote gateway's IP inside the tunnel.
-------------------------
15:54:18.653344 IP (length: 84) 192.168.2.10 > 192.168.1.17: icmp 64: echo request seq 1
15:54:18.654543 IP (length: 84) 192.168.1.17 > 192.168.2.10: icmp 64: echo reply seq 1
16:05:44.157937 IP (length: 1428) 192.168.2.10 > 192.168.1.17: icmp 1408: echo request seq 1
16:05:44.160392 IP (length: 1428) 192.168.1.17 > 192.168.2.10: icmp 1408: echo reply seq 1
16:20:35.667669 IP (flags [DF], length: 60) 192.168.2.10.1178 > 192.168.1.17.722: S 1526047970:1526047970(0) win 5840 <mss 1460,sackOK,timestamp 605395264[|tcp]>
16:20:35.667846 IP (length: 88) 192.168.2.254 > 192.168.2.10: icmp 68: 192.168.1.17 unreachable - need to frag
If I add "fragicmp=no" that seems to clear up the issue.
I'm working off of a 2.4.30 kernel.
Any ideas or suggestions? I can provide a barf if necessary.
_____________________________________
Ryley Breiddal
PresiNET Systems
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (MingW32)
iD8DBQFDfnMFMTUY55MR22ERAtXaAKCEmhQ1wFFMHD/n5yPJZzTB4e+jpACdF45H
5KMnyY8wAUAZTqT0PBxXjHE=
=sScl
-----END PGP SIGNATURE-----
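As an added example (not part of the original post or of Openswan), the following script correlates each ICMP "need to frag" message in a tcpdump capture with the packet that triggered it, so a gateway operator can check whether the unreachable is being generated for small DF-flagged packets while larger non-DF packets on the same flow passed, which is the symptom described above. It assumes the single-line tcpdump format shown in the post (the wrapped lines re-joined) and uses the post's own capture as its sample input.

```python
"""Pair ICMP 'need to frag' messages in tcpdump text with the packet that
triggered them and note whether larger packets on the same flow got through.
Added example, not from the original post; assumes tcpdump's 'IP (flags [DF],
length: N) src > dst: ...' line format with wrapped lines already re-joined."""
import re
from dataclasses import dataclass

# The capture from the post, re-joined onto single lines (not constructed).
SAMPLE = """\
15:54:18.653344 IP (length: 84) 192.168.2.10 > 192.168.1.17: icmp 64: echo request seq 1
15:54:18.654543 IP (length: 84) 192.168.1.17 > 192.168.2.10: icmp 64: echo reply seq 1
16:05:44.157937 IP (length: 1428) 192.168.2.10 > 192.168.1.17: icmp 1408: echo request seq 1
16:05:44.160392 IP (length: 1428) 192.168.1.17 > 192.168.2.10: icmp 1408: echo reply seq 1
16:20:35.667669 IP (flags [DF], length: 60) 192.168.2.10.1178 > 192.168.1.17.722: S 1526047970:1526047970(0) win 5840 <mss 1460,sackOK,timestamp 605395264[|tcp]>
16:20:35.667846 IP (length: 88) 192.168.2.254 > 192.168.2.10: icmp 68: 192.168.1.17 unreachable - need to frag
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP \((?P<hdr>[^)]*)\) (?P<src>\S+) > (?P<dst>\S+): (?P<body>.*)$"
)
# The ICMP body names the destination the original packet could not reach.
NEED_FRAG_RE = re.compile(r"icmp \d+: (?P<inner_dst>\S+) unreachable - need to frag")


@dataclass
class Packet:
    ts: str
    src: str
    dst: str
    length: int
    df: bool
    body: str


def split_host(endpoint):
    """'192.168.2.10.1178' -> '192.168.2.10' (tcpdump appends the port as a fifth dotted field)."""
    return ".".join(endpoint.split(".")[:4])


def parse_line(line):
    """Parse one tcpdump line into a Packet, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    hdr = m.group("hdr")
    length_m = re.search(r"length: (\d+)", hdr)
    return Packet(
        ts=m.group("ts"),
        src=split_host(m.group("src")),
        dst=split_host(m.group("dst")),
        length=int(length_m.group(1)) if length_m else 0,
        df="[DF]" in hdr,
        body=m.group("body"),
    )


def correlate(text):
    """For every 'need to frag' ICMP, find the most recent earlier packet from the
    ICMP's receiver to the unreachable inner destination, and report the largest
    packet on that same flow that did NOT trigger an unreachable."""
    findings = []
    seen = []
    triggered = set()  # ids of packets already blamed for an unreachable
    for line in text.splitlines():
        pkt = parse_line(line)
        if pkt is None:
            continue
        nf = NEED_FRAG_RE.search(pkt.body)
        if nf:
            inner_dst = nf.group("inner_dst")
            trigger = next(
                (p for p in reversed(seen) if p.src == pkt.dst and p.dst == inner_dst),
                None,
            )
            if trigger is not None:
                triggered.add(id(trigger))
            largest_ok = max(
                (p.length for p in seen
                 if p.src == pkt.dst and p.dst == inner_dst and id(p) not in triggered),
                default=0,
            )
            findings.append({
                "icmp_ts": pkt.ts,
                "icmp_from": pkt.src,        # who emitted the unreachable (here: the local gateway)
                "sender": pkt.dst,           # host whose packet was rejected
                "inner_dst": inner_dst,
                "trigger_length": trigger.length if trigger else None,
                "trigger_df": trigger.df if trigger else None,
                "largest_untriggered_length": largest_ok,
                # A DF packet rejected while larger non-DF packets passed is the oddity
                # in the post: PMTU handling rather than raw packet size is involved.
                "smaller_than_passed": bool(trigger) and trigger.length < largest_ok,
            })
        seen.append(pkt)
    return findings


if __name__ == "__main__":
    for f in correlate(SAMPLE):
        print(f)
```

Run it against a re-joined `tcpdump -v` capture; each finding names the host that sent the unreachable, the rejected packet's size and DF bit, and the largest packet on the same flow that was not rejected. For the post's capture it reports the 60-byte DF SYN being rejected by 192.168.2.254 while a 1428-byte non-DF ping to the same destination went through.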