[Openswan Users] MTU issue

Antony Gelberg antony at wayforth.co.uk
Tue Sep 20 23:32:49 CEST 2005


> On Tue, 20 Sep 2005, Antony Gelberg wrote:
>
>> This makes sense.  When I ping a LAN host from the roadwarrior, with DF
>> set, 1450 responds with Fragmentation required but DF set, 1350 responds
>> normally, but 1400 times out.  As if that wasn't enough,
>> http://lists.openswan.org/pipermail/users/2004-July/001514.html confirms
>> my suspicions.
>>
>> However, I can't seem to find the correct settings.  On the Openswan box,
>> both WAN(eth0) and LAN(eth1) have an MTU=1500.  I am disregarding the
>> ipsec0 MTU of 16260 as I believe it's a red herring.  Both routers (LAN
>> and roadwarrior) have MTU=MRU=1458 and MSS=1418.
>
> the ipsec interface has an mtu larger than the underlying physical interface,
> so it will never cause fragmentation. fragmentation should not happen there.
>
>> However, even if I set MTU=1458 on eth0 and eth1 on the Openswan box, no
>> joy.    The ping problem is still present.
>
> Try to set your mtu to 1350 since that seems to work. You can also try to
> use overridemtu=1350, which will set the ipsec device mtu.

Thanks Paul, but none of that seemed to make any difference to behaviour. 
Even after an ifconfig eth0 mtu 1350, the 1400 byte DF ping from the
roadwarrior doesn't respond with fragmentation needed.  A tcpdump -i
ipsec0 reveals that the ping isn't even seen coming in by ipsec0.

Did I miss something?  Do I need to restart after changing the MTU?  I
thought ifconfig commands worked on the fly.

Antony
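
The three outcomes described in this message (a normal reply, a "fragmentation needed" error, and silence) can be told apart mechanically. The script below is an added example, not part of the original post or of Openswan; the function names are hypothetical and the `ping` flags assume Linux iputils.

```shell
#!/bin/sh
# Classify DF-set ping probes the way the message above reads them:
# reply, "fragmentation needed" error, or silence (a PMTU black hole).

# probe SIZE HOST: send one DF ping (Linux iputils flags, an assumption).
# Redefine this function to replay captured output without the network.
probe() {
    ping -M do -c 1 -W 2 -s "$1" "$2" 2>&1
}

# classify TEXT: map ping output to ok / frag-needed / timeout.
classify() {
    case "$1" in
        *"Frag needed"*|*[Mm]"essage too long"*) echo frag-needed ;;
        *"bytes from"*)                          echo ok ;;
        *)                                       echo timeout ;;
    esac
}

# scan HOST SIZE...: print one "SIZE RESULT" line per probe size.
scan() {
    host=$1; shift
    for size in "$@"; do
        echo "$size $(classify "$(probe "$size" "$host")")"
    done
}

# blackhole HOST SIZE...: list the sizes that were silently dropped,
# i.e. neither answered nor rejected with an ICMP error.
blackhole() {
    scan "$@" | while read -r size result; do
        if [ "$result" = timeout ]; then echo "$size"; fi
    done | tr '\n' ' ' | sed 's/ $//'
}

# Example: blackhole <lan-host> 1350 1400 1450
```

A size reported by `blackhole` is one where the packet was dropped somewhere on the path and no ICMP error reached the sender, which is the 1400-byte case in this thread.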


