[Openswan Users] MTU issue

Antony Gelberg antony at wayforth.co.uk
Wed Sep 21 00:57:46 CEST 2005


Antony Gelberg wrote:
>>On Tue, 20 Sep 2005, Antony Gelberg wrote:
>>
>>
>>>This makes sense.  When I ping a LAN host from the roadwarrior, with DF
>>>set, 1450 responds with Fragmentation required but DF set, 1350 responds
>>>normally, but 1400 times out.  As if that wasn't enough,
>>>http://lists.openswan.org/pipermail/users/2004-July/001514.html confirms
>>>my suspicions.
>>>
>>>However, I can't seem to find the correct settings.  On the Openswan
>>>box,
>>>both WAN(eth0) and LAN(eth1) have an MTU=1500.  I am disregarding the
>>>ipsec0 MTU of 16260 as I believe it's a red herring.  Both routers (LAN
>>>and roadwarrior) have MTU=MRU=1458 and MSS=1418.
>>
>>the ipsec interface has an mtu larger than the underlying physical
>>interface,
>>so it will never cause fragmentation. fragmentation should not happen
>>there.
>>
>>
>>>However, even if I set MTU=1458 on eth0 and eth1 on the Openswan box, no
>>>joy.    The ping problem is still present.
>>
>>Try to set your mtu to 1350 since that seems to work. You can also try to
>>use overridemtu=1350, which will set the ipsec device mtu.

Grr.  Everything looked fine and I couldn't work out where the problem
was.  Then I rebooted the roadwarrior into Linux (was using XP with
Marcus Mueller's client), configured openswan and joy of joys, it works
great.  My VNC connection is now usable, copying files works properly.

This is with default settings on the gateway, no MTU messing etc.  I'm
happy, if frustrated.  I can't believe that Windows XP can't (allegedly)
do PMTUD.  Anyway thanks for the responses.  I'll still have to get to
the bottom of it as when we deploy Openswan for customers, they will not
know any better than to want to use Windows machines.
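
The three DF ping results quoted in this thread (1350 replies, 1400 times out, 1450 returns "Fragmentation required but DF set") describe a band of sizes that are dropped with no ICMP error, which is what breaks PMTUD. As an added example, not part of the original post: Python that binary-searches DF ping sizes to locate that silent band. The `probe` callback, the `simulated_path` function and its thresholds 1380 and 1431 are constructed assumptions chosen to match the three observations; a real probe would wrap a DF ping.

```python
from enum import Enum


class Result(Enum):
    REPLY = "reply"
    FRAG_NEEDED = "frag-needed"  # ICMP "Fragmentation required but DF set"
    TIMEOUT = "timeout"          # silent drop: no reply and no ICMP error


def largest_true(pred, lo, hi):
    """Largest s in [lo, hi] with pred(s) true, or None if pred(lo) is false.
    Assumes pred is true up to some threshold and false above it."""
    if not pred(lo):
        return None
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if pred(mid):
            lo = mid
        else:
            hi = mid - 1
    return lo


def find_black_hole(probe, lo, hi):
    """Return (largest size that got a reply, (first, last) silent size or None)."""
    last_ok = largest_true(lambda s: probe(s) is Result.REPLY, lo, hi)
    # Largest size that still produces no ICMP error (either a reply or silence).
    last_quiet = largest_true(lambda s: probe(s) is not Result.FRAG_NEEDED, lo, hi)
    first_silent = lo if last_ok is None else last_ok + 1
    if last_quiet is None or first_silent > last_quiet:
        return last_ok, None  # every oversized probe was signalled: PMTUD can work
    return last_ok, (first_silent, last_quiet)


def simulated_path(size, works_up_to=1380, icmp_from=1431):
    """Constructed stand-in for one DF ping; thresholds are assumptions."""
    if size <= works_up_to:
        return Result.REPLY
    if size >= icmp_from:
        return Result.FRAG_NEEDED
    return Result.TIMEOUT


if __name__ == "__main__":
    print(find_black_hole(simulated_path, 1300, 1500))
```

A non-empty band means a sender gets no signal to shrink its packets in that range, so the working size has to be set explicitly (for example with the `overridemtu` setting suggested earlier in the thread).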

