[Openswan Users] MTU issue

Trevor Benson TrevorBenson at a-1networks.com
Wed Sep 21 08:55:39 CEST 2005


I would test doing the same pings between your box and the default
gateway of the remote Openswan system.  I ran into a similar issue as
you describe, but it also occurred outside of the tunnel. The problems
are on the network the client was using which caused the same issues.
This was happening on PIXes as well as Openswan systems.

But once we tested outside the tunnel it was apparent at once that it
had nothing to do with the tunnel, the route we followed from the local
office dropped the packets, and hence caused problems on the tunnel
itself.  The ISP and the transit provider still have not worked out
their issue, so the client is likely to move out this week.  May not
have anything to do with your issue, but just want to make sure you're not
assuming it's problems with your config, instead of the surrounding
network.

I assumed (I know, I know) that Path MTU would work this out by itself,
but it didn't.  After that the only explanation I can come up with is
that Path MTU from client to server does not see the route between the
Openswan systems, just the client, gateway, tunnel endpoint to endpoint,
other gateway, and host on the other side.  Presumably ignoring the
routers between the Openswan systems, and not finding the true MTU of
the path it will take, just the MTU of the tunnel.

Thank you,
Trevor Benson
A1 Networks

> -----Original Message-----
> From: users-bounces at openswan.org [mailto:users-bounces at openswan.org] On
> Behalf Of Antony Gelberg
> Sent: Tuesday, September 20, 2005 10:36 AM
> To: users at openswan.org
> Subject: [Openswan Users] MTU issue
> 
> Hi all,
> 
> I have a PMTUD issue with my VPN.  It manifested itself here:
> http://lists.samba.org/archive/samba/2005-September/111079.html
> 
> This makes sense.  When I ping a LAN host from the roadwarrior, with DF
> set, 1450 responds with Fragmentation required but DF set, 1350 responds
> normally, but 1400 times out.  As if that wasn't enough,
> http://lists.openswan.org/pipermail/users/2004-July/001514.html confirms
> my suspicions.
> 
> However, I can't seem to find the correct settings.  On the Openswan box,
> both WAN(eth0) and LAN(eth1) have an MTU=1500.  I am disregarding the
> ipsec0 MTU of 16260 as I believe it's a red herring.  Both routers (LAN
> and roadwarrior) have MTU=MRU=1458 and MSS=1418.
> 
> However, even if I set MTU=1458 on eth0 and eth1 on the Openswan box, no
> joy.  The ping problem is still present.
> 
> Hope someone can shed some light.
> 
> Antony
> 
> 
> 
> 
> _______________________________________________
> Users mailing list
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
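
The DF-set ping test discussed in this thread, as an added example that is not part of either message or of Openswan: it sweeps payload sizes and separates sizes that draw a "fragmentation needed" answer from sizes that vanish silently. It assumes Linux iputils `ping` (`-M do`, `-s`, `-c`, `-W`); the function names are hypothetical, and `sample_probe` is constructed to match only the three sizes reported above (1350, 1400, 1450).

```python
import subprocess, sys

def ping_df(host, size, timeout=2):
    """Send one echo with DF set (Linux iputils `ping -M do`) and classify it."""
    p = subprocess.run(["ping", "-M", "do", "-c", "1", "-W", str(timeout),
                        "-s", str(size), host], capture_output=True, text=True)
    out = (p.stdout + p.stderr).lower()
    if p.returncode == 0:
        return "ok"
    if "frag needed" in out or "message too long" in out:
        return "frag_needed"   # an ICMP error or local MTU check answered
    return "timeout"           # silently dropped somewhere on the path

def sweep(probe, lo=1200, hi=1500, step=50):
    """Probe each payload size; merge neighbouring sizes with the same result."""
    bands = []
    for size in range(lo, hi + 1, step):
        result = probe(size)
        if bands and bands[-1][0] == result:
            bands[-1][2] = size
        else:
            bands.append([result, size, size])
    return [tuple(b) for b in bands]

def diagnose(bands):
    """Sizes that time out above the largest working size indicate a hop that
    drops oversize DF packets without sending 'fragmentation needed'."""
    ok_tops = [top for result, _, top in bands if result == "ok"]
    largest_ok = max(ok_tops) if ok_tops else None
    silent = [(low, top) for result, low, top in bands
              if result == "timeout" and (largest_ok is None or low > largest_ok)]
    return {"largest_ok": largest_ok, "silent_drop": silent}

def sample_probe(size):
    """Constructed stand-in matching the three sizes reported in the thread."""
    if size <= 1350:
        return "ok"
    return "frag_needed" if size >= 1450 else "timeout"

if __name__ == "__main__":
    if len(sys.argv) > 1:      # real run: python3 script.py <host>
        bands = sweep(lambda s: ping_df(sys.argv[1], s))
    else:                      # offline demo on the constructed data
        bands = sweep(sample_probe)
    print(bands, diagnose(bands))
```

Run it once against a host reached through the tunnel and once against the remote gateway's default gateway outside the tunnel; a `silent_drop` band that appears in both runs points at the surrounding network rather than the IPsec configuration.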
