[Openswan Users] Problems with RDP over IpSec

Gary W. Smith gary at primeexalia.com
Wed Apr 5 20:56:35 CEST 2006

I recommend that you don't worry about the MTU on the D-Link.  Tweak it
directly on the network interface on the ipsec server.  We had the same
problem (we don't control the routing equipment, just the firewall).

We added this to /etc/sysconfig/network-scripts/ifcfg-eth0:

We tried to override it in the /etc/ipsec.conf file with this:
overridemtu=1000 (original 1400, tweak down on both ends)

but it never worked.  So we manually throttled down the network
interface which causes all of the applications to automatically go down
as well.  And if I'm wrong on this, please jump in.  I'm not an expert
on TCP/IP.

> -----Original Message-----
> From: users-bounces at openswan.org [mailto:users-bounces at openswan.org]
> Behalf Of John Riley
> Sent: Wednesday, April 05, 2006 5:41 PM
> To: users at openswan.org
> Subject: Re: [Openswan Users] Problems with RDP over IpSec
> >My guess is MTU.
> >
> >
> Originally, there was a Linksys router on the remote end, and I set it
> up.  I recall having to set the MTU on it to around 1300 to get things
> to work properly.  However, that was replaced (months before the
> quit working) by the D-Link, and I had nothing to do with that (I'm
> kinda a subcontractor to the IT guys helping this client).  I
> to them that the MTU had to be set properly, and I am under the
> impression they set it and things still did not work.  I'll double
> >Try pining with a 10k packet to another node on the otherside (not
> >firewall itself) - (ping -l 10000  It'll probably drop as
> >well.  I'll take a guess that one of your lines is some type of DSL.
> >
> >
> Both ends are DSL, and one of them is very low-grade.  I did have them
> check larger ping packets a couple of weeks ago, and they were getting
> consistent drops at about 3000 bytes.
> >We have a couple nodes that are on very slow links and found that the
> >VPN was unreliable at best.  We had already tweaked down the MTU to
> >compensate to find out that one of the particular ISP's also had
> >device which chewed up another 64 bytes, requiring us to drop it down
> >like 1400 in order to make the tunnel work properly.
> >
> >Hope that helps.
> >
> >
> >
> Thanks, I'll have them revisit the MTU.  Would it be normal for a
> working system to stop?  (One theory is that the ISP might have added
> changed a device in the chain about the time the failures began).
> --
> John
> _______________________________________________
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
> Building and Integrating Virtual Private Networks with Openswan:

More information about the Users mailing list