[Openswan Users] Problems with RDP over IpSec

Andy fs at globalnetit.com
Thu Apr 6 02:10:29 CEST 2006


On Wed, 2006-04-05 at 17:00 -0400, John Riley wrote:

> Iptables on the gateway is set up to allow input and forward for all 
> packets arriving via the tunnel.  (I'm using a 2.6 kernel with netkey, 
> the packets are marked as they come in, and any marked packet gets 
> forwarded).  All packets, except 'established connections,' that are not 
> marked are logged and dropped.
> 
Do you mean you permit just "ESTABLISHED", not "RELATED,ESTABLISHED"?

If you don't permit "related", you'll drop any ICMP errors. That will
break PMTU discovery and cause just the problems you're seeing.

If you log everything that's dropped, that would show up in your logs as
ICMP type 3 (Destination Unreachable) code 4 (Fragmentation Needed and
Don't Fragment was Set).
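
The check Andy describes, as an added example that is not part of the thread: a small parser for netfilter LOG lines that flags dropped ICMP type 3 code 4 (Fragmentation Needed) messages, the signature of PMTU discovery being blackholed by a firewall that accepts only ESTABLISHED. The log lines below are constructed for the example (the `DROPPED` prefix, interfaces and addresses are made up), and the only rule fix it assumes is the one from the reply: match `RELATED,ESTABLISHED` rather than `ESTABLISHED` alone.

```python
"""Spot PMTU blackholing in iptables/netfilter LOG output.

A gateway rule such as
    iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
drops the ICMP "fragmentation needed" errors that belong to an existing
flow; the fix from the mailing-list reply is
    iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
This script finds the evidence of the problem in the drop log.
"""
from typing import Dict, List, Optional

# Constructed sample lines in the shape the netfilter LOG target writes to
# the kernel log.  Line 1 is the tell-tale drop: an ICMP 3/4 error quoting
# the original TCP packet (RDP, port 3389) and the MTU the next hop can carry.
SAMPLE_LOG = """\
Apr  6 02:10:29 gw kernel: DROPPED IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.1 DST=198.51.100.10 LEN=576 TOS=0x00 PREC=0x00 TTL=250 ID=0 DF PROTO=ICMP TYPE=3 CODE=4 [SRC=198.51.100.10 DST=203.0.113.5 LEN=1500 TOS=0x00 PREC=0x00 TTL=63 ID=4321 DF PROTO=TCP SPT=3389 DPT=49152 WINDOW=65535 RES=0x00 ACK URGP=0 ] MTU=1400
Apr  6 02:10:30 gw kernel: DROPPED IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.77 DST=198.51.100.10 LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=2 DF PROTO=TCP SPT=4444 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Apr  6 02:10:31 gw kernel: DROPPED IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.9 DST=198.51.100.10 LEN=84 TOS=0x00 PREC=0x00 TTL=55 ID=7 PROTO=ICMP TYPE=8 CODE=0 ID=1234 SEQ=1
"""


def _fields(text: str) -> Dict[str, object]:
    """Turn 'KEY=value' tokens into a dict; bare flags (DF, SYN, ACK) become True."""
    fields: Dict[str, object] = {}
    for tok in text.split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value
        else:
            fields[tok] = True
    return fields


def parse_iptables_log(line: str) -> Optional[Dict[str, object]]:
    """Parse one LOG line into its outer fields plus, for ICMP errors, the
    fields of the quoted inner packet (the bracketed part). Returns None for
    lines that are not netfilter LOG output."""
    start = line.find("IN=")
    if start < 0:
        return None
    body = line[start:]
    inner: Dict[str, object] = {}
    lb, rb = body.find("["), body.find("]")
    if 0 <= lb < rb:
        # Strip the inner packet first so its PROTO=TCP does not overwrite
        # the outer PROTO=ICMP.
        inner = _fields(body[lb + 1:rb])
        body = body[:lb] + body[rb + 1:]
    record = _fields(body)
    record["inner"] = inner
    return record


def is_frag_needed_drop(record: Dict[str, object]) -> bool:
    """True for ICMP type 3 code 4: Destination Unreachable, Fragmentation
    Needed and DF set. Dropping these is what breaks PMTU discovery."""
    return (record.get("PROTO") == "ICMP"
            and record.get("TYPE") == "3"
            and record.get("CODE") == "4")


def scan_for_pmtu_blackholing(log_text: str) -> List[Dict[str, Optional[str]]]:
    """Return one finding per dropped frag-needed error: which router sent
    it, which local host never received it, the MTU it advertised, and the
    flow whose oversized packet triggered it."""
    findings: List[Dict[str, Optional[str]]] = []
    for line in log_text.splitlines():
        record = parse_iptables_log(line)
        if record is None or not is_frag_needed_drop(record):
            continue
        inner = record["inner"]
        findings.append({
            "router": record.get("SRC"),   # hop that could not forward the packet
            "host": record.get("DST"),     # our host, which never learns the MTU
            "mtu": record.get("MTU"),      # path MTU the router advertised
            "flow": "%s %s:%s -> %s:%s" % (inner.get("PROTO"), inner.get("SRC"),
                                           inner.get("SPT"), inner.get("DST"),
                                           inner.get("DPT")),
        })
    return findings


if __name__ == "__main__":
    for f in scan_for_pmtu_blackholing(SAMPLE_LOG):
        print("PMTU blackhole: %s advertised MTU %s to %s for flow %s"
              % (f["router"], f["mtu"], f["host"], f["flow"]))
```

Run it against the real drop log (for example `journalctl -k` or `/var/log/kern.log` piped into `scan_for_pmtu_blackholing`) and any finding with a TCP flow on port 3389 inside it corresponds exactly to the RDP-over-IPsec symptom in the question: large packets with DF set die at the tunnel hop and the sending host is never told to shrink them. Once the `RELATED` state is accepted the same log should stop showing these drops.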



