[Openswan Users]
Brian Candler
B.Candler at pobox.com
Fri Apr 7 17:55:04 CEST 2006
OK, last message today, promise. It's Friday afternoon :-)
I made a one-line patch to openswan-2.4.5, and now it works. It backs out
one of the changes which was introduced between 2.4.4 and 2.4.5, the only
MTU-related one I could see:
--- openswan-2.4.5/linux/net/ipsec/ipsec_xmit.c.orig 2006-04-07 16:08:48.000000000 +0100
+++ openswan-2.4.5/linux/net/ipsec/ipsec_xmit.c 2006-04-07 16:10:40.000000000 +0100
@@ -397,7 +397,7 @@
}
ixs->physmtu = ixs->physdev->mtu;
- ixs->cur_mtu = ixs->physdev->mtu;
+ /* ixs->cur_mtu = ixs->physdev->mtu; */
ixs->stats = (struct net_device_stats *) &(ixs->prv->mystats);
return IPSEC_XMIT_OK;
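Review bot: The `+` line disables the `ixs->cur_mtu = ixs->physdev->mtu;` assignment by commenting it out and gives no reason, so `cur_mtu` is no longer set anywhere in the visible block while `ixs->physmtu` is still set from `ixs->physdev->mtu` on the line above. If the intent is that `cur_mtu` must keep a value assigned earlier (for example a lower path MTU) rather than be reset to the device MTU on each pass, delete the line and add a short comment saying so, instead of leaving dead code behind. It is also worth confirming where `cur_mtu` gets its initial value once this assignment is gone, since nothing in this hunk guarantees it is initialised before first use, and the message notes that the first packet is still sent with DF=1 and rejected.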
However I'm afraid I'm out of my depth when it comes to explaining why this
should make a difference, or what the proper fix is to the underlying issue.
Logs at the Cisco side now show the same as I described before:
- first data packet sent by openswan has DF=1, and is rejected
- subsequent packets sent by openswan have DF=0, and are accepted
Regards,
Brian.