[Openswan Users] Routing problem with NETKEY

Andy Gay andy at andynet.net
Fri Aug 4 06:32:24 EDT 2006


On Fri, 2006-08-04 at 17:25 +0200, Paul Wouters wrote:
> On Fri, 4 Aug 2006, Andy Gay wrote:
> 
> > > I did some tcpdumping, and I can
> > >
> > >  - see the esp packets coming in from eth2
> > >
> > > 19:43:46.402321 IP 27.127.49.158 > 22.236.122.253: ESP(spi=0x8b5ff54d,seq=0x76), length 468
> > >
> > >  - I can see the decrypted packets appear in eth2, with the correct
> > >    origin and destination addresses
> > >
> > > 19:43:46.402321 IP 10.10.1.1.netinfo-local > 22.236.122.1.syslog: SYSLOG daemon.notice, length: 409
> > >
> > >    - Still, these never appear in the forward chain
> > >  - and thus, I don't see them in the internal interface
> > >
> > > Except for icmp packets. They appear everywhere just like they should.
> >
> > That's why I'd suspect your iptables rules. That's really the only place
> > where packets get treated differently depending on their type.
> 
> Or it could be MTU issues.
Maybe. But that 1 example packet dump he gives us is only 468 bytes even
for the encapsulated packet. No real-world MTU is that low, is it :)
MTU problems tend to show up as connections getting set up OK but later
packets getting lost.

>  Try lowering the mtu, either on both sides, or the
> remote side (e.g. not this end), or try disabling path MTU discovery on both
> ends using: echo "0" > /proc/sys/net/ipv4/ip_no_pmtu_disc
> 
> Paul
> -- 
> Building and integrating Virtual Private Networks with Openswan:
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
> 
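The check Andy describes above (decrypted packets visible on eth2, but only the ICMP ones ever showing up on the internal interface) is easy to do by eye for one flow and tedious for a busy tunnel. The following is an added example, not code from the thread or from Openswan: it parses tcpdump lines of the shape shown in the thread, takes the non-ESP packets seen on the external interface as the decrypted traffic NETKEY re-injects there, and reports which of those flows never reach the internal interface, grouped by protocol. The two captures are constructed sample data reusing the thread's addresses (the outbound SPI and the ICMP id are made up), and the token-to-protocol map is this example's own assumption about tcpdump's first payload token.

```python
import re
from collections import defaultdict

# Shape of tcpdump's IPv4 summary lines: "<time> IP <src> > <dst>: <rest>"
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+IP\s+(?P<src>\S+)\s+>\s+(?P<dst>\S+):\s+(?P<rest>.*)$")
LENGTH_RE = re.compile(r"length:?\s+(\d+)")

# tcpdump names the payload by its first token. This map is an assumption of
# this example (not tcpdump output): it folds application decoders such as
# SYSLOG back onto the transport protocol so flows can be grouped by type.
PROTO_BY_TOKEN = {"ESP": "ESP", "ICMP": "ICMP", "UDP,": "UDP",
                  "SYSLOG": "UDP", "NTPv4,": "UDP", "Flags": "TCP"}


def split_host(field):
    """'10.10.1.1.syslog' -> ('10.10.1.1', 'syslog'); bare addresses get port None."""
    parts = field.split(".")
    if len(parts) == 5:
        return ".".join(parts[:4]), parts[4]
    return field, None


def parse_line(line):
    """Return a dict for one tcpdump line, or None for lines of another shape."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    src, sport = split_host(m.group("src"))
    dst, dport = split_host(m.group("dst"))
    rest = m.group("rest")
    token = rest.split("(", 1)[0].split()[0]        # "ESP(spi=...)" -> "ESP"
    proto = PROTO_BY_TOKEN.get(token, token.rstrip(","))
    length = LENGTH_RE.search(rest)
    return {"ts": m.group("ts"), "src": src, "sport": sport, "dst": dst,
            "dport": dport, "proto": proto,
            "length": int(length.group(1)) if length else None}


def flow_key(pkt):
    return (pkt["src"], pkt["dst"], pkt["proto"])


def find_unforwarded(outer_capture, inner_capture):
    """Decrypted flows seen on the outer interface that never appear on the inner one."""
    outer = [p for p in map(parse_line, outer_capture.splitlines()) if p]
    inner = [p for p in map(parse_line, inner_capture.splitlines()) if p]
    inner_flows = {flow_key(p) for p in inner}
    plaintext = [p for p in outer if p["proto"] != "ESP"]   # re-injected after decryption
    missing = defaultdict(set)
    for p in plaintext:
        if flow_key(p) not in inner_flows:
            missing[p["proto"]].add((p["src"], p["dst"]))
    return {
        "esp_packets": sum(1 for p in outer if p["proto"] == "ESP"),
        "plaintext_packets_on_outer": len(plaintext),
        "missing": {proto: sorted(flows) for proto, flows in missing.items()},
    }


# Constructed sample captures (addresses from the thread; SPI 0x1a2b3c4d and the
# ICMP id are invented for the example).
OUTER_CAPTURE = """
19:43:46.402321 IP 27.127.49.158 > 22.236.122.253: ESP(spi=0x8b5ff54d,seq=0x76), length 468
19:43:46.402321 IP 10.10.1.1.netinfo-local > 22.236.122.1.syslog: SYSLOG daemon.notice, length: 409
19:43:47.100210 IP 27.127.49.158 > 22.236.122.253: ESP(spi=0x8b5ff54d,seq=0x77), length 116
19:43:47.100210 IP 10.10.1.1 > 22.236.122.1: ICMP echo request, id 4321, seq 1, length 64
19:43:47.100555 IP 22.236.122.1 > 10.10.1.1: ICMP echo reply, id 4321, seq 1, length 64
19:43:47.100600 IP 22.236.122.253 > 27.127.49.158: ESP(spi=0x1a2b3c4d,seq=0x12), length 116
"""
INNER_CAPTURE = """
19:43:47.100300 IP 10.10.1.1 > 22.236.122.1: ICMP echo request, id 4321, seq 1, length 64
19:43:47.100400 IP 22.236.122.1 > 10.10.1.1: ICMP echo reply, id 4321, seq 1, length 64
"""

if __name__ == "__main__":
    report = find_unforwarded(OUTER_CAPTURE, INNER_CAPTURE)
    for proto, flows in report["missing"].items():
        for src, dst in flows:
            print(f"{proto}: {src} -> {dst} decrypted on outer interface, never seen on inner")
```

On the sample data the only unforwarded flow is the UDP syslog one, while ICMP shows up on both sides; a result that splits cleanly by protocol like this points at a rule that matches on protocol or port, so the next thing to compare is the per-rule packet counters of the FORWARD chain while the same traffic is replayed.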