[Openswan Users] unreachable - need to frag

Brian Sheets brians at fl240.com
Sat Aug 5 01:58:30 EDT 2006 

The thing is, I have the same configuration coming from my home
netscreen, so If the firewall was having problems with the office,
wouldn't have problems with my home as well?


Brian

-----Original Message-----
From: users-bounces at openswan.org [mailto:users-bounces at openswan.org] On
Behalf Of ted leslie
Sent: Friday, August 04, 2006 10:58 PM
To: users at openswan.org
Subject: Re: [Openswan Users] unreachable - need to frag

i ran into something similar,
and the frag or packeting info messages have to be able to pass throught
the fw rules,
hence the below.
see if your iptables is complaining.
I added the stuff below (or atleast some of it) and problem solved.
(iptables was logging an exception, i just didnt pick it up right away,
becasue 
the rejection message wasn't very detailed).
This might not be your sol'n but it sounds like it could be, or
something along these lines.

iptables -A OUTPUT -p icmp --icmp-type 0/0 -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type 8/0 -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type 3 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 0/0 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 8/0 -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type 0/0 -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type 8/0 -j ACCEPT


-tl

On Fri, 4 Aug 2006 22:26:54 -0700
"Brian Sheets" <brians at fl240.com> wrote:

> Hi, weird problem
> 
>  
> 
> If I ssh/scp from net A to net B larger transmissions hang the
> connection, when I ssh/scp from net B to net A there is no problem.
> 
>  
> 
> The tcpdump yields unreachable - need to frag messages. 
> 
>  
> 
> Net A is behind the openswan connection net B is behind a netscreen
5gt,
> I have an identical configuration from my home, which is behind a
> netscreen 5gt to the openswan and it works fine in both directions.
> 
>  
> 
> Any help?
> 
>  
> 
> Thanks
> 
>  
> 
> Brian
> 
> 
_______________________________________________
Users at openswan.org
http://lists.openswan.org/mailman/listinfo/users
Building and Integrating Virtual Private Networks with Openswan: 
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155

More information about the Users mailing list