[Openswan Users] unreachable - need to frag

Brian Sheets brians at fl240.com
Sat Aug 5 02:28:54 EDT 2006

Sat Aug  5 05:55:03 GMT 2006
+ _________________________ version
+ ipsec --version
Linux Openswan U2.2.0/K2.6.8-2-386 (native)
See `ipsec --copyright' for copyright information.
+ _________________________ proc/version
+ cat /proc/version
Linux version 2.6.8-2-386 (horms at tabatha.lab.ultramonkey.org) (gcc
version 3.3.5
 (Debian 1:3.3.5-13)) #1 Tue Aug 16 12:46:35 UTC 2005

I'm not sure how to figure out if it's netkey or Klips


-----Original Message-----
From: Cameron Davidson [mailto:cam73 at aanet.com.au] 
Sent: Saturday, August 05, 2006 7:02 AM
To: Brian Sheets; users at openswan.org
Subject: Re: [Openswan Users] unreachable - need to frag

Brian Sheets wrote:
> Hi, weird problem
> If I ssh/scp from net A to net B larger transmissions hang the
> connection, when I ssh/scp from net B to net A there is no problem.

> The tcpdump yields unreachable - need to frag messages. 

> Net A is behind the openswan connection net B is behind a netscreen
> I have an identical configuration from my home, which is behind a
> netscreen 5gt to the openswan and it works fine in both directions.

Are the ICMP need frag in response to the ESP and/or the tunnelled
Normally the firewall should be allowing them as part of 
established/related rules.

Which versions of kernel, Openswan? Using netkey or Klips?


More information about the Users mailing list