[Openswan Users] unreachable - need to frag

Brian Sheets brians at fl240.com
Sat Aug 5 03:11:18 EDT 2006


A little more information, my home and the office are behind netscreen
5gt's, my home is Verizon FIOS, I don't know who the office, I think
it's a 

Sat Aug  5 05:55:03 GMT 2006
+ _________________________ version
+ ipsec --version
Linux Openswan U2.2.0/K2.6.8-2-386 (native)
See `ipsec --copyright' for copyright information.
+ _________________________ proc/version
+ cat /proc/version
Linux version 2.6.8-2-386 (horms at tabatha.lab.ultramonkey.org) (gcc
version 3.3.5
 (Debian 1:3.3.5-13)) #1 Tue Aug 16 12:46:35 UTC 2005

>From my home network 

brians at oahu 364 $ ping -s 1473
PING 1473 data bytes
1481 bytes from icmp_seq=0. time=57.1 ms

On the openswan

14:45:35.766143 IP > icmp 1480: echo
request seq 1
14:45:35.766147 IP > icmp

brians at oahu 365 $ ping -s 1472
PING 1472 data bytes
1480 bytes from icmp_seq=0. time=56.3 ms

14:45:53.566004 IP > icmp 1479: echo
request seq 0

So it seems that from my home network, the packets are properly being

>From the office network

[root at pbx ~]# ping -M do -s 1419
PING ( 1419(1447) bytes of data.

On the openswan box

15:04:04.096810 IP > icmp 1427: echo
request seq 1
15:04:04.097920 IP gateway1.mxpath.net > icmp 556: unreachable - need to frag (mtu 1500)

[root at pbx ~]# ping -M do -s 1418
PING ( 1418(1446) bytes of data.
1426 bytes from icmp_seq=0 ttl=62 time=41.0 ms

15:04:10.092349 IP > icmp 1426: echo
request seq 0

I hope this helps.


-----Original Message-----
From: Cameron Davidson [mailto:cam73 at aanet.com.au] 
Sent: Saturday, August 05, 2006 7:02 AM
To: Brian Sheets; users at openswan.org
Subject: Re: [Openswan Users] unreachable - need to frag

Brian Sheets wrote:
> Hi, weird problem
> If I ssh/scp from net A to net B larger transmissions hang the
> connection, when I ssh/scp from net B to net A there is no problem.

> The tcpdump yields unreachable - need to frag messages. 

> Net A is behind the openswan connection net B is behind a netscreen
> I have an identical configuration from my home, which is behind a
> netscreen 5gt to the openswan and it works fine in both directions.

Are the ICMP need frag in response to the ESP and/or the tunnelled
Normally the firewall should be allowing them as part of 
established/related rules.

Which versions of kernel, Openswan? Using netkey or Klips?


More information about the Users mailing list