[Openswan Users] unreachable - need to frag

Brian Sheets brians at fl240.com
Sat Aug 5 03:11:18 EDT 2006


Ok, 

A little more information: my home and the office are both behind Netscreen 5GTs. My home is on Verizon FIOS; I don't know who the office uses, I think it's a T1.

gateway1
Sat Aug  5 05:55:03 GMT 2006
+ _________________________ version
+ ipsec --version
Linux Openswan U2.2.0/K2.6.8-2-386 (native)
See `ipsec --copyright' for copyright information.
+ _________________________ proc/version
+ cat /proc/version
Linux version 2.6.8-2-386 (horms at tabatha.lab.ultramonkey.org) (gcc version 3.3.5 (Debian 1:3.3.5-13)) #1 Tue Aug 16 12:46:35 UTC 2005

From my home network:

brians at oahu 364 $ ping -s 10.200.200.10 1473
PING 10.200.200.10: 1473 data bytes
1481 bytes from 10.200.200.10: icmp_seq=0. time=57.1 ms

On the openswan

14:45:35.766143 IP 192.168.23.27 > 10.200.200.10: icmp 1480: echo request seq 1
14:45:35.766147 IP 192.168.23.27 > 10.200.200.10: icmp

And
brians at oahu 365 $ ping -s 10.200.200.10 1472
PING 10.200.200.10: 1472 data bytes
1480 bytes from 10.200.200.10: icmp_seq=0. time=56.3 ms

14:45:53.566004 IP 192.168.23.27 > 10.200.200.10: icmp 1479: echo request seq 0

So it seems that from my home network, the packets are properly being fragmented.

From the office network:

[root at pbx ~]# ping -M do -s 1419 10.200.200.10
PING 10.200.200.10 (10.200.200.10) 1419(1447) bytes of data.

On the openswan box

15:04:04.096810 IP 192.168.21.11 > 10.200.200.10: icmp 1427: echo request seq 1
15:04:04.097920 IP gateway1.mxpath.net > 192.168.21.11: icmp 556: 10.200.200.10 unreachable - need to frag (mtu 1500)

[root at pbx ~]# ping -M do -s 1418 10.200.200.10
PING 10.200.200.10 (10.200.200.10) 1418(1446) bytes of data.
1426 bytes from 10.200.200.10: icmp_seq=0 ttl=62 time=41.0 ms

15:04:10.092349 IP 192.168.21.11 > 10.200.200.10: icmp 1426: echo request seq 0

I hope this helps.

Brian


-----Original Message-----
From: Cameron Davidson [mailto:cam73 at aanet.com.au] 
Sent: Saturday, August 05, 2006 7:02 AM
To: Brian Sheets; users at openswan.org
Subject: Re: [Openswan Users] unreachable - need to frag

Brian Sheets wrote:
> Hi, weird problem
> 
> If I ssh/scp from net A to net B, larger transmissions hang the
> connection; when I ssh/scp from net B to net A there is no problem.
> 
> The tcpdump yields unreachable - need to frag messages.
> 
> Net A is behind the openswan connection, net B is behind a netscreen 5gt.
> I have an identical configuration from my home, which is behind a
> netscreen 5gt, to the openswan and it works fine in both directions.

Are the ICMP need frag messages in response to the ESP and/or the tunnelled packets? Normally the firewall should be allowing them as part of established/related rules.

Which versions of kernel, Openswan? Using netkey or Klips?

Cameron.
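The numbers in the thread above show why the boundary sits where it does: the office box gets an echo reply for a 1446-byte inner packet (1418 data + 8 ICMP + 20 IP) and a "need to frag" for 1447. An ESP tunnel-mode packet carries its inner packet plus an outer IP header, the ESP header, the cipher IV, block padding, the two-byte ESP trailer and the ICV, so the largest inner packet that fits a 1500-byte path MTU is well below 1500. The following is an added example written for this page, not code from either poster or from Openswan; the cipher and integrity transforms it takes as input are assumptions for illustration, since the thread never says which ones the tunnel negotiated. It computes the ESP overhead for a given transform set and parses tcpdump "need to frag" lines in the format quoted above (the sample lines are constructed in that format).

```python
"""ESP tunnel-mode MTU arithmetic plus a parser for tcpdump 'need to frag' lines.

Added example for this thread; not code from the original posts or from
Openswan. The cipher/auth parameters are assumptions for illustration: the
thread does not say which transforms the tunnel negotiated.
"""
import re

OUTER_IP_HDR = 20      # outer IPv4 header added by tunnel mode
ESP_HDR = 8            # SPI (4) + sequence number (4)
ESP_TRAILER = 2        # pad length (1) + next header (1)
NAT_T_UDP = 8          # UDP header when NAT-traversal encapsulation is in use

# (IV length, cipher block size) for common ESP ciphers
CIPHERS = {
    "3des-cbc": (8, 8),
    "aes-cbc": (16, 16),
    "null": (0, 4),     # ESP still requires 4-byte alignment with no cipher
}

# ICV length for common ESP integrity algorithms
AUTHS = {
    "hmac-md5-96": 12,
    "hmac-sha1-96": 12,
    "hmac-sha2-256-128": 16,
    "none": 0,
}


def esp_packet_size(inner_len, cipher, auth, nat_t=False):
    """Bytes on the wire for an ESP tunnel-mode packet carrying an inner_len-byte inner IP packet."""
    iv_len, block = CIPHERS[cipher]
    # Inner packet + trailer are encrypted together and padded up to a whole block.
    padded = -(-(inner_len + ESP_TRAILER) // block) * block
    size = OUTER_IP_HDR + ESP_HDR + iv_len + padded + AUTHS[auth]
    if nat_t:
        size += NAT_T_UDP
    return size


def max_inner_len(path_mtu, cipher, auth, nat_t=False):
    """Largest inner IP packet whose ESP encapsulation still fits in path_mtu."""
    # Padding makes this a step function, so search rather than subtract.
    for n in range(path_mtu, 0, -1):
        if esp_packet_size(n, cipher, auth, nat_t) <= path_mtu:
            return n
    raise ValueError("path MTU too small for any payload")


# tcpdump's ICMP unreachable / fragmentation-needed line, as quoted in the thread
NEED_FRAG_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): icmp \d+: "
    r"(?P<orig_dst>\S+) unreachable - need to frag \(mtu (?P<mtu>\d+)\)"
)


def parse_need_frag(lines):
    """Return (sender, original destination, advertised MTU) for each 'need to frag' line."""
    found = []
    for line in lines:
        m = NEED_FRAG_RE.match(line.strip())
        if m:
            found.append((m["src"], m["orig_dst"], int(m["mtu"])))
    return found


# Constructed sample lines in the same format as the tcpdump output quoted above.
SAMPLE = [
    "15:04:04.096810 IP 192.168.21.11 > 10.200.200.10: icmp 1427: echo request seq 1",
    "15:04:04.097920 IP gateway1.mxpath.net > 192.168.21.11: icmp 556: "
    "10.200.200.10 unreachable - need to frag (mtu 1500)",
    "15:04:10.092349 IP 192.168.21.11 > 10.200.200.10: icmp 1426: echo request seq 0",
]

if __name__ == "__main__":
    for cipher in ("3des-cbc", "aes-cbc"):
        print(cipher, "largest inner packet for a 1500-byte path:",
              max_inner_len(1500, cipher, "hmac-sha1-96"))
    for src, orig_dst, mtu in parse_need_frag(SAMPLE):
        print(f"{src} says {orig_dst} needs fragmentation, advertised mtu {mtu}")
```

With 3DES-CBC and a 96-bit HMAC the computed limit for a 1500-byte path is 1446 bytes of inner packet (1447 pads up to another 8-byte block and overflows to 1504), which is the same boundary the office ping output above lands on; with AES-CBC the limit drops to 1438, and NAT-T costs a further 8 bytes. One thing worth noticing in the quoted tcpdump line: the advertised MTU (1500) is larger than the 1447-byte packet that triggered it, so a sender doing RFC 1191 path MTU discovery learns nothing it can lower its estimate to from that message.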
