[Openswan Users] unreachable - need to frag

Paul Overton paul at trusted-management.com
Tue Aug 8 08:43:29 EDT 2006


I had a problem with one of our business centres, where the site
firewall would not allow fragments to pass at all. 

The solution (eventually) was to use the following command in the
ipsec.conf to force a maximum internal MTU.          

overridemtu=1424

The figure was first calculated and then tested empirically, although
you should not assume that this value is good for all networks.

All the internal machines quite happily use PMTU and to date the
problems have not returned.
 
Regards

--
Paul Overton
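As an added illustration of the arithmetic behind a setting like overridemtu (this is not code from the thread or from Openswan; the cipher, IV, ICV and TCP option sizes below are assumptions, and the sample lines are constructed from the tcpdump output quoted later in the thread), the following script parses the "need to frag" ICMP and the TCP segment lengths from tcpdump-style lines, computes the size of each datagram once ESP tunnel encapsulation is added, and derives the largest inner MTU that still fits the outer path MTU without fragmentation:

```python
import re
from dataclasses import dataclass

# Sample tcpdump lines, constructed from the captures quoted in this thread.
SAMPLE_LINES = [
    "18:48:49.535015 IP 192.168.23.27.ssh > 10.200.200.10.54855: . "
    "76365:77657(1292) ack 1346 win 50388 <nop,nop,timestamp 118421258 199723391>",
    "18:50:42.707862 IP 192.168.21.11.ssh > 10.200.200.10.54857: . "
    "1600:3048(1448) ack 1314 win 1752 <nop,nop,timestamp 633033311 199734576>",
    "18:50:42.708554 IP gateway1.mxpath.net > 192.168.21.11: icmp 556: "
    "10.200.200.10 unreachable - need to frag (mtu 1500)",
]

SEG_RE = re.compile(r"(\d+):(\d+)\((\d+)\)")          # seq:seq(payload_len)
FRAG_RE = re.compile(r"need to frag \(mtu (\d+)\)")   # ICMP type 3 code 4

# Assumed header sizes: IPv4 without options, TCP with the
# nop,nop,timestamp option that the captured segments carry.
IP_HDR = 20
TCP_HDR = 20
TCP_TS_OPT = 12
ESP_HDR = 8          # SPI + sequence number
ESP_TRAILER = 2      # pad length + next header
NATT_UDP_HDR = 8     # only present with NAT traversal


@dataclass(frozen=True)
class EspParams:
    """Assumed transform parameters; real values depend on the negotiated SA."""
    iv_len: int
    block: int
    icv_len: int
    natt_udp: bool = False


AES_SHA1 = EspParams(iv_len=16, block=16, icv_len=12)   # AES-CBC + HMAC-SHA1-96
TDES_MD5 = EspParams(iv_len=8, block=8, icv_len=12)     # 3DES-CBC + HMAC-MD5-96


def esp_tunnel_size(inner_len: int, p: EspParams) -> int:
    """Outer IPv4 datagram size after ESP tunnel-mode encapsulation."""
    payload = inner_len + ESP_TRAILER
    padded = -(-payload // p.block) * p.block      # pad up to cipher block size
    size = IP_HDR + ESP_HDR + p.iv_len + padded + p.icv_len
    if p.natt_udp:
        size += NATT_UDP_HDR
    return size


def max_inner_mtu(path_mtu: int, p: EspParams) -> int:
    """Largest inner datagram that still fits the outer path MTU unfragmented."""
    n = path_mtu
    while n > 0 and esp_tunnel_size(n, p) > path_mtu:
        n -= 1
    return n


def parse_tcpdump(lines):
    """Yield ('segment', payload, datagram_len) or ('need_frag', mtu) events."""
    events = []
    for line in lines:
        m = FRAG_RE.search(line)
        if m:
            events.append(("need_frag", int(m.group(1))))
            continue
        m = SEG_RE.search(line)
        if m:
            payload = int(m.group(3))
            events.append(("segment", payload, IP_HDR + TCP_HDR + TCP_TS_OPT + payload))
    return events


def oversized_datagrams(lines, path_mtu: int, p: EspParams):
    """Datagram sizes that would not fit the path MTU once ESP-encapsulated."""
    return [ev[2] for ev in parse_tcpdump(lines)
            if ev[0] == "segment" and esp_tunnel_size(ev[2], p) > path_mtu]


if __name__ == "__main__":
    for ev in parse_tcpdump(SAMPLE_LINES):
        print(ev)
    for name, p in (("AES-SHA1", AES_SHA1), ("3DES-MD5", TDES_MD5)):
        print(name, "max inner MTU for a 1500-byte path:", max_inner_mtu(1500, p))
    print("datagrams needing fragmentation:", oversized_datagrams(SAMPLE_LINES, 1500, AES_SHA1))
```

The 1500-byte datagram from the office host is exactly the outer link MTU, so with any ESP overhead added it must either be fragmented or, with DF set, trigger the "need to frag" ICMP seen in the capture; when a firewall drops fragments and the ICMP never reaches the sender, the connection simply stalls. The calculated inner MTU varies with cipher, integrity algorithm and NAT traversal, which is why a value such as the 1424 quoted above has to be confirmed empirically on the network in question.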

-----Original Message-----
From: users-bounces at openswan.org [mailto:users-bounces at openswan.org] On
Behalf Of rbeaver at singlefin.net
Sent: 06 August 2006 16:45
To: Brian Sheets; Paul Wouters
Cc: Galen Richards; users at openswan.org
Subject: Re: [Openswan Users] unreachable - need to frag

I'm pretty sure if you reduce it on the internal interface of the ns5gt
then it will handle breaking up the packets; that way you don't have to
touch each machine.


Robert Beaver
Singlefin Infrastructure team
rbeaver at singlefin.net 


-----Original Message-----
From: "Brian Sheets" <brians at fl240.com>
Date: Sat, 5 Aug 2006 22:15:47
To:"Paul Wouters" <paul at xelerance.com>
Cc:"Galen Richards"
<grichards at singlefin.net>,<rbeaver at singlefin.net>,<users at openswan.org>
Subject: RE: [Openswan Users] unreachable - need to frag

I reduced the MTU on a couple of systems and it resolved the problem, so
now I need to figure out how to do it for the whole office without
changing every box in the office.

Brian


-----Original Message-----
From: users-bounces at openswan.org [mailto:users-bounces at openswan.org] On
Behalf Of Brian Sheets
Sent: Saturday, August 05, 2006 11:54 AM
To: Paul Wouters
Cc: Galen Richards; rbeaver at singlefin.net; users at openswan.org
Subject: RE: [Openswan Users] unreachable - need to frag

I'm not sure I understand this

When I scp a file from my home system, behind the netscreen, 

18:48:49.535015 IP 192.168.23.27.ssh > 10.200.200.10.54855: .
76365:77657(1292) ack 1346 win 50388 <nop,nop,timestamp 118421258
199723391>

It appears that the packet size is 1292

When I do the same thing from my office site

18:50:42.707862 IP 192.168.21.11.ssh > 10.200.200.10.54857: .
1600:3048(1448) ack 1314 win 1752 <nop,nop,timestamp 633033311
199734576>
18:50:42.708554 IP gateway1.mxpath.net > 192.168.21.11: icmp 556:
10.200.200.10 unreachable - need to frag (mtu 1500)

The MTU on the netscreen at my home has defaulted to 1492, and the one at
the office is 1500; that's the only difference I can see.

In addition, the box at home is a Solaris box, the box at the office is
a Debian box. BTW, I can duplicate this from any box behind the openswan
to any box behind the office netscreen, so I know that it's independent of
any client system.

Who is driving the packet size, why is the packet coming from my home
1292?

-----Original Message-----
From: Paul Wouters [mailto:paul at xelerance.com]
Sent: Saturday, August 05, 2006 9:11 AM
To: Brian Sheets
Cc: cam73 at aanet.com.au; users at openswan.org
Subject: RE: [Openswan Users] unreachable - need to frag

On Sat, 5 Aug 2006, Brian Sheets wrote:

> Linux Openswan U2.2.0/K2.6.8-2-386 (native)

Both openswan and kernel need an update. Any kernel when using netkey
('native') older than 2.6.11 should be avoided due to missing MTU related
patches.

This includes the 2.6.9 based RHEL4 kernel unfortunately

Paul




