[Openswan Users] MTU issue

MarekGreško gresko at thr.sk
Thu Aug 10 11:59:29 EDT 2006


I have a problem while using IPsec.

My setup is a network tunnel between two networks, let them call A and B. They 
are protected by the gateways A and B with IP's pA and pB (public addresses) 
and sA, sB (private addresses). MTU of pA interface is 1460, pB 1492. Gateway 
A is a FC5 (latest updates), gateway B is a FC4 (latest updates) - oth using 
netkey. On both gateways the source ip's are set to sA and sB respectively.

When I try to scp a file from sB to sA, it hangs. Router B gets the frag 
needed icmp message, but it does nothing. ICMP frag needed is surely allowed 
in the firewall. Is the a known bug in that sense?

When I try

iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN \
                -j TCPMSS --clamp-mss-to-pmtu

on Router A it seems to help. It is still not well tested if it helps 
definitely. But this solution does not help for UDP traffic.

Is there some "correct" solutionm for this? Is it a kernel bug? What is 
happening there?

Thank you

Marek Greško
systémový administrátor
THR Systems, a. s.

More information about the Users mailing list