[Openswan Users] MTU issue
Marek Greško
gresko at thr.sk
Thu Aug 10 11:59:29 EDT 2006
Hello,
I have a problem while using IPsec.
My setup is a network tunnel between two networks, let us call them A and B. They
are protected by the gateways A and B with IPs pA and pB (public addresses)
and sA, sB (private addresses). MTU of pA interface is 1460, pB 1492. Gateway
A is a FC5 (latest updates), gateway B is a FC4 (latest updates) - both using
netkey. On both gateways the source IPs are set to sA and sB respectively.
When I try to scp a file from sB to sA, it hangs. Router B gets the frag
needed icmp message, but it does nothing. ICMP frag needed is surely allowed
in the firewall. Is there a known bug in that sense?
When I try

    iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN \
        -j TCPMSS --clamp-mss-to-pmtu

on Router A it seems to help. It is still not well tested if it helps
definitely. But this solution does not help for UDP traffic.
Is there some "correct" solution for this? Is it a kernel bug? What is
happening there?
Thank you
--
Marek Greško
System administrator
THR Systems, a. s.