[Openswan Users] icmp error messages and IPSec-Tunnels

Paul Wouters paul at xelerance.com
Thu Feb 16 17:28:29 CET 2006


On Wed, 15 Feb 2006, Frank.Mayer at knapp-systems.com wrote:

> I have the following problem:
> for some of my IPSec-Tunnels, my gateway needs to send messages like "host
> unreachable: fragmentation needed" to both machines communicating via
> these specific tunnels.
> The icmp packets being sent to the remote network (across the tunnel),
> however, get generated with the gateway's public IP address, and therefore
> never arrive at the target machine.
>
> I did already try to SNAT these packets, but it looks like they do not
> even enter the POSTROUTING-chain of iptables!
>
> Does anyone have any idea on how to handle this?

Make sure fragmentation does not happen. Change the mtu values on the
servers involved (eg ethX on openswan, pppX on l2tpd/ppp, ipsecX when using
klips).

You can also try tcp clamping to fix tcp connections, but that would still
leave udp broken.

Paul
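As an added example (not part of the original thread, and not Openswan's own tooling), the following POSIX shell script works out a tunnel MTU that leaves room for ESP overhead, derives the matching TCP MSS clamp that Paul mentions, and prints the `ip` / `iptables` commands plus a don't-fragment ping to verify the result. The 1500-byte link MTU, the interface names (ipsec0 etc.), the peer address and the per-packet overhead constants are assumptions; adjust them for your link and cipher suite.

```sh
#!/bin/sh
# Added example: size the tunnel MTU so ESP packets never need fragmenting,
# then clamp TCP MSS to match. Interface names, link MTU and overhead values
# below are assumptions, not values from the original thread.

# Execute the command when APPLY=1, otherwise just print it (dry run).
run() {
    if [ "${APPLY:-0}" = "1" ]; then eval "$1"; else echo "$1"; fi
}

# Worst-case IPsec overhead per packet, in bytes (assumed AES-CBC + HMAC-SHA1):
#   20 outer IPv4 header + 8 ESP header (SPI, seq) + 16 IV
#   + 15 max padding + 2 pad-length/next-header + 12 ICV = 73
#   + 8 more when NAT-T UDP encapsulation is in use.
ipsec_overhead() {
    if [ "$1" = "natt" ]; then echo 81; else echo 73; fi
}

# Tunnel MTU = link MTU minus overhead, rounded down to a multiple of 8
# (the IP fragment boundary), so the inner interface never emits a packet
# that the outer link has to fragment.
tunnel_mtu() {
    ovh=$(ipsec_overhead "$2")
    echo $(( ($1 - ovh) / 8 * 8 ))
}

# TCP MSS = MTU minus 20-byte IPv4 header minus 20-byte TCP header.
tcp_mss() {
    echo $(( $1 - 40 ))
}

# Path-MTU check: a DF-marked ping whose payload exactly fills the tunnel
# MTU (28 = 20 IP + 8 ICMP header). Any "Frag needed" reply means the MTU
# is still too large for the path.
verify_cmd() {
    echo "ping -M do -c 3 -s $(( $1 - 28 )) $2"
}

# Lower the MTU of the tunnel-facing interface and clamp MSS on SYNs leaving
# through it. The clamp only helps TCP; UDP relies on the MTU change alone,
# which is the point made in the reply above.
apply_mtu_and_clamp() {
    iface=$1; link_mtu=$2; mode=$3; peer=$4
    mtu=$(tunnel_mtu "$link_mtu" "$mode")
    mss=$(tcp_mss "$mtu")
    run "ip link set dev $iface mtu $mtu"
    run "iptables -t mangle -A FORWARD -o $iface -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss $mss"
    run "$(verify_cmd "$mtu" "$peer")"
}

# Dry run for a KLIPS-style ipsec0 interface behind a 1500-byte link,
# plain ESP (no NAT-T), peer address 192.0.2.10 (a documentation address).
apply_mtu_and_clamp ipsec0 1500 esp 192.0.2.10
```

Run it as-is to see the commands it would issue; set `APPLY=1` and run as root to apply them. For NAT-T tunnels pass `natt` as the third argument so the extra UDP header is accounted for.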

