Reply: Re: [Openswan Users] icmp error messages and IPSec-Tunnels
Frank.Mayer at knapp-systems.com
Fri Feb 17 10:24:07 CET 2006
Paul Wouters <paul at xelerance.com> wrote on 16.02.2006 17:28:29:
> On Wed, 15 Feb 2006, Frank.Mayer at knapp-systems.com wrote:
>
> > I have the following problem:
> > for some of my IPSec-Tunnels, my gateway needs to send messages like "host
> > unreachable: fragmentation needed" to both machines communicating via
> > these specific tunnels.
> > The icmp packets being sent to the remote network (across the tunnel),
> > however, get generated with the gateway's public IP address, and therefore
> > never arrive at the target machine.
> >
> > I did already try to SNAT these packets, but it looks like they do not
> > even enter the POSTROUTING-chain of iptables!
> >
> > Does anyone have any idea on how to handle this?
>
> Make sure fragmentation does not happen. Change the mtu values on the
> servers involved (eg ethX on openswan, pppX on l2tpd/ppp, ipsecX when using
> klips).
>
> You can also try tcp clamping to fix tcp connections, but that would still
> leave udp broken.
>
> Paul
Thanks for your input, but...
a) only one of the gateways is under my control
b) reducing the mtu of the interface would not only influence this one
connection but about 100 others as well

Yesterday, I learned about the TCPMSS-Target in iptables, which seems to
help at least for TCP-connections with MTU-problems.
UDP will remain a problem, though, as will other messages I'd like to
cross the tunnels like "network-prohibited" and so on.
I'll try to check whether e.g. a Cisco router would behave similarly, as I
have time.

All in all, this seems to me a problem of either the IP-stack-implementation
or the implementation of iptables, or both. Looks like I will have to live
with some limitations for the time being.
I do program, occasionally, but not at kernel level, so writing my own
patch is beyond me ;-(

Thanks nonetheless!

Best Regards,
Frank
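As an added illustration of the ICMP "fragmentation needed" messages and the MSS clamping discussed in this thread (example code written for this page, not from the list, Openswan or iptables): it parses an RFC 1191 ICMP type 3 code 4 message to recover the next-hop MTU the gateway advertises, validates the checksum, and computes the MSS a TCPMSS-style clamp would need for a given path MTU. The esp_overhead parameter and the sample datagram are assumed, constructed values, not figures from the thread.

```python
import struct

ICMP_DEST_UNREACH = 3   # ICMP type: Destination Unreachable
ICMP_FRAG_NEEDED = 4    # code: fragmentation needed and DF set (RFC 1191)


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over an ICMP message.
    A message carrying a correct checksum sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_frag_needed(icmp: bytes):
    """Return the next-hop MTU from an ICMP 'fragmentation needed' message,
    or None if the bytes are too short, corrupt, or some other ICMP type.
    The MTU lives in bytes 6-7 of the ICMP header (RFC 1191, section 4)."""
    if len(icmp) < 8 or inet_checksum(icmp) != 0:
        return None
    icmp_type, code, _csum, _unused, mtu = struct.unpack("!BBHHH", icmp[:8])
    if icmp_type != ICMP_DEST_UNREACH or code != ICMP_FRAG_NEEDED:
        return None
    return mtu


def build_frag_needed(mtu: int, original_datagram: bytes) -> bytes:
    """Constructed sample: the message a router emits when a DF packet does
    not fit. It quotes the offending IP header plus 8 payload bytes (28 bytes
    for a header without options) after the 8-byte ICMP header."""
    head = struct.pack("!BBHHH", ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, 0, 0, mtu)
    body = head + original_datagram[:28]
    csum = inet_checksum(body)
    return body[:2] + struct.pack("!H", csum) + body[4:]


def clamp_mss(path_mtu: int, esp_overhead: int = 0) -> int:
    """MSS to advertise so a full TCP segment, once ESP-encapsulated, still
    fits the path MTU: subtract the IPv4 (20) and TCP (20) headers, as
    iptables' TCPMSS --clamp-mss-to-pmtu does, plus an assumed per-tunnel
    ESP overhead (header, IV, padding, ICV) that varies by cipher suite."""
    return path_mtu - esp_overhead - 20 - 20


if __name__ == "__main__":
    # Constructed datagram: minimal IPv4 header (version 4, IHL 5) + payload
    sample = b"\x45" + b"\x00" * 19 + b"\x01" * 16
    msg = build_frag_needed(1400, sample)
    print("advertised MTU:", parse_frag_needed(msg))       # 1400
    print("MSS for MTU 1400, no ESP:", clamp_mss(1400))    # 1360
```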