[Openswan Users] Re: MTU problems

Peter Farrow peter at farrows.org
Mon Jun 12 16:19:48 CEST 2006

Hi there,

This only became a problem when I went to Openswan from Freeswan, 
previously when using freeswan on RedHat 9 the problem never arose, the 
only change was to Centos 4.3 and Openswan.

In fact, I know it's not any of the ADSL or SDSL routers in the path 
between the sites, because if I do a simple port forward on 3389 to one 
of the internal servers (for terminal services) I can connect reliably 
and ok across the net - yet if I go through the tunnel without MTU'ing 
all machines for terminal services it is unreliable and disconnects 
frequently.  Going through a RedHat 9 VPN using freeswan and it's ok...

Also one added point: all the Linux machines are running 64bit Centos.  
It works fine with 1492 MTUs but it's a PITA...

If you have any other ideas I would be glad to hear them, thanks very 
much for responding and helping, I was beginning to feel a bit "out in 
the cold".

I set dozens of freeswan VPNs up using RedHat 9 and Centos 3, but this 
is one of the first NetKey ones I have done and the first with Openswan 
at both ends.

I am using a 2.6.9-34.0.1.EL kernel


Peter McGill wrote:
>> It seems the max MTU is 1492, and I have had to set this on all windows
>> and Linux boxes to make the link useable,
> 1492 is the MTU for PPPoE links, which are often used by ISPs,
> particularly with xDSL. Are you using PPPoE to connect to your ISP? If
> so this is why your MTU is 1492. The other possibilities are that one
> of the other routers in the internet route between your hosts has this
> MTU either because it is using PPPoE or is perhaps simply
> misconfigured... In either case you will likely have to live with the
> 1492 MTU, it's not so bad though, just set your MTUs accordingly.
> If you're not using PPPoE, you may be able to determine which router is
> causing the problem, but it's unlikely that the owner will fix it,
> assuming that it is a misconfiguration. You can attempt to locate the
> router by resetting your MTU to 1500 and doing some large traceroutes
> (packet size > 1492), the traceroute command will vary depending on
> your local traceroute program, but be sure to set the don't fragment
> option and increase the packet size.
> Peter McGill
> Software Developer / Network Administrator
> Gra Ham Energy Limited
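
Added example, not part of either poster's message: one way to run the don't-fragment probing suggested above, using Linux iputils ping (-M do) and a binary search over packet sizes. The function names, the hop names and the simulated path are constructed for illustration; hops that do not answer ICMP echo are skipped.

```python
import subprocess

IP_ICMP_OVERHEAD = 28  # 20-byte IPv4 header + 8-byte ICMP echo header


def ping_df(host, payload):
    """One echo request with Don't Fragment set (Linux iputils ping)."""
    cmd = ["ping", "-c", "1", "-W", "2", "-M", "do", "-s", str(payload), host]
    return subprocess.run(cmd, capture_output=True).returncode == 0


def find_path_mtu(host, probe=ping_df, low=576, high=1500):
    """Largest IP packet size (bytes) that reaches host unfragmented.

    Returns None if even `low` fails (host down or ICMP echo filtered).
    """
    if not probe(host, low - IP_ICMP_OVERHEAD):
        return None
    while low < high:
        mid = (low + high + 1) // 2  # round up so the search terminates
        if probe(host, mid - IP_ICMP_OVERHEAD):
            low = mid
        else:
            high = mid - 1
    return low


def first_narrow_hop(hops, probe=ping_df, local_mtu=1500):
    """Walk hops in path order; return (hop, mtu) for the first hop whose
    path MTU is below local_mtu, or None if no responding hop is narrower."""
    for hop in hops:
        mtu = find_path_mtu(hop, probe=probe, high=local_mtu)
        if mtu is not None and mtu < local_mtu:
            return hop, mtu
    return None


if __name__ == "__main__":
    # Constructed path for an offline run: MTU of the path up to each hop.
    simulated = {"lan-gw": 1500, "pppoe-edge": 1492, "remote-gw": 1492}

    def sim_probe(host, payload):
        return payload + IP_ICMP_OVERHEAD <= simulated[host]

    print(first_narrow_hop(list(simulated), probe=sim_probe))
    # For a real run, pass the hop addresses from your own traceroute
    # and leave probe at its default.
```
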
