[Openswan Users] MTU question

Andy fs at globalnetit.com
Mon Jun 26 12:46:07 CEST 2006


Why change the MTU to 1492?

Probably you have a PMTUD problem - packets will be sent with DF set and
the tunnel needs to fragment, so it tries to send back an ICMP dest
unreachable/frag needed, but that ICMP never reaches the source host.

That can be due to silly firewall rules (make sure you don't block ICMP
anywhere). It can also happen if intermediate routers (between the
Openswan boxes) are originating the ICMP - I posted some stuff about
that a while ago, but didn't get much response. Check the archives for a
subject including PMTUD.

You can often solve pmtud problems using the iptables TCPMSS target
(only works for TCP, but that's fine for RDP & VNC).

Try something like this on the Openswan box at the end that connections
are initiated from:

iptables -A FORWARD -s <source client subnet> -d <dest client subnet> -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1200

If that works, experiment with larger --set-mss values to find the largest
value that works for you.

- Andy

On Mon, 2006-06-26 at 10:03 -0500, Jeremy Mann wrote:
> Let me add to this, if I drop the MTU of the two Client machines to
> 1492 everything works fine. I definitely can't do that as each side of
> the tunnel supports about 100 machines (we use it to remote into machines
> in a helpdesk scenario, so there's only 1 or 2 active at a time).
> 
> Jeremy Mann wrote:
> > Quick general question. If I have set the MTU of all my site-to-site
> > tunnels to 1492 and enabled forwarding (obviously) is the linux box
> > smart enough to handle clients on either end having an MTU of 1500?
> >
> > Quick ASCII scenario
> >
> > Client1(MTU 1500)<----->Openswan A(MTU 1492)<---->Openswan B(MTU 1492)<---->Client2(MTU 1500)
> >
> > If the answer is yes, why would I see large packets kill connectivity
> > between client1 and client2? Specifically Clients 1 and 2 are XP
> > machines, and the traffic is VNC or RDP. It seems that I can ping them
> > fine, I can even do smb traffic, just that RDP or VNC kill
> > connectivity.
> >
> > A Tcpdump shows that eventually one of the two machines will start
> > sending retransmits, with no reply from the other side (in a request
> > response relationship, it's usually the pc trying to respond).
> > 
> >    
> > _______________________________________________ 
> > Users at openswan.org 
> > http://lists.openswan.org/mailman/listinfo/users 
> > Building and Integrating Virtual Private Networks with Openswan:  
> >
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155 
-- 
Andy <fs at globalnetit.com>
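The iptables TCPMSS rule above works by rewriting the MSS option inside each forwarded TCP SYN so that neither endpoint ever sends a segment too large for the tunnel, which sidesteps the lost ICMP "fragmentation needed" messages entirely. The following Python is an added example (not code from the thread or from Openswan or netfilter) that models what the kernel's TCPMSS target does to a packet: it matches SYN-set/RST-clear segments, lowers an MSS larger than the clamp, and recomputes the TCP checksum. The packet, addresses and ports are constructed sample values; `mss_for_mtu` shows the usual MTU-to-MSS relationship (MTU minus 20-byte IPv4 and 20-byte TCP headers) that guides picking a `--set-mss` value for a given tunnel MTU.

```python
import socket
import struct

IP_HDR_LEN = 20      # IPv4 header without options
TCP_HDR_MIN = 20     # TCP header without options
TCP_OPT_MSS = 2      # option kind for Maximum Segment Size
TCP_PROTO = 6


def _ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum over data (pad odd length with a zero byte)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def mss_for_mtu(mtu: int) -> int:
    """Largest TCP payload that fits one IPv4 packet of the given MTU."""
    return mtu - IP_HDR_LEN - TCP_HDR_MIN


def tcp_checksum(ip_hdr: bytes, tcp_seg: bytes) -> int:
    """TCP checksum: pseudo-header (src, dst, zero, proto, length) + segment."""
    pseudo = ip_hdr[12:16] + ip_hdr[16:20] + struct.pack("!BBH", 0, TCP_PROTO, len(tcp_seg))
    return _ones_complement_sum(pseudo + tcp_seg)


def build_syn(src_ip: str, dst_ip: str, sport: int, dport: int, mss: int) -> bytes:
    """Constructed sample IPv4/TCP SYN carrying a single MSS option."""
    options = struct.pack("!BBH", TCP_OPT_MSS, 4, mss)          # kind, length, value
    data_offset = (TCP_HDR_MIN + len(options)) // 4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0,
                      data_offset << 4, 0x02, 65535, 0, 0) + options   # flags=SYN, csum=0
    src, dst = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_HDR_LEN + len(tcp),
                     0x1234, 0x4000, 64, TCP_PROTO, 0, src, dst)     # DF set, csum=0
    ip = ip[:10] + struct.pack("!H", _ones_complement_sum(ip)) + ip[12:]
    tcp = tcp[:16] + struct.pack("!H", tcp_checksum(ip, tcp)) + tcp[18:]
    return ip + tcp


def _split(packet: bytes):
    ihl = (packet[0] & 0x0F) * 4
    return packet[:ihl], packet[ihl:]


def get_mss(packet: bytes):
    """Return the MSS option value of a TCP packet, or None if absent."""
    _, tcp = _split(packet)
    hlen = (tcp[12] >> 4) * 4
    opts, i = tcp[TCP_HDR_MIN:hlen], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                      # end of option list
            break
        if kind == 1:                      # NOP, one byte
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2:
            break                          # malformed option, stop parsing
        if kind == TCP_OPT_MSS and opts[i + 1] == 4:
            return struct.unpack("!H", opts[i + 2:i + 4])[0]
        i += opts[i + 1]
    return None


def verify_tcp_checksum(packet: bytes) -> bool:
    ip, tcp = _split(packet)
    return tcp_checksum(ip, tcp) == 0      # a valid segment sums to zero


def clamp_mss(packet: bytes, max_mss: int) -> bytes:
    """Model of the TCPMSS target: on SYN (not RST) lower MSS to max_mss."""
    ip, tcp = _split(packet)
    if ip[9] != TCP_PROTO or (tcp[13] & 0x06) != 0x02:   # --tcp-flags SYN,RST SYN
        return packet
    hlen = (tcp[12] >> 4) * 4
    opts, i, changed = bytearray(tcp[TCP_HDR_MIN:hlen]), 0, False
    while i < len(opts):
        kind = opts[i]
        if kind == 0:
            break
        if kind == 1:
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2:
            break
        if kind == TCP_OPT_MSS and opts[i + 1] == 4:
            if struct.unpack("!H", opts[i + 2:i + 4])[0] > max_mss:
                opts[i + 2:i + 4] = struct.pack("!H", max_mss)
                changed = True
        i += opts[i + 1]
    if not changed:
        return packet
    new_tcp = bytearray(tcp[:TCP_HDR_MIN] + bytes(opts) + tcp[hlen:])
    new_tcp[16:18] = b"\x00\x00"           # zero the checksum before recomputing
    new_tcp[16:18] = struct.pack("!H", tcp_checksum(ip, bytes(new_tcp)))
    return ip + bytes(new_tcp)


if __name__ == "__main__":
    syn = build_syn("10.0.1.10", "10.0.2.20", 40000, 3389, 1460)   # constructed RDP SYN
    clamped = clamp_mss(syn, 1200)
    print("MSS before:", get_mss(syn), "after:", get_mss(clamped),
          "checksum ok:", verify_tcp_checksum(clamped))
```

Only the SYN needs rewriting because MSS is negotiated once per connection; both directions are covered when the rule is placed where the SYN and the SYN/ACK both traverse FORWARD, which is why Andy suggests the box at the initiating end. `mss_for_mtu(1492)` gives 1452 for a plain 1492-byte path; ESP adds further per-packet overhead, which is why a conservative value like 1200 is a sensible first test before raising it.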