[Openswan Users] MTU question

Paul Wouters paul at xelerance.com
Mon Jun 26 20:32:05 CEST 2006


On Mon, 26 Jun 2006, Jeremy Mann wrote:

> Quick general question.  If I have set the MTU of all my site-to-site
> tunnels to 1492 and enabled forwarding (obviously), is the Linux box smart
> enough to handle clients on either end having an MTU of 1500?
>
> Quick ASCII scenario
>
> Client1(MTU 1500)<----->Openswan A(MTU 1492)<---->Openswan B(MTU 1492)<---->Client2(MTU 1500)
>
> If the answer is yes, why would I see large packets kill connectivity
> between client1 and client2?  Specifically Clients 1 and 2 are XP
> machines, and the traffic is VNC or RDP.  It seems that I can ping them
> fine, I can even do smb traffic, just that RDP or VNC kill connectivity.

It is not so much openswan that needs to understand the situation. The
client machines with mtu=1500 should detect that the gateway can only
do 1492, and through PMTU discovery should lower their MTU.

Though the openswan machines have two interfaces here, internal and
external. The internal mtu could still be 1500, the packets would get
encrypted and then sent over the ipsec tunnel (and I guess would get
fragmented, but that should be okay).

If these are older openswan versions, you can try adding fragicmp=yes if
using KLIPS.

Paul
-- 
Building and integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
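A worked version of the sizes behind Paul's answer, added here as an example; it is not Openswan code and not part of the original thread. It uses the thread's numbers (client MTU 1500, tunnel MTU 1492) and assumes AES-CBC with HMAC-SHA1-96 as the ESP transform, with 3DES/MD5 and NAT traversal as alternatives; the function names are this example's own. It shows how much of the 1492 bytes is left for the client's packet after ESP tunnel-mode encapsulation, what the gateway should answer when a full-size packet with DF set arrives, and why small pings get through while large RDP/VNC segments do not when that answer never reaches the client.

```python
# Added example (not Openswan code): ESP tunnel-mode sizes over IPv4, and what
# the encrypting gateway has to do with an inner packet that no longer fits
# once encapsulated. MTU values and transform choices are assumptions picked
# to match the thread (client MTU 1500, tunnel MTU 1492).
import math

IPV4_HDR = 20        # outer IPv4 header added by tunnel mode
ESP_HDR = 8          # SPI (4) + sequence number (4)
ESP_TRAILER = 2      # pad length (1) + next header (1)
UDP_HDR = 8          # extra only with NAT traversal (UDP encapsulation)
ICMP_FRAG_NEEDED = (3, 4)   # ICMP type 3, code 4: fragmentation needed and DF set

# cipher -> (IV length, block size the payload is padded to)
CIPHERS = {"aes-cbc": (16, 16), "3des-cbc": (8, 8)}
# integrity algorithm -> ICV length (truncated HMACs in both cases)
AUTHS = {"hmac-sha1-96": 12, "hmac-md5-96": 12}


def esp_padding(inner_len, cipher):
    """Padding so that payload + pad + trailer is a multiple of the block size."""
    block = CIPHERS[cipher][1]
    return (-(inner_len + ESP_TRAILER)) % block


def encapsulated_size(inner_len, cipher="aes-cbc", auth="hmac-sha1-96", nat_t=False):
    """On-the-wire size of the ESP packet carrying an inner IP packet of inner_len bytes."""
    iv, _ = CIPHERS[cipher]
    size = (IPV4_HDR + ESP_HDR + iv + inner_len
            + esp_padding(inner_len, cipher) + ESP_TRAILER + AUTHS[auth])
    return size + (UDP_HDR if nat_t else 0)


def max_inner_mtu(outer_mtu, cipher="aes-cbc", auth="hmac-sha1-96", nat_t=False):
    """Largest inner IP packet whose encapsulation still fits in outer_mtu.

    This is the value the gateway should advertise in ICMP Fragmentation
    Needed, and therefore the MTU a PMTU-discovering client ends up with.
    """
    iv, block = CIPHERS[cipher]
    fixed = IPV4_HDR + ESP_HDR + iv + AUTHS[auth] + (UDP_HDR if nat_t else 0)
    room = (outer_mtu - fixed) // block * block   # payload + pad + trailer
    return room - ESP_TRAILER


def tcp_mss_for(inner_mtu):
    """MSS that keeps a TCP segment inside inner_mtu (IPv4 + TCP headers, no options)."""
    return inner_mtu - 40


def gateway_decision(inner_len, df, outer_mtu, cipher="aes-cbc", auth="hmac-sha1-96", nat_t=False):
    """What the encrypting gateway does with one inner packet.

    ("forward", None)   it fits after encapsulation
    ("fragment", n)     too big, DF clear: the ESP packet goes out as n IP fragments
                        (fragmented after encryption)
    ("icmp", mtu)       too big, DF set: dropped, and ICMP type 3 code 4 carrying the
                        next-hop MTU goes back to the sender, which lowers its path MTU.
                        If that ICMP is filtered somewhere, the sender never learns and
                        only its large DF packets (bulk TCP such as RDP/VNC, not small
                        pings) silently disappear.
    """
    size = encapsulated_size(inner_len, cipher, auth, nat_t)
    if size <= outer_mtu:
        return ("forward", None)
    if df:
        return ("icmp", max_inner_mtu(outer_mtu, cipher, auth, nat_t))
    per_fragment = (outer_mtu - IPV4_HDR) // 8 * 8   # fragment payload is 8-byte aligned
    return ("fragment", math.ceil((size - IPV4_HDR) / per_fragment))


if __name__ == "__main__":
    # The thread's scenario: 1500-byte clients behind gateways whose tunnel MTU is 1492.
    for inner, what in ((60, "ping, 32 data bytes"), (1500, "full-size RDP/VNC segment")):
        print(f"{what:28s} {inner:5d} -> {encapsulated_size(inner)} bytes on the wire,",
              gateway_decision(inner, df=True, outer_mtu=1492))
    print("inner MTU the client should learn:", max_inner_mtu(1492))
    print("TCP MSS that fits without relying on PMTUD:", tcp_mss_for(max_inner_mtu(1492)))
```

With AES-CBC/SHA1 a 1500-byte inner packet becomes 1560 bytes on the wire, so it cannot cross a 1492-byte tunnel; the gateway should answer the DF-set packet with ICMP type 3 code 4 advertising 1422, and the client's TCP then drops its segment size accordingly. A 60-byte ping encapsulates to 120 bytes and is never affected, which matches the symptom in the question. If the ICMP Fragmentation Needed messages are being filtered, the usual workaround on the forwarding gateway is to clamp the MSS of forwarded SYNs to the path MTU with netfilter (`iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu`), which for this transform amounts to the 1382-byte MSS computed above.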

