[Openswan Users] openswan vs freeswan

Massimo Mazzoldi mmazzoldi at direte.it
Mon Mar 27 11:37:02 CEST 2006

A few years ago we put at work a network with multiple VPN tunnels to a central
security gateway.
Every tunnel was based on Freeswan 1.99.

Everything is still working right.

Now we're expanding the network with new security gateway based on Openswan
2.4.4 with kernel 2.4.x.
All Openswan PC's connect to the central gateway with Freeswan.

I had no trouble having the VPN tunnels getting up...
yet I get ICMP messages about fragmentation error (needed packet fragementation)

I already set up iptables with mss-clamp... as in other freeswan machines...
yet the error stays there.

The weird thing is that packets are going throught the tunnel anyway... even if
fragmentation is needed.

I found a guy with my same problem here:


but there was no solution.

Now I just turned it off with fragicmp=0;

from man ipsec.conf
whether a tunnel's need to fragment a packet should be reported back with an
ICMP message, in an attempt  to  make  the sender lower his PMTU estimate;
acceptable values are yes (the default) and no.

and now it seems working right.... and actually better... since no
fragmentation error is returned... 

has anyone experience on how to handle my problem?

Ing. Massimo Mazzoldi
Responsabile Tecnico, Ricerca & Sviluppo
Cell 335 7886689
DiRete sc
Via G. Di Vittorio 85, 25010 Desenzano del Garda (BS)
P.IVA ed iscrizione Registro Imprese di BS: 02452020981
Iscrizione all'albo delle società cooperative: A139218
Tel. 030.2056109 
Fax: 030.9902701

More information about the Users mailing list