[Openswan Users] openswan vs freeswan
Massimo Mazzoldi
mmazzoldi at direte.it
Mon Mar 27 11:37:02 CEST 2006
A few years ago we put to work a network with multiple VPN tunnels to a central
security gateway.
Every tunnel was based on Freeswan 1.99.
Everything is still working right.
Now we're expanding the network with new security gateway based on Openswan
2.4.4 with kernel 2.4.x.
All Openswan PCs connect to the central gateway with Freeswan.
I had no trouble getting the VPN tunnels up...
yet I get ICMP messages about a fragmentation error (packet fragmentation needed).
I already set up iptables with mss-clamp... as on the other freeswan machines...
yet the error stays there.
The weird thing is that packets are going through the tunnel anyway... even if
fragmentation is needed.
I found a guy with my same problem here:
http://groups.google.com/group/comp.os.linux.networking/browse_thread/thread/5190f3ff256992ae/956415e56fc67549?lnk=st&q=openswan+mtu+problem&rnum=1&hl=it#956415e56fc67549
but there was no solution.
Now I just turned it off with fragicmp=0;
from man ipsec.conf
________
fragicmp
whether a tunnel's need to fragment a packet should be reported back with an
ICMP message, in an attempt to make the sender lower his PMTU estimate;
acceptable values are yes (the default) and no.
_________
and now it seems to be working right.... and actually better... since no
fragmentation error is returned...
Does anyone have experience on how to handle my problem?
------------------------------------------------------
Ing. Massimo Mazzoldi
Technical Manager, Research & Development
Cell 335 7886689
DiRete sc
Via G. Di Vittorio 85, 25010 Desenzano del Garda (BS)
VAT no. and Brescia (BS) Business Register no.: 02452020981
Registration in the register of cooperative societies: A139218
Tel. 030.2056109
Fax: 030.9902701
------------------------------------------------------