[Openswan Users] MTU problems - Openswan to freeswan

Cameron Davidson cam73 at aanet.com.au
Sun May 28 04:53:10 CEST 2006

I don't understand how MTU issues within openswan are supposed to be 
resolved, and the problem for me is that they are not.
A vpn over mtu=1500 connections reports a tunnel mtu of 1428 (via icmp 
reply to big ping packet),
while a link between an mtu=1500 site and one with mtu=1492 reports the 
tunnel mtu is 1444.

For a long time I have had a 3-way vpn setup running between two adsl 
gateway boxes (call them A and B, which started as RH7.3) running 
various versions of superfreeswan and openswan v1, on various 2.4 
kernels. The third gateway (C) on cable is a Snapgear Lite+ v1.7.12.
Initially they all ran on links that were mtu=1500, and everything was 
These are all subnet-subnet tunnels.
Recently I upgraded A and B to Centos 4.3, and openswan to 2.4.5 (using 
the netkey kernel IPSEC code).
I upgraded A first and it was able to establish a good vpn link to B, 
after a bit of tinkering with the config files. This link uses X509 
Then I upgraded B and got that link working again.

Now, the snapgear link has been unreliable because the cable operators 
have been changing IP address, even the nexthop address, at increasing 
frequencies, and the owner decided to go to adsl with a static IP, but 
is required to use PPPoE, using the client inside the snapgear. So the 
snapgear knows its wan port has mtu=1492, but the vpn mtu is set to 1444.
Any ping packet I send  from A to C (or B to C), with raw packet size 
between 1439 and 1444 gets encrypted as an ESP packet between 1493 and 
1500 bytes.  These cause an icmp fragmentation-needed reply from C's 
nexthop router, which seems to be ignored by  everything at end A.

I suppose I could use the overridemtu option, without actually losing 
any capacity, but I don't understand why it is getting it wrong.

One complicating factor was that I had to rebuild kernels on both Centos 
systems - A did not have my ethernet card, and B paniced in SMP mode.
System A now has a standard kernel, and B has a rebuilt, 
stripped down rebuild of the Centos kernel 2.6.9-34.  There is always a 
chance I've left out something vital, but I can't see anything obvious.


More information about the Users mailing list