[Openswan Users] "The Internet as a big subnet" issue again
Милен Панков
mpankov at vereo.bg
Tue Dec 18 08:25:16 EST 2007
Hi,
Some time ago I discussed here a configuration of openswan to openswan
using "The Internet as a big subnet"
(http://wiki.openswan.org/index.php/Openswan/TheInternetAsABigSubnet).
My configuration was like that:
On point A
conn main
left=a.b.c.d
leftsubnet=0.0.0.0/0
leftsourceip=192.168.1.1
leftnexthop=
leftrsasigkey=
right=w.x.y.z
rightsubnet=10.1.10.0/24
rightsourceip=10.1.10.1
rightnexthop=
rightrsasigkey=
auto=start
On point B
conn main
right=a.b.c.d
rightsubnet=0.0.0.0/0
rightsourceip=192.168.1.1
rightnexthop=
rightrsasigkey=
left=w.x.y.z
leftsubnet=10.1.10.0/24
leftsourceip=10.1.10.1
leftnexthop=
leftrsasigkey=
auto=start
I then ran into some problems. First, almost nothing was passing
through the tunnel because of packet fragmentation. On both points
tcpdump showed something like this:
IP 10.1.10.1 > 10.1.10.27: ICMP 192.168.1.1 unreachable - need to frag (mtu 1428), length 55
The second problem was that PCs from subnet 10.1.10.0/24 didn't see
their gateway 10.1.10.1, because all the traffic was going through the
tunnel. I managed to fix both issues by adding a passthrough connection on
point B:
conn passthrough
right=192.168.1.1
rightsubnet=10.1.10.0/24
left=10.1.10.1
leftsubnet=10.1.10.0/24
type=passthrough
authby=never
auto=route
This configuration has worked fine for almost a year, until a couple of
days ago I ran into another problem which I cannot fix.
The issue is that sometimes computers from point B cannot access
certain resources on the internet. I noticed that this always occurs when
the packets have the "Don't Fragment" flag. On point B tcpdump doesn't say
anything unusual, but on point A tcpdump shows a lot of output like this
when initiating such a connection:
IP a.b.c.d > the_ip_on_internet_being_accessed: ICMP a.b.c.d unreachable - need to frag (mtu 1428), length 556
IP a.b.c.d > the_ip_on_internet_being_accessed: ICMP a.b.c.d unreachable - need to frag (mtu 1428), length 556
Other connections from point B to the internet work fine.
Connections from point B subnet to point A subnet with packets having
"Don't Fragment" flag also work fine.
Anyone who can help?
Thanks
--
Milen Pankov
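An added example, not part of the original post: a small Python script that parses the tcpdump "need to frag" lines quoted above, groups them by ICMP sender and peer, and derives the TCP MSS that would fit the advertised tunnel MTU. The sample lines are constructed in the post's format; 203.0.113.10 is a placeholder for "the_ip_on_internet_being_accessed".

```python
import re
from collections import defaultdict

# tcpdump's rendering of an ICMP "fragmentation needed" error (see SAMPLE below)
FRAG_NEEDED = re.compile(
    r"^IP (?P<src>\S+) > (?P<dst>\S+): ICMP (?P<unreach>\S+) unreachable"
    r" - need to frag \(mtu (?P<mtu>\d+)\), length (?P<length>\d+)$"
)

def parse_frag_needed(line):
    """Return the fields of a 'need to frag' line, or None for any other line."""
    m = FRAG_NEEDED.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["mtu"] = int(rec["mtu"])
    rec["length"] = int(rec["length"])
    return rec

def summarize(lines):
    """Group errors by (ICMP sender, peer); repeated hits suggest a PMTUD blackhole."""
    mtus = defaultdict(list)
    for line in lines:
        rec = parse_frag_needed(line)
        if rec:
            mtus[(rec["src"], rec["dst"])].append(rec["mtu"])
    return {
        pair: {
            "count": len(seen),
            "mtu": min(seen),
            # IPv4 header (20) + TCP header without options (20)
            "tcp_mss_clamp": min(seen) - 40,
        }
        for pair, seen in mtus.items()
    }

# Constructed sample in the format quoted in the post; 203.0.113.10 stands in
# for "the_ip_on_internet_being_accessed".
SAMPLE = """\
IP 10.1.10.1 > 10.1.10.27: ICMP 192.168.1.1 unreachable - need to frag (mtu 1428), length 55
IP a.b.c.d > 203.0.113.10: ICMP a.b.c.d unreachable - need to frag (mtu 1428), length 556
IP a.b.c.d > 203.0.113.10: ICMP a.b.c.d unreachable - need to frag (mtu 1428), length 556
IP 10.1.10.27 > 10.1.10.1: ICMP echo request, id 1, seq 1, length 64
""".splitlines()

if __name__ == "__main__":
    for (src, dst), info in summarize(SAMPLE).items():
        print(f"{src} -> {dst}: {info['count']} x need-to-frag, mtu {info['mtu']}, "
              f"clamp TCP MSS to {info['tcp_mss_clamp']}")
```

A pair that keeps showing up with the same MTU while the connection still stalls is the signature of a PMTUD blackhole: the gateway reports the tunnel MTU but the peer never reduces its packet size.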