[Openswan Users] "The Internet as a big subnet" issue again

Милен Панков mpankov at vereo.bg
Tue Dec 18 08:25:16 EST 2007


Hi,

Some time ago I discussed here a configuration of openswan to openswan
using "The Internet as a big subnet"
(http://wiki.openswan.org/index.php/Openswan/TheInternetAsABigSubnet).

My configuration was like that:

On point A

conn main
    left=a.b.c.d
    leftsubnet=0.0.0.0/0
    leftsourceip=192.168.1.1
    leftnexthop=
    leftrsasigkey=
    right=w.x.y.z
    rightsubnet=10.1.10.0/24
    rightsourceip=10.1.10.1
    rightnexthop=
    rightrsasigkey=
    auto=start

On point B

conn main
    right=a.b.c.d
    rightsubnet=0.0.0.0/0
    rightsourceip=192.168.1.1
    rightnexthop=
    rightrsasigkey=
    left=w.x.y.z
    leftsubnet=10.1.10.0/24
    leftsourceip=10.1.10.1
    leftnexthop=
    leftrsasigkey=
    auto=start

I then ran into some problems. First - almost nothing was passing
through the tunnel because of packet fragmentation. On both points
tcpdump showed something like this:

IP 10.1.10.1 > 10.1.10.27: ICMP 192.168.1.1 unreachable - need to frag (mtu 1428), length 55

The second problem was that PCs from subnet 10.1.10.0/24 didn't see
their gateway 10.1.10.1, because all the traffic was going through the
tunnel. I managed to fix both issues by adding a passthrough connection on
point B:

conn passthrough
    right=192.168.1.1
    rightsubnet=10.1.10.0/24
    left=10.1.10.1
    leftsubnet=10.1.10.0/24
    type=passthrough
    authby=never
    auto=route

This configuration worked very well for almost a year, until a couple of
days ago, when I ran into another problem which I cannot fix.
The issue is that sometimes computers from point B cannot access
certain resources on the internet. I noticed that this always occurs when
the packets have the "Don't Fragment" flag. On point B tcpdump doesn't say
anything unusual, but on point A tcpdump shows a lot of output like this
when initiating such a connection:

IP a.b.c.d > the_ip_on_internet_being_accessed: ICMP a.b.c.d unreachable - need to frag (mtu 1428), length 556
IP a.b.c.d > the_ip_on_internet_being_accessed: ICMP a.b.c.d unreachable - need to frag (mtu 1428), length 556

Other connections from point B to the internet work fine.
Connections from the point B subnet to the point A subnet with packets having
the "Don't Fragment" flag also work fine.

Anyone who can help?

Thanks

-- 

Milen Pankov
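As an added example (not part of the post above, and not Openswan code), the following Python script parses the "need to frag" ICMP lines that tcpdump prints in the situation described, groups them per destination, and reports the smallest advertised MTU, the implied tunnel overhead against a 1500-byte link, and the TCP MSS value that would fit inside that MTU. The sample tcpdump lines are constructed to mirror the ones quoted in the post; `203.0.113.10` stands in for the_ip_on_internet_being_accessed and is an assumed placeholder, and a 1300-byte line is added to show how a tighter path MTU is picked up.

```python
import re
from collections import defaultdict

# Constructed sample tcpdump output, modelled on the lines quoted in the post.
# 203.0.113.10 is a documentation-range placeholder for the internet host.
SAMPLE_TCPDUMP = """\
IP 10.1.10.1 > 10.1.10.27: ICMP 192.168.1.1 unreachable - need to frag (mtu 1428), length 55
IP a.b.c.d > 203.0.113.10: ICMP a.b.c.d unreachable - need to frag (mtu 1428), length 556
IP a.b.c.d > 203.0.113.10: ICMP a.b.c.d unreachable - need to frag (mtu 1428), length 556
IP 10.1.10.27 > 203.0.113.10: Flags [S], seq 1, win 64240, options [mss 1460], length 0
IP a.b.c.d > 203.0.113.10: ICMP a.b.c.d unreachable - need to frag (mtu 1300), length 556
"""

# Matches tcpdump's "ICMP <host> unreachable - need to frag (mtu N)" line format.
NEED_FRAG = re.compile(
    r"^IP (?P<src>\S+) > (?P<dst>\S+): ICMP (?P<unreach>\S+) unreachable"
    r" - need to frag \(mtu (?P<mtu>\d+)\), length (?P<len>\d+)"
)

IP_HDR, TCP_HDR = 20, 20  # minimum IPv4 and TCP header sizes


def parse_need_frag(text):
    """Return one record per 'need to frag' line; other tcpdump lines are skipped."""
    records = []
    for line in text.splitlines():
        m = NEED_FRAG.match(line.strip())
        if m:
            records.append({
                "src": m["src"],
                "dst": m["dst"],
                "unreachable": m["unreach"],
                "mtu": int(m["mtu"]),
                "length": int(m["len"]),
            })
    return records


def summarize(records, link_mtu=1500):
    """Per destination: message count, smallest advertised MTU, implied
    overhead relative to link_mtu, and the MSS that fits that MTU."""
    by_dst = defaultdict(lambda: {"count": 0, "min_mtu": None, "sources": set()})
    for r in records:
        s = by_dst[r["dst"]]
        s["count"] += 1
        s["min_mtu"] = r["mtu"] if s["min_mtu"] is None else min(s["min_mtu"], r["mtu"])
        s["sources"].add(r["unreachable"])
    out = {}
    for dst, s in by_dst.items():
        out[dst] = {
            "count": s["count"],
            "min_mtu": s["min_mtu"],
            "tunnel_overhead": link_mtu - s["min_mtu"],
            "clamp_mss": s["min_mtu"] - IP_HDR - TCP_HDR,
            "sources": sorted(s["sources"]),
        }
    return out


if __name__ == "__main__":
    for dst, info in summarize(parse_need_frag(SAMPLE_TCPDUMP)).items():
        print(f"{dst}: {info['count']} need-frag msgs, min mtu {info['min_mtu']}, "
              f"overhead {info['tunnel_overhead']}, clamp MSS to {info['clamp_mss']}")
```

Run it against a saved `tcpdump -n icmp` capture from point A instead of the constructed sample to see which internet destinations keep receiving Need-Frag messages and whether the advertised MTU (1428 in the post, i.e. 72 bytes of ESP overhead on a 1500-byte link) is consistent across them; a single destination with a much smaller MTU points at a tighter path beyond the tunnel rather than at the tunnel itself.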

