[Openswan Users] "The Internet as a big subnet" issue again

Милен Панков mpankov at vereo.bg
Wed Dec 19 08:22:56 EST 2007

Милен Панков wrote:
> Hi,
> Some time ago I discussed here a configuration of openswan to openswan
> using "The Internet as a big subnet"
> (http://wiki.openswan.org/index.php/Openswan/TheInternetAsABigSubnet).
> My configuration was like that:
> On point A
> conn main
>     left=a.b.c.d
>     leftsubnet=
>     leftsourceip=
>     leftnexthop=
>     leftrsasigkey=
>     right=w.x.y.z
>     rightsubnet=
>     rightsourceip=
>     rightnexthop=
>     rightrsasigkey=
>     auto=start
> On point B
>     conn main
>         right=a.b.c.d
>         rightsubnet=
>         rightsourceip=
>         rightnexthop=
>         rightrsasigkey=
>         left=w.x.y.z
>         leftsubnet=
>         leftsourceip=
>         leftnexthop=
>         leftrsasigkey=
>         auto=start
> I then ran into some problems. First - almost nothing was passing
> through the tunnel because of packet fragmentation. On both points
> tcpdump showed something like this:
> IP > ICMP unreachable - need to frag
> (mtu 1428), length 55
> The second problem was that PCs from subnet didn't see
> their gateway, because all the traffic was going through the
> tunnel. I managed to fix both issues by adding a passthrough connection on
> point B:
> conn passthrough
>     right=
>     rightsubnet=
>     left=
>     leftsubnet=
>     type=passthrough
>     authby=never
>     auto=route
> This configuration worked very well for almost a year, until a couple of
> days ago, when I ran into another problem which I cannot fix.
> The issue is that sometimes computers from point B cannot access
> certain resources on the internet. I noticed that this always occurs when
> the packets have the "Don't Fragment" flag set. On point B tcpdump doesn't say
> anything unusual, but on point A tcpdump shows a lot of output like this
> when initiating such a connection:
> IP a.b.c.d > the_ip_on_internet_being_accessed: ICMP a.b.c.d unreachable
> - need to frag (mtu 1428), length 556
> IP a.b.c.d > the_ip_on_internet_being_accessed: ICMP a.b.c.d unreachable
> - need to frag (mtu 1428), length 556
> Other connections from point B to the internet work fine.
> Connections from the point B subnet to the point A subnet with packets having
> the "Don't Fragment" flag also work fine.
> Anyone who can help?
> Thanks

Hi again,

I managed to fix this by issuing the following on point B:
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1300
For some reason (maybe related only to my iptables commands) this works
only if it's last in the iptables script.
I'll have to figure out if it is possible to apply the rule only for
traffic between and

Is there anyone more experienced with openswan who can review this kind
of setup and tell me if there's anything wrong with it? I'm asking because
I found so many posts on the internet with the same problems, but no
solutions. If the setup is OK and I didn't mess something up (the thing I'm
concerned about is whether this passthrough connection is correct), then maybe it's
appropriate to post it in the wiki
(http://wiki.openswan.org/index.php/Openswan/TheInternetAsABigSubnet) as
an example.



Milen Pankov
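The TCPMSS rule above works because the "need to frag (mtu 1428)" messages are never delivered back through the tunnel, so hosts behind point B keep sending DF-marked segments that are too large; lowering the MSS announced in every SYN makes both peers build segments that fit the tunnel from the start. As an added example (not from the original post or from Openswan), this Python rewrites the MSS option of a constructed IPv4/TCP SYN the way the TCPMSS target does, walks the option list including NOP padding, and recomputes the TCP checksum; the addresses, ports and the 1460/1300 values are assumed.

```python
import struct

TUNNEL_MTU = 1428   # path MTU reported by the "need to frag" messages in the thread

def mss_for_mtu(mtu, ip_hdr=20, tcp_hdr=20):
    """Largest TCP payload that fits in one unfragmented packet of this MTU."""
    return mtu - ip_hdr - tcp_hdr

def tcp_checksum(src, dst, seg):
    """RFC 793 checksum over IPv4 pseudo-header + segment (checksum field zeroed)."""
    seg = seg[:16] + b"\0\0" + seg[18:]
    data = src + dst + struct.pack("!BBH", 0, 6, len(seg)) + seg
    data += b"\0" * (len(data) % 2)
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def mss_option_offset(tcp):
    """Offset of the 16-bit MSS value within a TCP header, or None if absent."""
    i, end = 20, (tcp[12] >> 4) * 4
    while i < end and tcp[i] != 0:              # kind 0 ends the option list
        if tcp[i] == 2 and tcp[i + 1] == 4:
            return i + 2
        i += 1 if tcp[i] == 1 else tcp[i + 1]   # kind 1 (NOP) is a single byte
    return None

def clamp_mss(packet, max_mss):
    """What TCPMSS --set-mss does: lower the MSS option of a SYN (SYN set, RST
    clear) to max_mss; any other packet, or a smaller MSS, passes unchanged."""
    ihl = (packet[0] & 0x0F) * 4
    tcp = bytearray(packet[ihl:])
    if packet[9] != 6 or not tcp[13] & 0x02 or tcp[13] & 0x04:
        return packet
    off = mss_option_offset(tcp)
    if off is None or struct.unpack("!H", tcp[off:off + 2])[0] <= max_mss:
        return packet
    tcp[off:off + 2] = struct.pack("!H", max_mss)
    tcp[16:18] = struct.pack("!H", tcp_checksum(packet[12:16], packet[16:20], bytes(tcp)))
    return bytes(packet[:ihl]) + bytes(tcp)

def build_syn(src, dst, mss):
    """Constructed IPv4 (DF set, IP checksum left zero) + TCP SYN with only an MSS option."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 6 << 4, 0x02, 65535, 0, 0)
    tcp += struct.pack("!BBH", 2, 4, mss)
    tcp = tcp[:16] + struct.pack("!H", tcp_checksum(src, dst, tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0, src, dst)
    return ip + tcp
```

With the 1428-byte tunnel MTU the largest safe MSS is 1388, so the 1300 used in the rule leaves room for any extra IPsec overhead.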
