[Openswan Users] OpenSWAN NetKey MTU Problem?

Harald Scharf h.scharf at nestec.at
Tue Feb 27 14:51:23 EST 2007


Hi,

I have no ipsec0 interface in a netkey setup.
Does it help to set overridemtu or the mtu of interface eth(WAN)?

Kind regards

Harald

-----Original Message-----
From: Juan Pablo [mailto:jp.espino at gmail.com]
Sent: Tuesday, 27 February 2007 20:33
To: Harald Scharf
Cc: users at openswan.org
Subject: Re: [Openswan Users] OpenSWAN NetKey MTU Problem?

Hi,

Have you tried with a bigger MTU? I had a similar situation and I fixed it by configuring ipsec0 with MTU=16200 bytes (or something like that).

-Juan Pablo

On 2/27/07, Harald Scharf <h.scharf at nestec.at> wrote:
>
> Hi, List!
>
> We have several VPN tunnels in an ipsec mesh system.
>
> Now, I replaced an old (frees/wan) with an openswan box (current release) in one location.
>
> Now, if I want to access a https server over the tunnel,
> I get the certificate and then the connection breaks (timeout).
>
> tcpdump on icmp says: fragmentation needed.
>
> One detail: the destination server does not run the https itself.
> It is natted to another vpn (in which the https server runs).
>
> What can I try out?
>
> When I replace the openswan/netkey box with the old one (freeswan 1.99),
> the connection works great, and without any troubles.
>
> I tried to install KLIPS (bigger MTU ?), but I can not use this, because I need padlock AES
> patch (which is not supported by KLIPS).
>
> Any ideas?
>
> Kind regards
>
> Harald
>