[Openswan Users] MTU again (netkey fragmentation)
Harald Scharf
h.scharf at nestec.at
Wed Feb 28 09:45:17 EST 2007
Hi, List.
I analyzed the MTU problem in my openswan / netkey environment
again. Here is my summary (suggestions will be very welcome).
My setup:
Two boxes (openswan/netkey/kernel 2.6.19.1)
Windows XP on subnet 192.168.101.0/24
Windows XP on subnet 172.20.0.0/16
Fragmentation test with ping -f under Windows.
Source is my XP in the network 192.168.101.0/24.
First try (simple routing without ipsec tunnel)
ping -l 1420 -f 172.20.0.2 <- OK
Second try (with IPsec connection)
ping -l 1420 -f 172.20.0.2 <- NOT OK
Fragmentation needed
OpenSWAN box on my side replies with:
21:55:01.712984 IP (tos 0xc0, ttl 64, id 43973, offset 0, flags [none], proto: ICMP (1), length: 576) 192.168.101.75 > 192.168.101.76: ICMP 172.20.0.1 unreachable - need to frag (mtu 1428), length 556
Third try (with IPsec)
Flushed the routing cache on Windows (route -f) and made a
ip route change 172.20.0.0/16 dev eth0 mtu 16230 <- tip from
Paul on the openswan list
on the ipsec box.
ping -l 1420 -f 172.20.0.2 <- NOT OK
Fragmentation needed
Fourth try (basic routing to the internet, other gateway):
ping -l 1420 -f any-internet-ip <- OK
Fifth try (FreeS/WAN with KLIPS)
ping -l 1420 -f 172.20.0.2 <- OK
So now I have no idea what I should do next.
I cannot use KLIPS (it does not work with padlock-aes), but
in my case a webserver produces packets with DF set.
I read that KLIPS removes the DF flag from the IP header before
the packet goes into the tunnel.
Why doesn't netkey?
Any ideas?
Kind regards
Harald
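The ping -f trials above, automated as an added example (not part of Harald's post or of the openswan project): a DF-set binary search for the path MTU as it would be run from the Linux ipsec box, plus a model of ESP tunnel-mode overhead that explains why the tunnel MTU is smaller than the link MTU. Assumptions: Linux iputils ping syntax (-M do sets DF, -s sets the payload size), AES-CBC with HMAC-SHA1-96 as the ESP transforms, and the host/bounds passed in; the kernel's advertised MTU (1428 in the tcpdump line above) can be more conservative than this protocol-level bound.

```shell
#!/bin/sh
# ICMP echo payload that fits a given path MTU: MTU minus 20 (IP) minus 8 (ICMP).
# Equivalent to the "-l N" value in the post's Windows ping runs.
max_icmp_payload() {
    echo $(( $1 - 28 ))
}

# Model of ESP tunnel-mode overhead (assumed transforms AES-CBC + HMAC-SHA1-96):
# outer IP 20, SPI+sequence 8, IV 16, padding to a 16-byte block, pad-length +
# next-header 2, ICV 12, optionally 8 for NAT-T UDP encapsulation.
# Prints the largest inner packet that still fits inside the outer MTU.
max_inner_packet() {
    outer_mtu=$1
    natt=${2:-0}                          # pass 8 when NAT-T is in use
    fixed=$(( 20 + 8 + 16 + 12 + natt ))
    room=$(( outer_mtu - fixed ))         # space for payload + padding + 2 trailer bytes
    room=$(( room - room % 16 ))          # must be a whole number of cipher blocks
    echo $(( room - 2 ))
}

# Binary-search the path MTU towards $1 by sending DF-set pings of varying size.
# $2 is a size assumed to pass, $3 a size assumed to fail (defaults 500 / 1500).
# Prints the largest total IP packet size that was delivered unfragmented.
probe_pmtu() {
    host=$1; lo=${2:-500}; hi=${3:-1500}
    while [ $(( hi - lo )) -gt 1 ]; do
        mid=$(( (lo + hi) / 2 ))
        if ping -M do -c 1 -W 1 -s "$(max_icmp_payload "$mid")" "$host" >/dev/null 2>&1; then
            lo=$mid                       # delivered: path MTU is at least mid
        else
            hi=$mid                       # "need to frag" or timeout: MTU is below mid
        fi
    done
    echo "$lo"
}

# Usage from the ipsec box (hypothetical peer address from the post's own subnet):
# probe_pmtu 172.20.0.2
```

With a 1500-byte link, the model gives 1438 bytes for the largest inner packet without NAT-T and 1422 with it, so a 1448-byte DF-set ping (1420 + 28) cannot be delivered through the tunnel in either case.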