[Openswan Users] Problems when using subnet 0.0.0.0/0

Милен Панков mpankov at vereo.bg
Tue Jul 3 07:50:33 EDT 2007


Ruben Laban wrote:

>> Ruben Laban wrote:
>>> This sounds like an MTU issue. Depending on the ipsec stack you are using
>>> (NETKEY or KLIPS), there are various ways to get around this issue. Using
>>> overridemtu in the config is one (for KLIPS only) or use iptables to
>>> alter the MSS for those packets (for both KLIPS and NETKEY).
>>>
> 
> You could give iptables a try. Something in the order of:
> iptables -A FORWARD -p tcp --syn -j TCPMSS --set-mss 1300
> 
> If possible you should run a tcpdump on both ends of the tunnel to see if it's 
> actually an MTU issue (big packets sent from one side not arriving at the 
> other side).
> 
> HTH,

Hi again,

After I wrote the last message, where I was pretty sure this wasn't an MTU
issue, I've spent a couple of days on tests and tracing the problem.
Last time I tested with tcpdump I issued the tcpdump with "| grep ESP",
because I'm stupid. After a full dump it appears it is an MTU issue - there
are a lot of messages like this:
----
IP 192.168.7.1 > 192.168.7.21: ICMP 192.168.168.41 unreachable - need to
frag (mtu 1428), length 56
----
I tried changing the version of Openswan, upgrading and downgrading -
didn't work. After that I tried the "iptables -A FORWARD -p tcp --syn
-j TCPMSS --set-mss 1300" trick on both sides - didn't work. I spent
2 days trying different routing rules, but without success. Finally I
managed to solve the problem.
If using the schema from my first message it appears that a command like
this: "iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS
--set-mss 1300" issued on the gateway in office 1 sometimes might work,
sometimes not. After some testing it appears that if I issue it several
times it works after the second or third or fourth time it is issued. I
couldn't figure out why this is happening. The same command, though,
issued on the gateway in office 3 works fine without it having to be
issued in office 1. The only thing I noticed is that it works if it is
issued after all other iptables rules. If I move it up in my iptables
script it doesn't work, so I put it at the end.
So everything worked fine until I noticed that, because of using
"0.0.0.0/0" as a subnet, the computers in office 3 couldn't reach their
gateway, nor could the gateway reach them. It appears that openswan is
sending everything through the tunnel. After some testing I solved the
problem with a passthrough connection I managed to set up after several
tries.
Then I accidentally deleted the iptables rule which clamps the MSS, but
everything continued working as expected. I tried this several times and
for sure this passthrough connection is fixing the issue.
The only thing is I'm not sure if I did it right, as I used for left and
right the internal addresses of the gateways (didn't work with the
external ones) and I'm not sure if I didn't do something stupid like the
traffic between the PCs in subnet 192.168.7.0/24 going unencrypted
through the two gateways.
This is my current setup now:

In office 1:
-------
config setup

conn main-conn
       ike=aes256
       authby=secret
       left=a.b.c.226
       leftsubnet=0.0.0.0/0
       leftsourceip=192.168.168.1
       leftnexthop=a.b.c.225
       right=x.y.z.49
       rightsubnet=192.168.7.0/24
       rightsourceip=192.168.7.1
       rightnexthop=x.y.z.1
       auto=start
--------

In office 3:
--------
config setup

conn passthrough
       right=192.168.168.1
       rightsubnet=192.168.7.0/24
       left=192.168.7.1
       leftsubnet=192.168.7.0/24
       type=passthrough
       authby=never
       auto=route

conn main-conn
       ike=aes256
       authby=secret
       right=a.b.c.226
       rightsubnet=0.0.0.0/0
       rightsourceip=192.168.168.1
       rightnexthop=a.b.c.225
       left=x.y.z.49
       leftsubnet=192.168.7.0/24
       leftsourceip=192.168.7.1
       leftnexthop=x.y.z.1
       auto=add
---------


Milen
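As an added example (not part of the thread or of Openswan), a small Python check that scans tcpdump output for the ICMP "need to frag" messages Milen quotes, extracts the advertised path MTU, and derives the TCP MSS that fits in it; the capture lines below are constructed for the example and the address values are placeholders.

```python
import re
from typing import Optional

# Matches tcpdump's rendering of ICMP type 3 code 4 (fragmentation needed), e.g.
# "IP 192.168.7.1 > 192.168.7.21: ICMP 192.168.168.41 unreachable - need to frag (mtu 1428), length 56"
NEED_FRAG = re.compile(
    r"IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): ICMP (?P<target>[\d.]+) "
    r"unreachable - need to frag \(mtu (?P<mtu>\d+)\)"
)

IPV4_HEADER = 20  # bytes, no IP options
TCP_HEADER = 20   # bytes, no TCP options


def parse_need_frag(line: str) -> Optional[dict]:
    """Fields of a 'need to frag' ICMP message, or None if the line is something else."""
    m = NEED_FRAG.search(line)
    if not m:
        return None
    return {"src": m.group("src"), "dst": m.group("dst"),
            "target": m.group("target"), "mtu": int(m.group("mtu"))}


def smallest_path_mtu(lines) -> Optional[int]:
    """Smallest MTU advertised by any need-to-frag message in the capture (None if none seen)."""
    mtus = [p["mtu"] for p in map(parse_need_frag, lines) if p]
    return min(mtus) if mtus else None


def mss_for_mtu(mtu: int) -> int:
    """Largest TCP MSS whose segment still fits the given MTU: MTU minus IPv4 and TCP headers."""
    return mtu - IPV4_HEADER - TCP_HEADER


def clamp_rule(mss: int) -> str:
    """The SYN MSS clamp from the thread with the derived value; appended (-A) so it lands
    after the other FORWARD rules, which is the ordering Milen found necessary."""
    return f"iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss {mss}"


# Constructed sample capture: two fragmentation-needed messages plus unrelated ESP traffic.
SAMPLE = [
    "IP 192.168.7.1 > 192.168.7.21: ICMP 192.168.168.41 unreachable - need to frag (mtu 1428), length 56",
    "IP 203.0.113.49 > 198.51.100.226: ESP(spi=0x00000001,seq=0x2a), length 1444",
    "IP 192.168.7.1 > 192.168.7.21: ICMP 192.168.168.41 unreachable - need to frag (mtu 1412), length 56",
]

if __name__ == "__main__":
    mtu = smallest_path_mtu(SAMPLE)
    print(f"lowest advertised path MTU: {mtu}")
    print(clamp_rule(mss_for_mtu(mtu)))
```

The derived value (1388 for the 1428 MTU in the thread) is the upper bound; the 1300 used in the thread is simply a more conservative choice below it.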