[Openswan Users] Problems when using subnet 0.0.0.0/0
Милен Панков
mpankov at vereo.bg
Tue Jul 3 07:50:33 EDT 2007
Ruben Laban написа:
>> Ruben Laban написа:
>>> This sounds like a MTU issue. Depending on the ipsec stack you are using
>>> (NETKEY or KLIPS), there are various ways to get around this issue. Using
>>> overridemtu in the config is one (for KLIPS only) or use iptables to
>>> alter the MSS for those packets (for both KLIPS and NETKEY).
>>>
>
> You could give iptables a try. Something in the order of:
> iptables -A FORWARD -p tcp --syn -j TCPMSS --set-mss 1300
>
> If possible you should run a tcpdump on both end of the tunnel to see if its
> actually a MTU issue (big packets sent from one side not arriving at the
> other side).
>
> HTH,
Hi again,
After I wrote the last message where I was pretty sure this wasn't a MTU
issue I've spend couple of days of tests and tracing the problem.
Last time I tested with tcpdump I issued the tcpdump with "| grep ESP",
because I'm stupid. After full dump it appears it is a MTU issue - there
are a lot of messages like this:
----
IP 192.168.7.1 > 192.168.7.21: ICMP 192.168.168.41 unreachable - need to
frag (mtu 1428), length 56
----
I tried changing the version of OpenSWan upgrading and downgrading -
didn't work. After that tried with the "iptables -A FORWARD -p tcp --syn
-j TCPMSS --set-mss 1300" trick on both sides - didn't work. I did spend
2 days trying different routing rules, but without success. Finally I
managed to solve the problem.
If using the schema from my first message it appears that a command like
this: "iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS
--set-mss 1300" issued on the gateway in office 1 sometimes might work,
sometimes not. After some testing it appears that if I issue it several
times it works after the second or third or fourth time issued. I
couldn't figure out why this is happening. The same command though
issued on the gateway in office 3 works fine without the necessity of it
being issued in office 1. The only thing I noticed it is working if
issued after all other iptables rules. If I move it up in my iptables
script it doesn't work, so I put it at the end.
So everything worked fine until I noticed that because of using
"0.0.0.0/0" as a subnet the computers in office 3 couldn't reach their
gateway, nor the gateway could reach them. It appears that openswan is
sending everything trough the tunnel. After some testing I solved the
problem with a passthrough connection I managed to setup after several
tries.
Then I accidentally deleted the iptables rule which clamps the mss, but
everything continued working as expected. I tried this several times and
for sure this passtrough connection is fixing the isuue.
The only thing is I'm not sure if I did it right as I used for left and
right the internal addresses of the gateways (didn't work with the
external) and I'm not sure if I didn't do something stupid like the
traffic between the pcs in subnet 192.168.7.0/24 going unencrypted
trough the two gateways.
This is my current setup now:
In office 1:
-------
config setup
conn main-conn
ike=aes256
authby=secret
left=a.b.c.226
leftsubnet=0.0.0.0/0
leftsourceip=192.168.168.1
leftnexthop=a.b.c.225
right=x.y.z.49
rightsubnet=192.168.7.0/24
rightsourceip=192.168.7.1
rightnexthop=x.y.z.1
auto=start
--------
In office 3:
--------
config setup
conn passthrough
right=192.168.168.1
rightsubnet=192.168.7.0/24
left=192.168.7.1
leftsubnet=192.168.7.0/24
type=passthrough
authby=never
auto=route
conn main-conn
ike=aes256
authby=secret
right=a.b.c.226
rightsubnet=0.0.0.0/0
rightsourceip=192.168.168.1
rightnexthop=a.b.c.225
left=x.y.z.49
leftsubnet=192.168.7.0/24
leftsourceip=192.168.7.1
leftnexthop=x.y.z.1
auto=add
---------
Milen
More information about the Users
mailing list