[Openswan Users] Problems when using subnet

Милен Панков mpankov at vereo.bg
Tue Jul 3 07:51:48 EDT 2007

Michael Smith wrote:

> Hi Milen,
> I've only rarely seen MTU problems with Openswan 2.4.x and NETKEY. As far 
> as I can tell, the only common factors were either:
> 1) the tunnel had a subnet;
> 2) or, some other tunnel on the gateway had subnet
> I think I last saw this with Openswan 2.4.7 on kernel It was 
> also present in 2.4.4 +
> Sometimes only Windows boxes would be affected -- they would receive ICMP 
> fragmentation needed messages but for some reason ignore them. Other times 
> both Windows and Linux would fail to reduce packet size because 
> the ICMP messages were dropped by one of the IPsec gateways (sorry, I 
> forget which).
> I think reducing the MTU on the public interface wouldn't help - it'll 
> only increase the need for fragmentation. Try the iptables MSS trick, it 
> might work.
> If you control the servers and clients on both ends, you can try adding 
> static routes with smaller MTU on each of them:
> ip route add via mtu 1300
> You could look for an iptables mangle target that could strip the "don't 
> fragment" bit on packets.
> Maybe you could try KLIPS, it might work differently. (With Openswan 1.0.6 
> at least it ignored the DF bit on packets, so they would always be 
> fragmented at the IPsec gateway if required.)
> Mike

Hi and thanks for the answers.

As I wrote in my previous message, I managed to fix things with this.
I am curious, though, how it is possible to do this with routing rules. I
tried many things, but didn't manage to get any of them working.
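For anyone hitting the same problem, the following is an added example and not code from the thread or from the Openswan project. It puts numbers behind Mike's two suggestions: the per-route MTU and "the iptables MSS trick" (the TCPMSS mangle target). The ESP overhead figure assumes a tunnel-mode AES-CBC/HMAC-SHA1-96 SA; the interface-free rules, the remote subnet and the gateway address are placeholders you substitute for your own. The script only prints the iptables/ip commands so it can be run without root; the ping-based probe at the end is the check to run first when you suspect "fragmentation needed" ICMP is being dropped between the gateways.

```shell
#!/bin/sh
# Added example (not from the Openswan thread): size an MSS clamp / route MTU
# for hosts behind an IPsec gateway and print the commands to apply by hand.

# Worst-case ESP tunnel-mode overhead for an assumed AES-CBC + HMAC-SHA1-96 SA:
# outer IPv4 header 20 + SPI/sequence 8 + IV 16 + padding up to 15
# + pad-length/next-header 2 + ICV 12 = 73 bytes. Adjust for other suites.
ESP_OVERHEAD=73

# inner_mtu <public_mtu>: largest inner IP packet that still fits in one
# ESP packet on the public interface without fragmentation.
inner_mtu() {
    echo $(( $1 - ESP_OVERHEAD ))
}

# tcp_mss <mtu>: TCP MSS = MTU - IPv4 header (20) - TCP header (20).
tcp_mss() {
    echo $(( $1 - 40 ))
}

# print_rules <public_mtu> <remote_subnet> <next_hop>
# Emits (does not execute) the gateway-side clamp and the host-side route.
print_rules() {
    mtu=$(inner_mtu "$1")
    mss=$(tcp_mss "$mtu")
    cat <<EOF
# On the IPsec gateway: clamp the MSS of forwarded SYNs to the path MTU
iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
# ...or set a fixed MSS when PMTU discovery is broken because ICMP
# "fragmentation needed" is dropped somewhere on the path
iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss $mss
# On each end host (if you control them): lower the MTU only for the remote subnet
ip route add $2 via $3 mtu $mtu
EOF
}

# probe_pmtu <host> [low] [high]: binary-search the largest IP packet size
# that reaches <host> with DF set (iputils ping, -M do = never fragment).
# Needs network access; a host that does not answer at all returns <low>.
probe_pmtu() {
    host=$1; lo=${2:-576}; hi=${3:-1500}
    while [ "$lo" -lt "$hi" ]; do
        mid=$(( (lo + hi + 1) / 2 ))
        # -s takes the ICMP payload: subtract IPv4 (20) + ICMP (8) headers
        if ping -M do -c 1 -W 2 -s $(( mid - 28 )) "$host" >/dev/null 2>&1; then
            lo=$mid
        else
            hi=$(( mid - 1 ))
        fi
    done
    echo "$lo"
}

# Usage (placeholder addresses): a 1500-byte public MTU leaves 1427 bytes for
# the inner packet, so TCP through the tunnel should carry an MSS of 1387.
print_rules 1500 10.0.1.0/24 192.168.0.1
```

If the probe reports a value well below what `inner_mtu` predicts, something on the path is already eating the ICMP responses, which is the situation where `--set-mss` beats `--clamp-mss-to-pmtu`; if a Windows host keeps sending full-size frames anyway, it is ignoring the ICMP (as Mike describes) and only the gateway-side clamp or a per-route MTU on that host will help. Note the clamp only fixes TCP; UDP-heavy protocols still need the route MTU or DF-stripping approach.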


