[Openswan Users] Problems when using subnet 0.0.0.0/0
Ruben Laban
r.laban at ism.nl
Fri Jun 29 06:42:28 EDT 2007
On Friday 29 June 2007, Милен Панков wrote:
> Ruben Laban wrote:
> > On Friday 29 June 2007, Милен Панков wrote:
> >> This somewhat worked. SNAT and DNAT are working and the connectivity
> >> between the offices is working, but it is very slow and gives a lot of
> >> timeouts. For example if someone in office 1 tries to set up a Remote
> >> Desktop Connection to a PC in office 3 it takes about 5-10 minutes just
> >> to log in or ends with a connection timeout. Everything works fine if I
> >> revert to the old configuration.
> >> So I'm missing something, but I can't figure out what and the Wiki isn't
> >> saying anything in detail. Any help is appreciated.
> >
> > This sounds like an MTU issue. Depending on the ipsec stack you are using
> > (NETKEY or KLIPS), there are various ways to get around this issue. Using
> > overridemtu in the config is one (for KLIPS only) or use iptables to
> > alter the MSS for those packets (for both KLIPS and NETKEY).
> >
> > Regards,
>
> I'm using NETKEY, so I changed the MTU directly on the public interface
> of the gateway in office 3 - I tried values from 1440 to 500, but this
> did not help.
You could give iptables a try. Something in the order of:
iptables -A FORWARD -p tcp --syn -j TCPMSS --set-mss 1300
If possible you should run a tcpdump on both ends of the tunnel to see if it's
actually an MTU issue (big packets sent from one side not arriving at the
other side).
HTH,
--
Ruben
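The check Ruben describes (capture on both ends, look for large packets that leave one gateway but never reach the other) can be automated. The script below is an added example written for this archive page, not code from the thread or from the Openswan project. It parses two tcpdump captures taken on the LAN-facing interfaces of the two gateways (inside the tunnel, so the inner TCP headers are visible), matches segments by address, port and sequence number, and reports whether the lost segments are exactly the large ones, which is the signature of a path MTU problem. The capture lines, addresses and ports are constructed sample data, and the function names are my own.

```python
"""Compare tcpdump captures from both ends of an IPsec tunnel and report
whether only large segments go missing (the classic MTU/fragmentation symptom).
All sample data below is constructed for this example."""
import re

# Fields of a "tcpdump -n" TCP line that we need. Constructed for the sample
# lines below; real captures vary in detail, so adapt the pattern to yours.
LINE_RE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[[^\]]*\], "
    r"(?:seq (?P<seq>\d+)(?::\d+)?, )?.*length (?P<length>\d+)"
)

# Constructed capture from the office 1 gateway (inside interface): one RDP
# client sending a SYN, a small segment, two full-size segments and a small one.
SENDER_CAPTURE = """\
12:00:01.000100 IP 10.0.1.5.49152 > 10.0.3.7.3389: Flags [S], seq 1000, win 65535, options [mss 1460], length 0
12:00:01.050200 IP 10.0.1.5.49152 > 10.0.3.7.3389: Flags [.], seq 1001:1061, ack 1, win 65535, length 60
12:00:01.060300 IP 10.0.1.5.49152 > 10.0.3.7.3389: Flags [P.], seq 1061:2521, ack 1, win 65535, length 1460
12:00:01.070400 IP 10.0.1.5.49152 > 10.0.3.7.3389: Flags [P.], seq 2521:3981, ack 1, win 65535, length 1460
12:00:01.080500 IP 10.0.1.5.49152 > 10.0.3.7.3389: Flags [P.], seq 3981:4481, ack 1, win 65535, length 500
"""

# Constructed capture from the office 3 gateway (inside interface): the two
# 1460-byte segments never show up, everything smaller does.
RECEIVER_CAPTURE = """\
12:00:01.020100 IP 10.0.1.5.49152 > 10.0.3.7.3389: Flags [S], seq 1000, win 65535, options [mss 1460], length 0
12:00:01.070200 IP 10.0.1.5.49152 > 10.0.3.7.3389: Flags [.], seq 1001:1061, ack 1, win 65535, length 60
12:00:01.100500 IP 10.0.1.5.49152 > 10.0.3.7.3389: Flags [P.], seq 3981:4481, ack 1, win 65535, length 500
"""


def parse_capture(text):
    """Return {(src, sport, dst, dport, seq): payload_length} for every line
    that carries a sequence number. Pure ACKs without 'seq' are skipped because
    they cannot be matched unambiguously between the two captures."""
    segments = {}
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m or m.group("seq") is None:
            continue
        key = (m.group("src"), m.group("sport"), m.group("dst"),
               m.group("dport"), int(m.group("seq")))
        segments[key] = int(m.group("length"))
    return segments


def find_lost(sender, receiver):
    """Segments that left the sending gateway but never arrived at the other."""
    return {key: length for key, length in sender.items() if key not in receiver}


def summarize(sender, receiver):
    """Decide whether the loss pattern looks like an MTU problem: every lost
    segment is larger than every delivered one. 'suggested_max_mss' is a
    heuristic upper bound for an MSS clamp (largest payload seen to get through)."""
    lost = find_lost(sender, receiver)
    delivered = {key: length for key, length in sender.items() if key in receiver}
    largest_delivered = max(delivered.values(), default=0)
    smallest_lost = min(lost.values(), default=None)
    looks_like_mtu = (largest_delivered > 0 and smallest_lost is not None
                      and smallest_lost > largest_delivered)
    return {
        "delivered": len(delivered),
        "lost": len(lost),
        "largest_delivered": largest_delivered,
        "smallest_lost": smallest_lost,
        "looks_like_mtu": looks_like_mtu,
        "suggested_max_mss": largest_delivered if looks_like_mtu else None,
    }


if __name__ == "__main__":
    report = summarize(parse_capture(SENDER_CAPTURE), parse_capture(RECEIVER_CAPTURE))
    for name, value in report.items():
        print(f"{name}: {value}")
```

Run it against real captures by replacing the two constructed strings with the output of `tcpdump -n` from each gateway's inside interface. If `looks_like_mtu` is true, the largest segment that still gets through is a reasonable ceiling for the `--set-mss` value in the iptables rule above; with the sample data that ceiling is 500 bytes only because the constructed capture has no larger surviving segment, and a real capture will normally show a higher one.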