[Openswan Users] MTU again (netkey fragmentation)

Cameron Davidson cam73 at aanet.com.au
Thu Mar 1 11:29:49 EST 2007

Harald Scharf wrote:
> OK. It's me again.
> Problem: Servers, with services where fragmentation is not allowed (DF).
> In my case: 
> Client sends a query to a server (https) -> Server answers with https (DF).
> Packet arrives openswan box -> Box sends (fragment) -> Server says NO,
> and that is the end of the communication.

It shouldn't be - the server is supposed to resend the packet with a 
smaller size. That is the entire point of DF and PMTU discovery.

Most likely Benny is right - the "server" (you did say it was XP at both 
ends) is not getting the ICMP fragmentation needed messages.
Have you run wireshark on the server? Have you checked the firewalls on 
the machine receiving these messages?

> Paul: It can not be the solution to lower the MTU, and slow down LAN.
> And this will not work on services, which set DF in their packets.
According to tests I did, XP learns and saves mtu values that are 
specific to the target IP address. You do not change mtu on the LAN.

When you have asymmetrical mtu (netkey at one end, Klips at the other) 
then big pings can sometimes fail. But once one end has learned the mtu 
then MSS takes over and tcp connections work properly.
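The exchange Cameron describes, as an added example that is not part of the original post or of Openswan: a router drops an oversize DF packet and returns ICMP Fragmentation Needed (type 3 code 4, RFC 1191), the sender records the reported MTU for that one destination, and TCP's MSS follows from it. The addresses (10.0.0.1 for the openswan box, 10.0.0.2 for the server, 192.168.1.10 for the client), the tunnel MTU of 1442 and all packet bytes are constructed for the example; the plateau table is the one in RFC 1191 section 7.1.

```python
"""Added example, not from the Openswan list post: ICMPv4 Fragmentation Needed
parser plus a per-destination path-MTU cache. All addresses, MTUs and packets
are constructed for the example, nothing here is captured traffic."""
import struct
from dataclasses import dataclass

IPV4_HDR_LEN, TCP_HDR_LEN = 20, 20
ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED = 3, 4
DF = 0x4000  # "don't fragment" bit in the IPv4 flags/offset field
# RFC 1191 section 7.1 plateau table, used when a router reports next-hop MTU 0
PLATEAUS = (65535, 32000, 17914, 8166, 4352, 2002, 1492, 1006, 508, 296, 68)


def ipv4_header(src, dst, total_len, proto, df):
    """20-byte IPv4 header, no options; checksum left zero (offline example)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234,
                       DF if df else 0, 64, proto, 0,
                       bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))


def frag_needed(router, original, next_hop_mtu):
    """What a router sends to the source of a DF packet it could not forward:
    type 3 code 4 carrying the next-hop MTU and the dropped IP header + 8 bytes."""
    orig_src = ".".join(map(str, original[12:16]))
    quoted = original[:(original[0] & 0x0F) * 4 + 8]
    icmp = struct.pack("!BBHHH", ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, 0, 0, next_hop_mtu) + quoted
    return ipv4_header(router, orig_src, IPV4_HDR_LEN + len(icmp), 1, False) + icmp


@dataclass
class FragNeeded:
    reporter: str      # router that dropped the packet
    next_hop_mtu: int  # 0 from routers predating RFC 1191
    orig_src: str
    orig_dst: str
    orig_len: int      # total length of the dropped packet


def parse_frag_needed(datagram):
    """Return a FragNeeded for an ICMPv4 type 3 code 4 datagram, else None."""
    if len(datagram) < 56 or datagram[0] >> 4 != 4 or datagram[9] != 1:
        return None
    icmp = datagram[(datagram[0] & 0x0F) * 4:]
    if len(icmp) < 36:
        return None
    itype, icode, _csum, _unused, mtu = struct.unpack("!BBHHH", icmp[:8])
    inner = icmp[8:]  # quoted header of the dropped packet
    if (itype, icode) != (ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED) or inner[0] >> 4 != 4:
        return None
    return FragNeeded(".".join(map(str, datagram[12:16])), mtu,
                      ".".join(map(str, inner[12:16])), ".".join(map(str, inner[16:20])),
                      struct.unpack("!H", inner[2:4])[0])


class PmtuCache:
    """One path MTU per destination, seeded from the link MTU: the LAN MTU itself
    never changes, which is the per-target behaviour the post attributes to XP."""
    def __init__(self, link_mtu=1500):
        self.link_mtu, self.table = link_mtu, {}

    def mtu_for(self, dst):
        return self.table.get(dst, self.link_mtu)

    def can_send(self, dst, total_len):
        """A DF packet may only go out if it fits the known path MTU."""
        return total_len <= self.mtu_for(dst)

    def learn(self, report):
        """Apply a report; returns the new MTU, or None if ignored (a report may
        never raise the MTU, and nothing below the 68-byte IPv4 minimum is trusted)."""
        new = report.next_hop_mtu or max((p for p in PLATEAUS if p < report.orig_len), default=0)
        if new < 68 or new >= self.mtu_for(report.orig_dst):
            return None
        self.table[report.orig_dst] = new
        return new

    def tcp_mss_for(self, dst):
        """MSS toward dst: path MTU minus IPv4 and TCP headers ("MSS takes over")."""
        return self.mtu_for(dst) - IPV4_HDR_LEN - TCP_HDR_LEN


def run_scenario(tunnel_mtu=1442, deliver_icmp=True):
    """Server 10.0.0.2 answers client 192.168.1.10 with a 1500-byte DF packet that
    the openswan box 10.0.0.1 (hypothetical addresses) cannot fit into its tunnel.
    deliver_icmp=False models a host firewall eating the box's report."""
    server, client, box = "10.0.0.2", "192.168.1.10", "10.0.0.1"
    cache = PmtuCache(link_mtu=1500)
    answer = ipv4_header(server, client, 1500, 6, df=True) + bytes(1480)
    first_fits = cache.can_send(client, len(answer))  # first attempt goes out at 1500
    report = frag_needed(box, answer, tunnel_mtu)     # box drops it and reports
    learned = cache.learn(parse_frag_needed(report)) if deliver_icmp else None
    return {"first_fits": first_fits, "learned": learned,
            "can_resend_1500": cache.can_send(client, 1500),
            "mss": cache.tcp_mss_for(client),
            "lan_mtu_unchanged": cache.mtu_for("10.0.0.3") == 1500}


if __name__ == "__main__":
    print(run_scenario())                     # ICMP arrives: MTU 1442, MSS 1402
    print(run_scenario(deliver_icmp=False))   # ICMP lost: server keeps trying 1500
```

With `deliver_icmp=False` the cache never changes, `can_resend_1500` stays true, and the server keeps retrying full-size DF packets that the box keeps dropping, which is the stall in the original question; that is why checking for a firewall dropping ICMP on the server is the first step. On a Linux host the same per-destination state can be seen with `ip route get <dst>` after a `ping -M do -s 1472 <dst>` has provoked the report.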

