[Openswan Users] PMTU issues

David L. Cathey davidc at montagar.com
Thu May 22 11:14:33 EDT 2008

Having some issues serving NFS disks over a VPN, and it only appears to
affect some of the VPN clients.  The main server is running Openswan: 

# ipsec --version
Linux Openswan U2.4.9/K2.6.24.4-64.fc8 (netkey)
# uname -a
Linux iptables #1 SMP Sat Mar 29 09:54:46 EDT 2008 i686 athlon i386 GNU/Linux

The remote side is a SonicWall TZ150 with authentication using 3rd party
digital certificates which I've created.

Tunnel comes up great, and everything seems okay until they login, and
then the system freezes.  'df' hangs when trying to get info on the NFS
mount, and any further access to the NFS disk hangs.  I've tried
switching to udp, and setting the rsize/wsize, to limited effect.

The SonicWall has the 'handle fragmentation' set, and I've tried
toggling the "Ignore DF" to no effect.  Reducing the MTU for client eth0
to 1400 appeared to help some, but there were still problems.  The
OpenSwan side has ICMP fragmentation-needed fully enabled across all
interfaces, but iptables -L -v doesn't seem to log any counts of them,
nor have I seen any via tcpdump.

So far, the only thing that seems to have helped is setting
net.ipv4.ip_no_pmtu_disc=1 and avoiding PMTU altogether.

The client that has the most problem is on a cable modem.  DSL clients
appear to work much better.

Anyone else seen problems like this, and found another solution to pmtu
issues?  I'm willing to keep this configuration, but it's just another
thing to have to remember to set up, since pmtu discovery is the default
network setting.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
David L. Cathey                      |Inet: davidc at montagar.com
Montagar Software, Inc.              |Fone: (972)-423-5224
P. O. Box 260772, Plano, TX 75026    |http://www.montagar.com
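The ESP size budget behind the symptoms in the post above, as an added example (not part of the original message, and not Openswan code): it models the tunnel-mode ESP overhead so you can see why a client MTU of 1500 cannot survive a 1500-byte outer path, what inner MTU does fit, and which TCP MSS a SYN would have to advertise for the peer's full segments to fit without relying on ICMP fragmentation-needed getting through. Assumptions (mine, not from the post): AES-CBC with a 16-byte block and IV, HMAC-SHA1-96 with a 12-byte ICV, an option-free IPv4 outer header, UDP NAT-T encapsulation on by default, no ESN; the function names are mine, and the kernel's own xfrm MTU computation may differ by a few bytes.

```python
"""ESP size budget for an IPsec tunnel (added example, not from the original post).

Assumptions, not from the post: tunnel-mode ESP, AES-CBC with a 16-byte block
and IV, HMAC-SHA1-96 (12-byte ICV), IPv4 outer header without options, UDP
NAT-T encapsulation on by default, no ESN. The kernel's own xfrm MTU figure
may differ by a few bytes; the shape of the calculation is what matters.
"""

IPV4_HDR = 20       # outer IPv4 header (no options)
UDP_HDR = 8         # NAT-T encapsulation (UDP/4500)
TCP_HDR = 20        # inner TCP header (no options), used for the MSS figure
ESP_HDR = 8         # SPI + sequence number
ESP_TRAILER = 2     # pad-length + next-header bytes, always present


def _esp_fixed_overhead(iv_len, icv_len, nat_t):
    """Bytes added outside the encrypted region for every packet."""
    return IPV4_HDR + (UDP_HDR if nat_t else 0) + ESP_HDR + iv_len + icv_len


def esp_outer_size(inner_len, block=16, iv_len=16, icv_len=12, nat_t=True):
    """Bytes on the wire for an inner packet of inner_len bytes.

    The encrypted region (inner packet + padding + 2-byte trailer) must be a
    whole number of cipher blocks, so padding rounds it up to `block`.
    """
    encrypted = inner_len + ESP_TRAILER
    encrypted += (-encrypted) % block
    return _esp_fixed_overhead(iv_len, icv_len, nat_t) + encrypted


def esp_inner_mtu(outer_mtu, block=16, iv_len=16, icv_len=12, nat_t=True):
    """Largest inner packet that fits in one outer packet of outer_mtu bytes."""
    avail = outer_mtu - _esp_fixed_overhead(iv_len, icv_len, nat_t)
    avail -= avail % block      # only whole cipher blocks can be used
    return avail - ESP_TRAILER


def tcp_mss_for(outer_mtu, **esp):
    """TCP MSS to advertise so a full segment never exceeds outer_mtu after ESP."""
    return esp_inner_mtu(outer_mtu, **esp) - IPV4_HDR - TCP_HDR


def fits(inner_mtu, outer_path_mtu, **esp):
    """True if a full-size inner packet crosses the outer path without fragmenting."""
    return esp_outer_size(inner_mtu, **esp) <= outer_path_mtu


if __name__ == "__main__":
    # Constructed scenario: 1500-byte outer path, the two client MTUs from the post.
    for inner in (1500, 1400):
        print(f"inner MTU {inner}: outer packet {esp_outer_size(inner)} bytes, "
              f"fits a 1500 path: {fits(inner, 1500)}")
    print("largest inner MTU for a 1500-byte path:", esp_inner_mtu(1500))
    print("TCP MSS that keeps full segments inside it:", tcp_mss_for(1500))
```

With the assumed algorithms, a 1500-byte inner packet encrypts to 1568 bytes and can only pass if the path fragments it or an ICMP fragmentation-needed reaches the sender; if those ICMPs are filtered somewhere on the path, TCP simply stalls, which is the classic PMTU black hole. A 1400-byte client MTU comes out at 1472 and fits. The MSS figure is the value you would hand to iptables' TCPMSS target (`--set-mss`) on forwarded SYNs as an alternative to switching PMTU discovery off; note that this covers TCP only, so NFS over UDP still depends on fragmentation being handled.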
