[Openswan Users] mtu problems
muir.james.a at gmail.com
Sat Jan 10 15:19:53 EST 2009
> However, this doesn't seem to solve my problem. There is still a
> threshold packet-size beyond which my ip packets do not make it into the
> private network (e.g. "ping -s 1410" works but "ping -s 1411" does not).
It turned out that my router was using an mtu of 1400 while eth0 was
using an mtu of 1500. Changing the router's mtu to 1500 fixed things.
My guess is that openswan with netkey does not do path MTU discovery (or
at least it does not do it correctly).
btw, I discovered that the command ping -s SIZE is not the most
reliable way to determine if your tunnel has icmp fragmentation
problems. many machines will not reply to an icmp echo command that is
fragmented (e.g. ping -c 2 -s 1600 yahoo.com works, but ping -c 2 -s
1600 google.com does not.)
It is possible that ifconfig eth0 mtu 1400 would also have fixed my
problem -- if it did, I didn't notice because the machine I was trying
to ping doesn't respond to fragmented icmp echo commands.
More information about the Users