[Openswan Users] mtu problems

James Muir muir.james.a at gmail.com
Sat Jan 10 15:19:53 EST 2009

> However, this doesn't seem to solve my problem.  There is still a 
> threshold packet-size beyond which my ip packets do not make it into the 
> private network (e.g. "ping -s 1410" works but "ping -s 1411" does not).

Problem solved.

It turned out that my router was using an mtu of 1400 while eth0 was 
using an mtu of 1500.  Changing the router's mtu to 1500 fixed things. 
My guess is that openswan with netkey does not do path MTU discovery (or 
at least it does not do it correctly).

btw, I discovered that the command  ping -s SIZE  is not the most 
reliable way to determine if your tunnel has icmp fragmentation 
problems.  many machines will not reply to an icmp echo command that is 
fragmented (e.g. ping -c 2 -s 1600 yahoo.com  works, but ping -c 2 -s 
1600 google.com  does not.)

It is possible that  ifconfig eth0 mtu 1400  would also have fixed my 
problem -- if it did, I didn't notice because the machine I was trying 
to ping doesn't respond to fragmented icmp echo commands.


More information about the Users mailing list