[Openswan Users] Nasty MTU problem - Please Help

Brian Foddy bfoddy at visi.com
Tue Jan 13 23:42:29 EST 2009 

I have a simple 2-net Openswan setup, both running 2.6.19 on recent Mandriva 
distros and kernels (2009/2008 on 2.6.27/2.6.22).  I've been a long-time user 
of Openswan with few problems, but recently made ISP changes that forced some 
changes.


NetA --------> G1 --> internet <-- G2 <----- NetB

NetA Host=10.20.0.10 (one of several)
G1 (eth1 internal 10.20.0.1, ppp0 external (using eth0))
G2 (eth1 inernal 10.20.1.1, eth0 external via dhcp)
NetB Host=10.20.1.10 (one of several)

          
Both G1 and G2 have DSL services, but G1 is using PPPoE (Roaring Pengiun 
3.8.5) through a Motorola 3347 DSL modem in bridging mode.  G2 has a standard 
DSL modem with standard network gateway settings (no PPP).  Both networks 
work fine by themselves. 

The pppoe command options on G1 are:
pppoe -m 1412 -I eth0

Sending files from a NetA host to NetB host works fine with scp.  Sending a 
file via scp from the same NetB host back to NetA always hangs (or long ssh 
output).  If I wireshark the transfer on the G2 internal eth1 I see the 
following packets:
10.20.1.10 -> 10.20.0.10 SSHv2 packet len=1448
10.20.1.1  -> 10.20.1.10 ICMP Destination unreachable (Fragmentation needed)
10.20.1.10 -> 10.20.1.10 SSHv2 packet len-1448
10.20.1.1  -> 10.20.1.10 ICMP Destination unreachable (Fragmentation needed)
10.20.1.10 -> 10.20.0.10 SSHV2 [TCP Out-of-order] len=1386
10.20.1.10 -> 10.20.0.10 SSHv2 [TCP Out-of-order] len=62

10.20.1.10 -> 10.20.0.10 SSHV2 [TCP Out-of-order] len=1386
10.20.1.10 -> 10.20.0.10 SSHv2 [TCP Out-of-order] len=62
10.20.0.10 -> 10.20.0.10 TCP   [TCP Dup ACK]

(I have saved the whole capture and can include if its needed).
then similar repeating patterns of 1386 length packets that never make it.  
The ssh packets are flags with don't fragment.  Its clear ssh is seeing the 
attempted mtu discovery, but it doesn't seem to be low enough.

If I ping from 10.20.1.10 to 10.20.0.10, a "ping -s 1394" will get through, 
but a "ping -s 1395" wont.  Reversing the pings (from 10.20.0.10 to 
10.20.1.10), anything over 1394 will produce 
From murdock.foddy.home (10.20.0.1) icmp_seq=1 Frag needed and DF set (mtu = 
1422)
before the pings start getting through.  Interestingly, if I ssh to G2 then to 
NetB host outside the VPN (normal internet SSH), the transfers never hang.  
So it seems to only be the vpn connections having the problem.

My ipsec.conf file is below (comments and non-critical sections removed)

========================================================================
version 2.0 

# basic configuration
config setup
       nat_traversal=no
        overridemtu=1440
        protostack=netkey

conn foddy
        left=216.160.0.218  
        leftsubnet=10.20.0.0/24
        leftid=@bfoddy.homeip.net
        leftrsasigkey=0sAQNd...
        leftnexthop=%defaultroute
        leftsourceip=10.20.0.1

        right=199.120.114.184
        rightsubnet=10.20.1.0/24
        rightid=@hfoddy.homeip.net
        rightrsasigkey=0sAQN...
        rightnexthop=%defaultroute
        rightsourceip=10.20.1.1
        auto=start     
==========================================================================

I thought I found the solution with the overridemtu, but a message on startup 
says its ignored with netkey configs.

Other tidbits, G1 has 2 Intel ePro100 cards.  I found references saying the 
eepro100 module was buggy and so I forced it to use the e100 driver, no help.  
G1 has 3 nic cards, eth0 (the ppp0), eth1 (internal), and eth2 connected to a 
vlan partition on the 3347 router for 2 separate wireless nets.
Both (G1 and G2) are running Shorewall,
G1 = 4.0.13
G2 = 3.4.4

On G1, I have set /etc/shorewall/shorewall.conf CLAMPSS=Yes as suggested by 
that documentation.

How can I get this working, short of forcing all G2 traffic to a smaller MTU 
that would affect a lot more traffic than just the VPN?

Thanks,
Brian

More information about the Users mailing list