[Openswan Users] Phase 1 hangs

Willie Gillespie wgillespie+openswan at es2eng.com
Fri Aug 13 04:27:33 EDT 2010

Erich Titl wrote:
> I have verified the IKE fragmentation issue, indeed the packet gets
> fragmented. What puzzles me is that the same setup, also with a
> fragmented packet makes it from another system, although not over ppp.
> Looking at the packets on the central host, it is obvious that the
> fragmented packet from one site gets reassembled whereas the one from
> the failing site does not even arrive. It looks like someone in the
> middle drops the second packet.

I had a similar issue once (may be a different problem than yours 
though) where the ISP was blocking ICMP messages besides pings.  So 
without getting the "fragmentation required, and DF flag set" message 
back, the packets would just disappear into a black hole.

However, if I manually set my MTU to a lower number, then my packets 
would make it through because it would realize that it had to fragment 
them earlier on.

It was a messy workaround, and I no longer use that ISP -- but I wonder 
if something similar is happening for you.
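
Added example, not part of the original post: a constructed Python simulation (no real traffic is sent) of the black hole described above, showing a DF-marked packet vanishing when the ICMP error is filtered and surviving once the sender's MTU is lowered. The hop MTUs, the 1800-byte datagram size and all function names are assumptions chosen for illustration.

```python
IP_HDR = 20                      # IPv4 header without options, bytes
PATH = [1500, 1492, 1500]        # constructed hop MTUs; one hop is smaller


def fragment(total_len, mtu):
    """Split an IP datagram into the fragment sizes a sender with this MTU emits."""
    if total_len <= mtu:
        return [total_len]
    chunk = (mtu - IP_HDR) // 8 * 8          # fragment payloads are multiples of 8
    payload, sizes = total_len - IP_HDR, []
    while payload > 0:
        part = min(chunk, payload)
        sizes.append(part + IP_HDR)
        payload -= part
    return sizes


def transmit(sizes, hop_mtus, icmp_filtered):
    """Send DF-marked packets. Returns (sizes delivered, ICMP errors the sender sees)."""
    delivered, icmp_seen = [], []
    for size in sizes:
        blocking = next((m for m in hop_mtus if size > m), None)
        if blocking is None:
            delivered.append(size)
        elif not icmp_filtered:
            icmp_seen.append(blocking)       # "fragmentation required, and DF flag set"
        # else: dropped silently, the sender gets no signal at all (black hole)
    return delivered, icmp_seen


def probe_path_mtu(hop_mtus, icmp_filtered, low=576, high=1500):
    """Find the largest DF packet that arrives, using delivery success only.

    Works even when ICMP is filtered. Assumes a packet of `low` bytes gets through.
    """
    while low < high:
        mid = (low + high + 1) // 2
        if transmit([mid], hop_mtus, icmp_filtered)[0]:
            low = mid
        else:
            high = mid - 1
    return low


if __name__ == "__main__":
    big = 1800                               # constructed size of a large IKE datagram
    for mtu in (1500, 1400):
        sizes = fragment(big, mtu)
        print(mtu, sizes, transmit(sizes, PATH, icmp_filtered=True))
    print("usable path MTU:", probe_path_mtu(PATH, icmp_filtered=True))
```
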

