[Openswan Users] Phase 1 hangs

Michael Smith msmith at cbnco.com
Fri Aug 13 09:45:41 EDT 2010

Erich Titl wrote:

> Looking at the packets on the central host, it is obvious that the
> fragmented packet from one site gets reassembled whereas the one from
> the failing site does not even arrive. It looks like someone in the
> middle drops the second packet.

I've seen ISPs do terrible things with large UDP packets. One of them 
even cut the last 8 bytes off the first fragment.

How much control do you have over the client? You could drop the MTU on 
the interface, or add an override route:

ip route add <central host> via <client's def gw> mtu 1300 advmss 1260
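
Added example, not part of the original post: a small shell calculator showing how one large IKE UDP datagram is split into IPv4 fragments at a 1500-byte MTU versus the 1300-byte route MTU suggested above, and why advmss 1260 pairs with mtu 1300. The 1900-byte payload size and the function names are constructed for illustration; a 20-byte IPv4 header without options is assumed.

```shell
#!/bin/sh
# Constructed example: IPv4 fragment layout for a single UDP datagram
# (for instance an IKE Phase 1 message carrying a certificate).
# Assumptions: 20-byte IPv4 header (no options), 8-byte UDP, 20-byte TCP header.

IP_HDR=20
UDP_HDR=8
TCP_HDR=20

# frag_layout <udp_payload_bytes> <mtu>
# Prints one line per fragment: index, byte offset, IP payload length,
# on-wire packet length and the More Fragments flag.
frag_layout() {
    total=$(( $1 + UDP_HDR ))          # IP payload = UDP header + data
    fit=$(( $2 - IP_HDR ))             # most IP payload one packet can carry
    max=$(( fit / 8 * 8 ))             # non-final fragments: multiple of 8 bytes
    off=0
    n=1
    while [ "$off" -lt "$total" ]; do
        len=$(( total - off ))
        mf=0
        if [ "$len" -gt "$fit" ]; then # remainder does not fit: emit a full fragment
            len=$max
            mf=1
        fi
        echo "frag=$n offset=$off ip_payload=$len packet=$(( len + IP_HDR )) MF=$mf"
        off=$(( off + len ))
        n=$(( n + 1 ))
    done
}

# frag_count <udp_payload_bytes> <mtu>: number of packets on the wire
frag_count() { frag_layout "$1" "$2" | wc -l | tr -d ' '; }

# advmss_for <mtu>: TCP MSS that fits the route MTU (MTU minus IP and TCP headers)
advmss_for() { echo $(( $1 - IP_HDR - TCP_HDR )); }

# Demo with a constructed 1900-byte IKE payload
echo "MTU 1500:"; frag_layout 1900 1500
echo "MTU 1300:"; frag_layout 1900 1300
echo "advmss for mtu 1300: $(advmss_for 1300)"
```

The datagram is still fragmented at 1300, but no fragment is larger than 1300 bytes on the wire; comparing this layout with a capture on the central host shows which fragment is being dropped or truncated in transit.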

