[Openswan Users] Question about fragmented UDP packets and some DSL boxes

Paul Wouters paul at xelerance.com
Tue Jun 8 08:55:43 EDT 2010


On Tue, 8 Jun 2010, alet at librelogiciel.com wrote:

> To make it work, it seems the ISP had to change the box's configuration
> to reject fragmented UDP packets, which are accepted by default by his
> box (I don't understand why such a change is needed, but this is another
> problem)

I don't understand this either.

> Unfortunately many of our future VPN users already use such a box from
> the same ISP (one of the biggest here), so there will be a lot of
> problems involving for each user at least one phone call to the ISP,
> delays, etc...
>
> Is there a solution to this problem on the openswan side, which would
> "magically" solve the problem for all the users coming from this ISP?

Lowering the MTU on your client's public interface?

Not using X.509 but using PSK might result in smaller IKE packets too.
(though AFAIK, X.509 with 1024-bit keys should be fine)

Paul

