[Openswan Users] L2TP/IPsec fragmentation?

Tom Robinson tom.robinson at motec.com.au
Wed Jun 22 22:29:13 EDT 2011


CentOS release 5.6 (Final)
Linux Openswan U2.6.33/K2.6.18-238.12.1.el5 (netkey)
xl2tpd version:  xl2tpd-1.2.6

Hi,

I have a set-up with several Windows (XP, Windows 7) roadwarriors
connecting via L2TP/IPsec VPN. All worked fine until a few days ago. Some
users can still connect, but it seems packets are getting fragmented,
disallowing access to some services on the VPN (e.g. some samba shares,
POP mail accounts via Outlook).

Part of my debugging problem is that the roadwarriors use all kinds of
different service providers to connect (3G USB modems, 3G mobiles, home
internet plans, hotel wifi, etc.).

I have set some client registry settings to do PMTU and PMTU Black Hole
detection. On the server I have enabled ICMP and also set
net.ipv4.tcp_mtu_probing = 1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnablePMTUBHDetect = 1
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnablePMTUDiscovery = 1

options.xl2tpd had mtu 1372 and mru 1372.

On the Windows client I see the VPN interface MTU being set to 1372
(using c:\> netsh interface ipv4 show interfaces)

When I lowered the mtu and mru to 1280 many of the issues went away but I
still see some fragmentation. The client reflects that change in its
VPN MTU also being set to 1280.

My questions are: What is the recommended setting and can I go any
lower? Is there any other issue I'm overlooking? Config files provided
on request.

Regards

-- 

Tom Robinson
System Administrator

MoTeC

121 Merrindale Drive
Croydon South
3136 Victoria
Australia

T: +61 3 9761 5050
F: +61 3 9761 5051   
E: tom.robinson at motec.com.au
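
The arithmetic behind the mtu/mru question above, as an added example that is not part of the original post: it computes the on-wire size of an L2TP/IPsec (ESP transport mode) packet for a given PPP MTU, and the largest PPP MTU that fits a given path MTU. The cipher, ICV, NAT-T, L2TP and PPP header sizes, the path MTUs, and the names `Profile`, `wire_size` and `max_inner_mtu` are assumptions, not values from the post.

```python
# Added example: ESP transport-mode overhead for L2TP/IPsec (all sizes in bytes).
# Cipher/header sizes below are assumptions about the negotiated proposal,
# not values taken from the original post.
from dataclasses import dataclass

IP_HDR = 20        # outer IPv4 header, no options
UDP_HDR = 8        # used for NAT-T (UDP 4500) and for L2TP (UDP 1701)
ESP_HDR = 8        # SPI + sequence number
ESP_TRAILER = 2    # pad-length + next-header bytes


@dataclass(frozen=True)
class Profile:
    block: int          # cipher block size (AES-CBC 16, 3DES-CBC 8)
    iv: int             # IV length, equals block size for CBC
    icv: int = 12       # HMAC-SHA1-96 / HMAC-MD5-96 truncated tag
    nat_t: bool = True  # roadwarrior behind NAT -> ESP-in-UDP
    l2tp: int = 8       # L2TP data header with length field, no sequencing
    ppp: int = 4        # PPP address/control + protocol, no compression

    def fixed(self) -> int:
        """Cleartext bytes in front of and behind the ciphertext."""
        return IP_HDR + (UDP_HDR if self.nat_t else 0) + ESP_HDR + self.iv + self.icv

    def inner_hdrs(self) -> int:
        """Encrypted bytes wrapped around the tunnelled IP packet."""
        return UDP_HDR + self.l2tp + self.ppp


def wire_size(inner_len: int, p: Profile) -> int:
    """Size on the wire of one tunnelled IP packet of inner_len bytes."""
    clear = p.inner_hdrs() + inner_len + ESP_TRAILER
    padded = -(-clear // p.block) * p.block   # ESP pads to the block size
    return p.fixed() + padded


def max_inner_mtu(path_mtu: int, p: Profile) -> int:
    """Largest PPP MTU whose packets fit in path_mtu without fragmenting."""
    room = (path_mtu - p.fixed()) // p.block * p.block
    return room - ESP_TRAILER - p.inner_hdrs()


AES = Profile(block=16, iv=16)
TDES = Profile(block=8, iv=8)

if __name__ == "__main__":
    for mtu in (1372, 1280):                      # values from the post
        print(f"PPP MTU {mtu}: {wire_size(mtu, AES)} bytes on the wire (AES, NAT-T)")
    for path in (1500, 1492, 1400):               # constructed path MTUs
        print(f"path MTU {path}: PPP MTU <= {max_inner_mtu(path, AES)} (AES), "
              f"{max_inner_mtu(path, TDES)} (3DES)")
```

Comparing `wire_size()` for the configured mtu against the path MTU actually measured from a client shows whether the ESP packets themselves can be the ones fragmenting.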
