[Openswan Users] KLIPS MTU problem
Paul Overton
paul at trusted-management.com
Wed Jun 29 06:50:14 EDT 2011
Paul,
Many thanks for your reply and that of Roel.
I can confirm that protostack=klips is configured, and that the servers in question were using klips.
I have done some tests using 2.6.31, 2.6.33 and 2.6.34.
From what I see, the overridemtu= setting works up to 2.6.31.
2.6.33 ignores both mtu= within the connection specific settings and overridemtu= as a global setting.
2.6.34 sets the route specific MTU by using iproute2, but seems to ignore the overridemtu setting.
I note that when using versions 2.6.31 or earlier, the MTU of the ipsecx interface is set when klips starts up if the overridemtu directive is set. In versions 2.6.33 and 2.6.34 the MTU of the ipsecx interface does not change even if overridemtu is set.
Regards Paul
-----Original Message-----
From: Paul Wouters [mailto:paul at xelerance.com]
Sent: 28 June 2011 15:48
To: Paul Overton
Cc: users at openswan.org
Subject: Re: [Openswan Users] KLIPS MTU problem
On Tue, 28 Jun 2011, Paul Overton wrote:
> I have been using openswan for a number of years and generally have no issues with stability etc.
>
> However I have one location where NAT-T and fragmentation are an issue. The host network provides a 1:1 NAT with a real world IP address for all clients (This is a business centre). The Business centre external firewall blocks and drops all fragmented frames at 1420 bytes.
>
> In Openswan (KLIPS) I have used the “overridemtu=” setting to produce a tunnel which never allows the UDP encap frames to fragment, however I have found that openswan 2.6.33 ignores this directive.
>
> Has this command been removed, negated or replaced?
Not intentionally. Are you perhaps using the mast stack by accident? Set protostack=klips to ensure
you are using klips and not mast. Also if possible, use openswan 2.6.34.
If you still have the issue, do you see a "fixup mtu" line on startup?
Paul