[Openswan Users] Where did routes go with Openswan 2.6.31?

Michael H. Warfield mhw at WittsEnd.com
Mon Mar 14 11:37:27 EDT 2011 

On Mon, 2011-03-14 at 11:16 -0400, Michael H. Warfield wrote: 
> On Mon, 2011-03-14 at 09:45 -0500, Greg Scott wrote: 
> > Ø  That's a problem with Windows, and most likely the bug around the number of routes with 
> > 
> > Ø  non-default MTU routes incrementing but never decrementing.  Over time, this caused Windows 
> > 
> > Ø  machines to become unresponsive over the network.
> > 
> >  
> > 
> > No. This behavior was different. I was apparently advertising the
> > default MTU size of 1500. So Windows believed me and sent 1500 byte
> > packets over the tunnel to the other end of the RDP session. But with
> > the IPSEC overhead, the highest I could support was 1440 or something
> > like that. Somewhere along the line those 1500 byte packets would get
> > fragmented and then never reconnected back together on the other end.
> > So the RDP tunnel would crash. This happened to lots of PCs. Not all,
> > but lots. The first workaround was to reduce the MTU size in one of
> > the offending PCs. This worked, but of course only for that PC. The
> > best workaround we could come up with at the time was to just lower
> > the MTU size I advertised. Thus the updown script. 
> > 
> >  
> > 
> > So now, with no traditional looking routes over the tunnel, what am I
> > advertising for MTU and will some apps that send large packets break
> > as before?

> Now THAT sounds like a PMTU discovery problem.  Are you blocking ICMP
> packets at some point, like a firewall?  If so, that's your real
> problem, and it's a very common mistake made in firewall configurations.
> You can not block all ICMP or things exactly like this will fail.  It
> will even fail with PPP (or PPPOE) links in the middle of routes.
> Anywhere the MTU is reduced will trigger this if the ICMP error return
> "HOST_UNREACH" "WOULD_FRAGMENT" is blocked from getting back to the
> sender.

> It's not that they are fragmented along the way, it's just the opposite.
> PMTU discovery works by sending a large packet (well, starts with the
> local MTU) with the "DF" (Don't Fragment) flag set.  If it gets an ICMP
> error back, it reduces its effective MTU and tries again.  If it doesn't
> get an error, it assumes the packet got there and sticks with that MTU.
> If you block that ICMP, the connection breaks by timing out when the
> packets are dropped and the error ignored because the error never gets
> to the sender.

> This is not an Openswan problem at all.  This is most likely a firewall
> configuration error at some point somewhere, IMHO.

I should have added...  There are tools on both Windows and Linux to
test for this including traceroute --mtu and tracepath.  More
information here:

http://packetlife.net/blog/2008/aug/18/path-mtu-discovery/

> > -          Greg
> 
> Regards,
> Mike

-- 
Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 482 bytes
Desc: This is a digitally signed message part
Url : http://lists.openswan.org/pipermail/users/attachments/20110314/03a1b2c4/attachment.bin

More information about the Users mailing list