[Openswan Users] Where did routes go with Openswan 2.6.31?
Willie Gillespie
wgillespie+openswan at es2eng.com
Mon Mar 14 21:56:36 EDT 2011
On 3/14/2011 9:16 AM, Michael H. Warfield wrote:
> Now THAT sounds like a PMTU discovery problem. Are you blocking ICMP
> packets at some point, like a firewall? If so, that's your real
> problem, and it's a very common mistake made in firewall configurations.
> You cannot block all ICMP or things exactly like this will fail. It
> will even fail with PPP (or PPPoE) links in the middle of routes.
> Anywhere the MTU is reduced will trigger this if the ICMP error return
> "HOST_UNREACH" "WOULD_FRAGMENT" is blocked from getting back to the
> sender.
>
> It's not that they are fragmented along the way; it's just the opposite.
> PMTU discovery works by sending a large packet (well, starts with the
> local MTU) with the "DF" (Don't Fragment) flag set. If it gets an ICMP
> error back, it reduces its effective MTU and tries again. If it doesn't
> get an error, it assumes the packet got there and sticks with that MTU.
> If you block that ICMP, the connection breaks by timing out when the
> packets are dropped and the error ignored because the error never gets
> to the sender.
I had an ISP that blocked all ICMP packets once (besides echo and
echo-reply). It drove me nuts -- especially since their MTU _was_ lower
than regular Ethernet in some cases. Needless to say, I am no longer
their customer (for more reasons than just this).
Some people think they are being more secure by blocking *all* ICMP
packets -- they don't realize they are actually breaking things.
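An added example, not from the thread or from Openswan, that models the PMTU discovery exchange Michael describes: a sender with DF set shrinks its MTU each time a router returns ICMP Fragmentation Needed (type 3, code 4), and the same sender stalls when a firewall on the return path drops that ICMP. The link MTUs, the firewall flag and the retry budget are constructed for the simulation.

```python
from dataclasses import dataclass

# ICMP message a router sends when a DF packet exceeds the next link's MTU:
# type 3 (Destination Unreachable), code 4 (Fragmentation Needed and DF set).
ICMP_FRAG_NEEDED = (3, 4)


@dataclass
class Path:
    """Constructed path model: the MTU of each successive link, and whether a
    firewall on the return path drops ICMP type 3 / code 4 before it reaches
    the sender (the misconfiguration discussed in the thread)."""
    link_mtus: list
    blocks_icmp_frag_needed: bool = False

    def send(self, size, df=True):
        """Return ("delivered", None), ("icmp", next_hop_mtu) or ("dropped", None)."""
        for mtu in self.link_mtus:
            if size <= mtu:
                continue                  # fits on this link
            if not df:
                continue                  # router fragments; data still arrives
            if self.blocks_icmp_frag_needed:
                return ("dropped", None)  # packet lost, error never reaches sender
            return ("icmp", mtu)          # router reports the MTU it could not cross
        return ("delivered", None)


def discover_pmtu(path, local_mtu=1500, max_retries=5):
    """RFC 1191-style sender: start at the local MTU with DF set, shrink on each
    ICMP Fragmentation Needed, and give up after max_retries silent drops.
    Returns (status, mtu, attempts) with status "ok" or "timeout"."""
    mtu = local_mtu
    for attempt in range(1, max_retries + 1):
        result, next_mtu = path.send(mtu, df=True)
        if result == "delivered":
            return ("ok", mtu, attempt)
        if result == "icmp":
            mtu = next_mtu                # reduce effective MTU and try again
        # "dropped": the sender learns nothing and retransmits the same size
    return ("timeout", mtu, max_retries)


if __name__ == "__main__":
    working = Path([1500, 1492, 1400])
    broken = Path([1500, 1492, 1400], blocks_icmp_frag_needed=True)
    print("ICMP allowed:", discover_pmtu(working))
    print("ICMP blocked:", discover_pmtu(broken))
    # Small packets (an interactive login prompt, a ping) still cross the
    # broken path, which is why such links appear to "half work".
    print("small packet on blocked path:", broken.send(200))
```

The working path converges on the smallest link MTU in three tries; the blocked path never learns it and times out at the original size, while small packets continue to get through.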