[Openswan Users] Where did routes go with Openswan 2.6.31?

Willie Gillespie wgillespie+openswan at es2eng.com
Mon Mar 14 21:56:36 EDT 2011

On 3/14/2011 9:16 AM, Michael H. Warfield wrote:
> Now THAT sounds like a PMTU discovery problem.  Are you blocking ICMP
> packets at some point, like a firewall?  If so, that's your real
> problem, and it's a very common mistake made in firewall configurations.
> You can not block all ICMP or things exactly like this will fail.  It
> will even fail with PPP (or PPPOE) links in the middle of routes.
> Anywhere the MTU is reduced will trigger this if the ICMP error return
> "HOST_UNREACH" "WOULD_FRAGMENT" is blocked from getting back to the
> sender.
> It's not that they are fragmented along the way, it's just the opposite.
> PMTU discovery works by sending a large packet (well, starts with the
> local MTU) with the "DF" (Don't Fragment) flag set.  If it gets an ICMP
> error back, it reduces its effective MTU and tries again.  If it doesn't
> get an error, it assumes the packet got there and sticks with that MTU.
> If you block that ICMP, the connection breaks by timing out when the
> packets are dropped and the error ignored because the error never gets
> to the sender.

I had an ISP that blocked all ICMP packets once (besides echo and 
echo-reply).  It drove me nuts -- especially since their MTU _was_ lower 
than regular Ethernet in some cases.  Needless to say, I am no longer 
their customer (for more reasons than just this).

Some people think they are being more secure by blocking *all* ICMP 
packets -- they don't realize they are actually breaking things.

More information about the Users mailing list