[Openswan Users] VPN connection established but ...

Robert Laverick robert+vpn at scabserver.com
Mon Nov 12 18:04:10 EST 2012


You mentioned you had changed from using a Netgear router to something
else. It sounds like a configuration difference which is causing you
MTU issues: it could be changes from using PPPoA to PPPoE (which
reduces MTU from 1500 to 1492), or it could be the case that it always
was < 1500 and it's now simply a firewall/configuration issue which is
blocking the ICMP packets which are sent to negotiate smaller MTU
sizes, as Willie Gillespie suggested.

With the ping command you used as part of your diagnosis, the reason
it's not showing any issues is that you have to issue a separate argument
to set the DF (Don't Fragment) bit on the ping packet to detect MTU
limits. For Linux try:

ping -M do -s 1472 <some IP address>

and work down till it gets through (remember that the ICMP packet has
an overhead of 28 bytes on top of whatever number you bottom out at,
hence starting at 1500 - 28).

Even if this doesn't answer the question as to why the fragmentation
is failing, it might help you find a more reasonable limit than the
576 you're using now, but you should really look into the cause of the
fragmentation issues, as it's probably hurting your network performance
in other ways.

On 12 November 2012 19:18, TheCajun <thecajun at nmia.com> wrote:
> Well, I changed the MTU on the Linux machine at home (the one running
> openswan) to 576 and it appears to have fixed the problem.  So now my
> question is: why did everything work with the Netgear VPN with the
> default MTU of 1500?  And why does it work with the default of 1500 from
> home to office and not from office to home using openswan?
>
> Thank you very much.  This has been a puzzle for me and I spent many
> days on this.
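
The "work down till it gets through" procedure from the reply above, automated as a binary search over DF-set pings. This is an added example, not part of the original thread; it assumes Linux iputils `ping`, and the names `find_path_mtu` and `probe_df` are made up here.

```shell
#!/bin/sh
# Added example: find the largest MTU that passes unfragmented (DF bit set).
ICMP_OVERHEAD=28   # 20-byte IPv4 header + 8-byte ICMP header, as in the reply

# Real probe: one echo request with DF set. $1 = host, $2 = payload bytes.
probe_df() {
    ping -M do -c 1 -W 2 -s "$2" "$1" >/dev/null 2>&1
}

# find_path_mtu HOST [PROBE_CMD] [MAX_MTU]
# Prints the largest working MTU; returns 1 if even MTU 576 gets no reply.
# PROBE_CMD is replaceable so the search can be exercised without a network.
find_path_mtu() {
    host=$1
    probe=${2:-probe_df}
    hi=$(( ${3:-1500} - ICMP_OVERHEAD ))
    lo=$(( 576 - ICMP_OVERHEAD ))   # 576 is the fallback used in the thread
    # No reply at the floor means host down or ICMP echo filtered, not an MTU limit.
    "$probe" "$host" "$lo" || return 1
    # Invariant: payload $lo passes; nothing above $hi is a candidate.
    while [ "$lo" -lt "$hi" ]; do
        mid=$(( (lo + hi + 1) / 2 ))
        if "$probe" "$host" "$mid"; then
            lo=$mid
        else
            hi=$(( mid - 1 ))
        fi
    done
    echo $(( lo + ICMP_OVERHEAD ))
}

# Probe a real host only when one is given on the command line.
if [ -n "${1:-}" ]; then
    find_path_mtu "$1" || echo "no reply at MTU 576: host down or ICMP filtered" >&2
fi
```

Each probe sends a single packet, so on a lossy link rerun it before trusting a low result. Run the probe from both ends of the tunnel, since the thread describes a failure in one direction only.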

