[Openswan Users] VPN connection established but ...

Durwin thecajun at nmia.com
Mon Nov 12 18:47:11 EST 2012 

Thank you for the explanation.  I did have success at 1492.  Just out of
curiosity, I will play with that ping command.

just for information, I had and still have a Zyxel Q100 modem.  I then
had the netgear FVS114 (currently out of the picture).  That worked with
mtu at 1500.

> You mentioned you had changed from using a netgear router to something
> else, it sounds like a configuration difference which is causing you
> MTU issues, it could be changes from using pppoa to pppoe (which
> reduces MTU from 1500 to 1492) or it could be the case that it always
> was < 1500 and it's now simply a firewall/configuration issue which is
> blocking the ICMP packets which are sent to negotiate smaller MTU
> sizes as Willie Gillespie suggested.
> 
> With the ping command you used as part of your diagnosis the reason
> it's not showing an issues is you have to issue a separate argument to
> set the DF (Don't Fragment) bit on the ping packet to detect MTU
> limits, for linux try:
> 
> ping -M do -s 1472 <some IP address>
> 
> and work down till it gets through (remember that the ICMP packet has
> an overhead of 28 bytes to what ever number you bottom out at hence
> starting at 1500 - 28)

This explains why every time I droped the mtu value it droped a few
bytes more.
> 
> Even if this doesn't answer the questions as to why the fragmentation
> is failing, it might help you find a more reasonable limit than the
> 576 you're using now, but you should really look into the cause of the
> fragmentation issues as it's probably hurting your network performance
> in other ways.
> 
> On 12 November 2012 19:18, TheCajun <thecajun at nmia.com> wrote:
> > Well I changed th mtu on the linux machine at home (one running openswan)
> > to 576 and it appears to have fixed the problem.  So now my question is.
> > Why did everything work with the netgear vpn with the default mtu of
> > 1500?  And, why does it work with default of 1500 from home to office
> > and not from office to home using openswan?
> >
> > Thank you very much.  This has been a puzzle for me and I spent many
> > days on this.

-- 
reality.sys corrupted. universe halted. reboot (y/n)?

Durwin F. De La Rue <thecajun at nmia.com>

More information about the Users mailing list