[Openswan Users] missing packets

Alonso Manilla alonso.manilla at gmail.com
Fri May 10 14:42:27 UTC 2013


Trying your rule produced a message in dmesg: xt_TCPMSS: Only works on TCP SYN packets

then I found this page: http://c3tech.com.ar/blog/?p=327

with this I set this rule

iptables -I POSTROUTING -t nat -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

This works perfectly now.

Thanks for your help.


--
Alonso Manilla

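Added example, not code from the thread: a small Python checker over tcpdump summary lines like the ones quoted below. It flags SYN/SYN-ACK segments advertising an MSS larger than the tunnel can carry (the condition that MSS clamping corrects) and flows whose first captured data segment does not start at relative sequence 1, as in the quoted capture where the 1449:2381 segment is present but no line covers bytes 1:1449, exactly one full 1448-byte segment (1460 minus the 12-byte timestamp option). The 60-byte tunnel overhead passed to tunnel_mss is an assumed placeholder; the real figure depends on the ESP/NAT-T encapsulation in use.

```python
import re

# Constructed sample: three tcpdump lines copied from the thread below, re-joined onto
# single lines (the mail client wrapped them). Addresses keep the poster's XX redaction.
CAPTURE = """\
11:49:36.687277 IP 128.9.55.102.9080 > 172.XX.XX.XX.53464: Flags [S.], seq 3217152997, ack 1868879689, win 5792, options [mss 1460,sackOK,TS val 3424381659 ecr 26676634,nop,wscale 7], length 0
11:49:36.871684 IP 128.9.55.102.9080 > 172.XX.XX.XX.53464: Flags [.], ack 183, win 54, options [nop,nop,TS val 3424381818 ecr 26676674], length 0
11:49:37.010269 IP 128.9.55.102.9080 > 172.XX.XX.XX.53464: Flags [P.], seq 1449:2381, ack 183, win 54, options [nop,nop,TS val 3424381862 ecr 26676674], length 932
"""

HEAD = re.compile(r"IP (?P<src>\S+) > (?P<dst>\S+): Flags \[(?P<flags>[^\]]*)\]")
SEQ = re.compile(r"seq (\d+):(\d+)")   # relative byte range of a data segment
MSS = re.compile(r"mss (\d+)")         # MSS option, only present on SYN / SYN-ACK
LEN = re.compile(r"length (\d+)$")

def parse(text):
    """Turn tcpdump summary lines into dicts; lines that are not summaries are skipped."""
    out = []
    for line in text.splitlines():
        line = line.rstrip()
        h = HEAD.search(line)
        if not h:
            continue
        d = h.groupdict()
        s, m, n = SEQ.search(line), MSS.search(line), LEN.search(line)
        d["seq"] = (int(s.group(1)), int(s.group(2))) if s else None
        d["mss"] = int(m.group(1)) if m else None
        d["len"] = int(n.group(1)) if n else 0
        out.append(d)
    return out

def tunnel_mss(path_mtu, tunnel_overhead):
    """Largest TCP payload that fits: path MTU minus tunnel overhead minus IP+TCP headers (40)."""
    return path_mtu - tunnel_overhead - 40

def unclamped_syns(segments, max_mss):
    """SYN/SYN-ACK segments that advertise an MSS the tunnel cannot carry unfragmented."""
    return [(s["src"], s["dst"], s["mss"]) for s in segments
            if "S" in s["flags"] and s["mss"] is not None and s["mss"] > max_mss]

def missing_leading_data(segments):
    """Per flow: bytes before the first captured data segment that no line covers.
    A gap of one full-size segment is the classic signature of a lost full-MTU packet."""
    gaps = {}
    for s in segments:
        key = (s["src"], s["dst"])
        if s["len"] and s["seq"] and key not in gaps:
            gaps[key] = s["seq"][0] - 1
    return {k: v for k, v in gaps.items() if v > 0}
```

Run it against a capture taken on the tunnel endpoint before and after adding the TCPMSS rule: the SYN-ACK's advertised MSS should drop below the tunnel limit and the leading gap should disappear.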

2013/5/9 Leto <letoams at gmail.com>

>
> You have an MTU problem: try:
>
> iptables -I FORWARD -p tcp -j TCPMSS --clamp-mss-to-pmtu
>
>
>
> sent from a tiny device
>
> On 2013-05-09, at 13:56, Alonso Manilla <alonso.manilla at gmail.com> wrote:
>
> Hi,
>
> I have a vpn up from a linux (ubuntu 12.04 kernel 3.2) to a stonegate
> provider with this ipsec.conf:
>
> ################ /etc/ipsec.conf ###################
> version 2.0
> config setup
> plutoopts="--perpeerlog"
> dumpdir=/var/run/pluto/
> nat_traversal=yes
> virtual_private=%v4:128.9.0.0/16,%v4:172.XX.XX.XX/32
> oe=off
> protostack=netkey
> plutostderrlog=/var/log/debug/pluto.log
> interfaces=%defaultroute
> conn burocredito
>         type=tunnel
> ######### ubuntu
>         left=85.YY.YYY.YYY
>         leftsubnet=172.XX.XX.XX/32
>         leftnexthop=%defaultroute
> ######### stonegate
>         right=200.76.208.137
>         rightid=128.100.100.1
>         rightsubnet=128.9.0.0/16
>         rightnexthop=%defaultroute
>         pfs=yes
>         auto=start
>         ike=3des-md5;modp1024
>         keylife=60m
>         authby=secret
>         ikelifetime=1440m
>         esp=3des-md5
>         compress=no
>         forceencaps= yes
>
>
> I send a ping and it's OK, but when I send telnet info I lose the answer
> from the stonegate.
>
> Using tcpdump I can see the data (XML for web services) is there, but I
> can't forward it to the browser (web services) or to the console (telnet); this is what
> I get:
>
> 11:49:33.139349 IP 128.9.55.102.9080 > 172.XX.XX.XX.53442: Flags [.], ack
> 1939285834, win 54, options [nop,nop,TS val 3424378112 ecr 26675747],
> length 0
> E..4.. at .>.... 7f...
> #x....|.s.'J...6.......
> ......
> #
> 11:49:36.687277 IP 128.9.55.102.9080 > 172.XX.XX.XX.53464: Flags [S.], seq
> 3217152997, ack 1868879689, win 5792, options [mss 1460,sackOK,TS val
> 3424381659 ecr 26676634,nop,wscale 7], length 0
> E..<.. at .>..,. 7f...
> #x......od.I....%..........
> ......
> 11:49:36.871684 IP 128.9.55.102.9080 > 172.XX.XX.XX.53464: Flags [.], ack
> 183, win 54, options [nop,nop,TS val 3424381818 ecr 26676674], length 0
> E..40. at .>.... 7f...
> #x......od.....6i......
> ...z..
> 11:49:37.010269 IP 128.9.55.102.9080 > 172.XX.XX.XX.53464: Flags [P.], seq
> 1449:2381, ack 183, win 54, options [nop,nop,TS val 3424381862 ecr
> 26676674], length 932
> E...0. at .>.... 7f...
> #x......od.....6.......
> .tput message="tns:consultaXMLResponse">
>     </output>
>     </operation>
>   </portType>
>   <binding name="WSConsultaPortBinding" type="tns:WSConsultaDelegate">
>     <soap:binding style="document" transport="
> http://schemas.xmlsoap.org/soap/http"/>
>     <operation name="consultaCC">
>       <soap:operation soapAction=""/>
>       <input>
>         <soap:body use="literal"/>
>       </input>
>       <output>
>         <soap:body use="literal"/>
>       </output>
>     </operation>
>     <operation name="consultaXML">
>       <soap:operation soapAction=""/>
>       <input>
>         <soap:body use="literal"/>
>       </input>
>       <output>
>         <soap:body use="literal"/>
>       </output>
>     </operation>
>   </binding>
>   <service name="WSConsultaService">
>     <port name="WSConsultaPort" binding="tns:WSConsultaPortBinding">
>       <soap:address location="
> http://128.9.55.102:9080/WSConsultaBCC/WSConsultaService"/>
>     </port>
>   </service>
> </definitions>
>
>
> 11:49:37.010488 IP 128.9.55.102.9080 > 172.XX.XX.XX.53464: Flags [FP.],
> seq 2381:2386, ack 183, win 54, options [nop,nop,TS val 3424381864 ecr
> 26676674], length 5
> E..90. at .>.... 7f...
> #x.....2od.....6.......
> .0....
>
>
> 11:50:06.868990 IP 128.9.55.102.9080 > 172.XX.XX.XX.53464: Flags [.], ack
> 184, win 54, options [nop,nop,TS val 3424411845 ecr 26684178], length 0
> E..40. at .>.... 7f...
> #x.....8od.....6.......
> ..`...+.
>
>
> I just tried with iptables (I'm not an expert) to forward, but I don't know what
> else I need to make it work.
>
>
> Can you help me please to find a solution?
>
> --
> Alonso Manilla
>
> _______________________________________________
> Users at lists.openswan.org
> https://lists.openswan.org/mailman/listinfo/users
> Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
> Building and Integrating Virtual Private Networks with Openswan:
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
>
>

