[Openswan Users] MySQL over Openswan VPN tunnel

Simon Deziel simon at xelerance.com
Thu Feb 13 08:45:26 EST 2014


Hi Christopher,

I just re-read your first message and noticed you are on Amazon which is
notorious to block ICMP and ESP by default.

Recommendations of things to tweak:

* Allow ICMP in the Security Groups of both sides
* Allow ICMP on both VMs (if using firewall)
* If using host to host IPsec, use transport mode instead of tunnel
* If on a VPC (as opposed to EC2), allow ESP in the Security Groups

Once you have a path between the 2 VMs that is clear for ICMP, the
clamp-mss-to-pmtu will start working.

HTH,
Simon

On 14-02-12 10:47 PM, Simon Deziel wrote:
> Oups, sorry, this one should not complain:
> 
>  iptables -t mangle -I POSTROUTING -p tcp --tcp-flags SYN,RST SYN -j
> TCPMSS --clamp-mss-to-pmtu
> 
> On 14-02-12 06:56 PM, Christopher Slagel wrote:
>> Responds with the following:
>>
>> [root at noxmail1 ~]# iptables -I OUTPUT -p tcp -j TCPMSS --clamp-mss-to-pmtu
>> iptables: Invalid argument. Run `dmesg' for more information.
>>
>>
>>
>>
>>
>> On 2/12/14, 3:25 PM, "Simon Deziel" <simon at xelerance.com> wrote:
>>
>>> You can try this:
>>>
>>>  iptables -I OUTPUT -p tcp -j TCPMSS --clamp-mss-to-pmtu
>>>
>>>
>>>
>>>
>>> On 14-02-12 06:17 PM, Christopher Slagel wrote:
>>>> Simon, as an update, it looks like it’s BETTER but still having some
>>>> problems.  Small queries are now working, but anything over 1 row still
>>>> seems to hang.  I’ve tried lowering the MTU a bit more a couple times
>>>> and
>>>> still no luck.
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> On 2/12/14, 12:56 PM, "Simon Deziel" <simon at xelerance.com> wrote:
>>>>
>>>>> You can first try with running "sudo ifconfig eth0 mtu 1400" directly
>>>>> on
>>>>> the console. This setting will not survive a reboot of course.
>>>>>
>>>>> On 14-02-12 03:53 PM, Christopher Slagel wrote:
>>>>>> Thanks Simon.  Through some research I found that that might be the
>>>>>> issue,
>>>>>> and I¹ve tried editing our /etc/sysconfig/network-scripts/ifcfg-eth0
>>>>>> files
>>>>>> and messing with the MTU (adding MTU=³xyz²), but don¹t seem to be
>>>>>> having
>>>>>> any success.  Is there another way I should try messing with the MTU?
>>>>>>
>>>>>>
>>>>>>
>>>>>> On 2/12/14, 12:50 PM, "Simon Deziel" <simon at xelerance.com> wrote:
>>>>>>
>>>>>>> Hi Christopher,
>>>>>>>
>>>>>>> The problem you describe could well be related to a MTU issue. I'd
>>>>>>> try
>>>>>>> setting a MTU of say 1400 and see if things start working.
>>>>>>>
>>>>>>> HTH,
>>>>>>> Simon
>>>>>>>
>>>>>>> On 14-02-12 03:38 PM, Christopher Slagel wrote:
>>>>>>>> We have a VPN tunnel with Openswan between two AWS regions and our
>>>>>>>> colo
>>>>>>>> facility (Used AWS¹s
>>>>>>>> guide: http://aws.amazon.com/articles/5472675506466066).  Regular
>>>>>>>> usage
>>>>>>>> works OK, but we are having some MySQL issues over the tunnel
>>>>>>>> between
>>>>>>>> all areas.  Using mysql command line client on a linux server works,
>>>>>>>> but
>>>>>>>> trying to connect using the MySQL Connector J it basically stallsŠ
>>>>>>>> it
>>>>>>>> seems to open the connection, but then gets stuck.  It doesn't get
>>>>>>>> denied or anything, just hangs there.  Logging isn¹t picking up
>>>>>>>> anything
>>>>>>>> at all and usually very verbose about errors.  Any input as to what
>>>>>>>> we
>>>>>>>> can do to fix this/improve the connections would be appreciated.
>>>>>>>> Thanks.
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> _______________________________________________
>>>>>>>> Users at lists.openswan.org
>>>>>>>> https://lists.openswan.org/mailman/listinfo/users
>>>>>>>> Micropayments:
>>>>>>>> https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
>>>>>>>> Building and Integrating Virtual Private Networks with Openswan:
>>>>>>>>
>>>>>>>>
>>>>>>>> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283
>>>>>>>> 15
>>>>>>>> 5
>>>>>>>>
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> Users at lists.openswan.org
>>>>>>> https://lists.openswan.org/mailman/listinfo/users
>>>>>>> Micropayments:
>>>>>>> https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
>>>>>>> Building and Integrating Virtual Private Networks with Openswan:
>>>>>>>
>>>>>>>
>>>>>>> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=2831
>>>>>>> 55
>>>>>>
>>>>>>
>>>>>
>>>>
>>>>
>>>
>>
>>
> 



More information about the Users mailing list