[Openswan Users] Tunnel up, some hosts work, others don't.
Richard Whittaker
richard at avits.ca
Thu Feb 26 13:56:08 EST 2015
On 2015-02-26 10:41, Simon Deziel wrote:
>
> This looks like a PMTU issue. I'd give "iptables --clamp-mss-to-pmtu" a
> try.
>> Would I set this on my end points, or on the servers I have acting as
>> gateways?
> I'd say both.
I set it on the gateways and the server at 192.168.64.9, and no joy. The
rules on the remote server aren't even being triggered.
root at db2:~# iptables -L -v
Chain INPUT (policy ACCEPT 126 packets, 14000 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 TCPMSS tcp -- any any anywhere anywhere tcpflags: SYN,RST/SYN TCPMSS clamp to PMTU
Chain OUTPUT (policy ACCEPT 94 packets, 16657 bytes)
pkts bytes target prot opt in out source destination
root at db2:~# iptables -t mangle -L -v
Chain PREROUTING (policy ACCEPT 371 packets, 37556 bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 371 packets, 37556 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 TCPMSS tcp -- any any anywhere anywhere tcpflags: SYN,RST/SYN TCPMSS clamp to PMTU
Chain OUTPUT (policy ACCEPT 252 packets, 37902 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 252 packets, 37902 bytes)
pkts bytes target prot opt in out source destination
root at db2:~#
The rules on the firewalls/gateways are being triggered, but it's still
not resulting in anything.
on 192.168.0.1....
root at valiant:~# iptables -t mangle -L -v
Chain PREROUTING (policy ACCEPT 147K packets, 72M bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 10374 packets, 3353K bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 137K packets, 68M bytes)
pkts bytes target prot opt in out source destination
49 2800 TCPMSS tcp -- any any 192.168.0.0/18 192.168.64.0/18 tcpflags: SYN,RST/SYN TCPMSS clamp to PMTU
Chain OUTPUT (policy ACCEPT 10535 packets, 3443K bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 148K packets, 72M bytes)
pkts bytes target prot opt in out source destination
root at valiant:~#
...and on 192.168.64.1.
root at avits-backups:~# iptables -t mangle -L -v
Chain PREROUTING (policy ACCEPT 4616 packets, 768K bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 3101 packets, 469K bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 1515 packets, 299K bytes)
pkts bytes target prot opt in out source destination
39 2200 TCPMSS tcp -- any any 192.168.64.0/18 192.168.0.0/18 tcpflags: SYN,RST/SYN TCPMSS clamp to PMTU
Chain OUTPUT (policy ACCEPT 2957 packets, 498K bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 4479 packets, 797K bytes)
pkts bytes target prot opt in out source destination
root at avits-backups:~#
Thanks!
Richard
--
Alberni Valley IT Services
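Two points a practitioner will want alongside the counters above. First, packets a host generates itself traverse the OUTPUT chain, never FORWARD; a TCPMSS rule in mangle FORWARD on a non-forwarding end host such as db2 cannot match anything, and the kernel only accepts --clamp-mss-to-pmtu in the FORWARD, OUTPUT and POSTROUTING hooks, so on an end host the rule belongs in mangle OUTPUT. Second, when clamping to the PMTU has no MTU that reflects the ESP overhead to work from, the usual fallback is an explicit --set-mss computed from the tunnel's encapsulation. The script below is an added example, not code from the thread or from Openswan: it computes that MSS for a tunnel-mode ESP packet from the RFC 4303 header/trailer layout (plus the RFC 3948 UDP header when NAT-T is in use), and emits the rule for the chain the packet will actually traverse. The cipher/integrity parameter table and the 192.168.0.0/18 and 192.168.64.0/18 networks are taken from common transforms and from the thread respectively, and are assumptions for illustration.

```python
"""Explicit TCP MSS for an IPv4 tunnel-mode ESP path, plus the iptables
TCPMSS rule for a gateway (FORWARD) or an end host (OUTPUT).

Added example, not code from the original message or from Openswan.
Overhead figures follow RFC 4303 (ESP) and RFC 3948 (UDP NAT-T);
the transform table below is an assumption for illustration.
"""

OUTER_IPV4 = 20      # outer IPv4 header of a tunnel-mode ESP packet
UDP_NAT_T = 8        # UDP header added by NAT-T encapsulation
ESP_HEADER = 8       # SPI (4) + sequence number (4)
ESP_TRAILER = 2      # pad length (1) + next header (1)
INNER_IPV4_TCP = 40  # inner IPv4 (20) + TCP (20); the MSS excludes both

# (cipher block size, IV length, ICV length) for common ESP transforms.
# HMAC-SHA1-96 truncates the ICV to 12 bytes, HMAC-SHA2-256-128 to 16.
TRANSFORMS = {
    "aes-cbc/hmac-sha1-96":      (16, 16, 12),
    "aes-cbc/hmac-sha2-256-128": (16, 16, 16),
    "3des-cbc/hmac-sha1-96":     (8, 8, 12),
}


def esp_tunnel_mss(path_mtu, transform="aes-cbc/hmac-sha1-96", nat_t=False):
    """Largest MSS whose TCP segment, encrypted and encapsulated in a
    tunnel-mode ESP packet, still fits path_mtu with zero ESP padding."""
    block, iv_len, icv_len = TRANSFORMS[transform]
    fixed = OUTER_IPV4 + ESP_HEADER + iv_len + icv_len
    if nat_t:
        fixed += UDP_NAT_T
    # The encrypted part (inner IP + TCP + payload + padding + trailer)
    # is padded to a whole number of cipher blocks. Take the largest
    # block multiple that fits, then strip the trailer and inner headers.
    encrypted_max = ((path_mtu - fixed) // block) * block
    mss = encrypted_max - ESP_TRAILER - INNER_IPV4_TCP
    if mss <= 0:
        raise ValueError("path MTU too small for this transform")
    return mss


def clamp_rule(role, mss, local_net, remote_net):
    """iptables command that rewrites the MSS option on SYN and SYN/ACK
    packets leaving local_net for remote_net.

    Transit traffic on a gateway passes through FORWARD; a host's own
    TCP traffic never does, so on an end host the rule goes in OUTPUT.
    """
    chain = {"gateway": "FORWARD", "host": "OUTPUT"}[role]
    return (
        f"iptables -t mangle -A {chain} -s {local_net} -d {remote_net} "
        f"-p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss {mss}"
    )


if __name__ == "__main__":
    # Networks from the thread; 1500 is the usual Ethernet path MTU.
    for nat_t in (False, True):
        mss = esp_tunnel_mss(1500, nat_t=nat_t)
        print(f"# NAT-T={nat_t}: MSS {mss}")
        print(clamp_rule("gateway", mss, "192.168.0.0/18", "192.168.64.0/18"))
        print(clamp_rule("host", mss, "192.168.64.0/18", "192.168.0.0/18"))
```

Each gateway in the thread matches SYNs in one direction only (its own LAN towards the remote LAN), which is enough because the remote gateway handles the SYN/ACK coming back; the `--tcp-flags SYN,RST SYN` match covers both. After installing a rule, `iptables -t mangle -L -v` should show its counters moving on the machine whose chain the packets actually traverse, which is the check the zero-hit FORWARD rule on db2 fails.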