[Openswan Users] Tunnel up, some hosts work, others don't.

Richard Whittaker richard at avits.ca
Thu Feb 26 13:56:08 EST 2015


On 2015-02-26 10:41, Simon Deziel wrote:
>
> This looks like PMTU issue. I'd give "iptables --clamp-mss-to-pmtu" a
> try.
>> Would I set this on my end points, or on the servers I have acting as
>> gateways?..
> I'd say both.

I set it on the gateways and the server at 192.168.64.9, and no joy. The 
rules on the remote server aren't even being triggered.

root at db2:~# iptables -L -v
Chain INPUT (policy ACCEPT 126 packets, 14000 bytes)
  pkts bytes target     prot opt in     out     source destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
  pkts bytes target     prot opt in     out     source destination
     0     0 TCPMSS     tcp  --  any    any     anywhere             anywhere             tcpflags: SYN,RST/SYN TCPMSS clamp to PMTU

Chain OUTPUT (policy ACCEPT 94 packets, 16657 bytes)
  pkts bytes target     prot opt in     out     source destination
root at db2:~# iptables -t mangle -L -v
Chain PREROUTING (policy ACCEPT 371 packets, 37556 bytes)
  pkts bytes target     prot opt in     out     source destination

Chain INPUT (policy ACCEPT 371 packets, 37556 bytes)
  pkts bytes target     prot opt in     out     source destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
  pkts bytes target     prot opt in     out     source destination
     0     0 TCPMSS     tcp  --  any    any     anywhere             anywhere             tcpflags: SYN,RST/SYN TCPMSS clamp to PMTU

Chain OUTPUT (policy ACCEPT 252 packets, 37902 bytes)
  pkts bytes target     prot opt in     out     source destination

Chain POSTROUTING (policy ACCEPT 252 packets, 37902 bytes)
  pkts bytes target     prot opt in     out     source destination
root at db2:~#

The rules on the firewalls/gateways are being triggered, but it's still 
not resulting in anything.

on 192.168.0.1....

root at valiant:~# iptables -t mangle -L -v
Chain PREROUTING (policy ACCEPT 147K packets, 72M bytes)
  pkts bytes target     prot opt in     out     source destination

Chain INPUT (policy ACCEPT 10374 packets, 3353K bytes)
  pkts bytes target     prot opt in     out     source destination

Chain FORWARD (policy ACCEPT 137K packets, 68M bytes)
  pkts bytes target     prot opt in     out     source destination
    49  2800 TCPMSS     tcp  --  any    any     192.168.0.0/18       192.168.64.0/18      tcpflags: SYN,RST/SYN TCPMSS clamp to PMTU

Chain OUTPUT (policy ACCEPT 10535 packets, 3443K bytes)
  pkts bytes target     prot opt in     out     source destination

Chain POSTROUTING (policy ACCEPT 148K packets, 72M bytes)
  pkts bytes target     prot opt in     out     source destination
root at valiant:~#

...and on 192.168.64.1.

root at avits-backups:~# iptables -t mangle -L -v
Chain PREROUTING (policy ACCEPT 4616 packets, 768K bytes)
  pkts bytes target     prot opt in     out     source destination

Chain INPUT (policy ACCEPT 3101 packets, 469K bytes)
  pkts bytes target     prot opt in     out     source destination

Chain FORWARD (policy ACCEPT 1515 packets, 299K bytes)
  pkts bytes target     prot opt in     out     source destination
    39  2200 TCPMSS     tcp  --  any    any     192.168.64.0/18      192.168.0.0/18       tcpflags: SYN,RST/SYN TCPMSS clamp to PMTU

Chain OUTPUT (policy ACCEPT 2957 packets, 498K bytes)
  pkts bytes target     prot opt in     out     source destination

Chain POSTROUTING (policy ACCEPT 4479 packets, 797K bytes)
  pkts bytes target     prot opt in     out     source destination
root at avits-backups:~#

Thanks!
Richard

-- 
Alberni Valley IT Services
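Editor's note and added example, not part of Richard's message or of the Openswan project. The counters in the listings above point at two separate things. On db2 the FORWARD rule sits at 0 packets because db2 is an endpoint host, not a router: packets it originates or terminates go through OUTPUT and INPUT and never traverse FORWARD, so on a host the clamping rule belongs in mangle OUTPUT (the kernel accepts path-MTU clamping only in the FORWARD, OUTPUT and POSTROUTING hooks). On the two gateways the rule does match SYNs (49 and 39 packets), but --clamp-mss-to-pmtu takes the MTU from the route the SYN leaves on; with the NETKEY/XFRM stack there is no tunnel interface with a smaller MTU, so that route is the physical NIC at 1500 and the clamp changes nothing. The POSIX sh script below derives an explicit --set-mss value from the ESP overhead and prints or applies the rules for either role. Its parameters are my assumptions, not anything stated in the thread: outer MTU 1500, ESP tunnel mode with AES-CBC (16-byte IV) and HMAC-SHA1-96 (12-byte ICV), NAT-T UDP encapsulation possibly in use; the 192.168.0.0/18 and 192.168.64.0/18 subnets are taken from the gateway listings above.

```shell
#!/bin/sh
# Added example (not from the original thread): MSS clamping for a
# policy-based IPsec tunnel, placed in the chain that actually sees the SYN.
#
# Assumptions (mine, not the poster's): outer path MTU 1500, ESP tunnel mode,
# AES-CBC (16-byte IV), HMAC-SHA1-96 (12-byte ICV), NAT-T UDP encapsulation
# possibly present. Adjust the arguments to match your actual proposal.

# Largest TCP MSS whose segment still fits in one outer ESP packet.
# usage: ipsec_tcp_mss <outer_mtu> <nat_t 0|1> <iv_len> <icv_len>
ipsec_tcp_mss() {
    outer_mtu=$1; nat_t=$2; iv_len=$3; icv_len=$4
    # Worst-case tunnel-mode ESP overhead:
    #   outer IPv4 header 20 + ESP SPI/sequence 8 + IV + up to 15 pad bytes
    #   + pad-length/next-header trailer 2 + ICV, plus 8 for the NAT-T UDP
    #   header when encapsulation is in use.
    overhead=$((20 + 8 + iv_len + 15 + 2 + icv_len + nat_t * 8))
    # Inner IPv4 header 20 + TCP header 20 (options not counted; conservative).
    echo $((outer_mtu - overhead - 40))
}

# Print the iptables rule(s) for a role. Nothing is executed here.
# usage: mss_rules <gateway|host> <mss>
mss_rules() {
    role=$1; mss=$2
    match="-p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss $mss"
    case "$role" in
        gateway)
            # Routed traffic between the two sites passes through FORWARD.
            echo "iptables -t mangle -A FORWARD -s 192.168.0.0/18 -d 192.168.64.0/18 $match"
            echo "iptables -t mangle -A FORWARD -s 192.168.64.0/18 -d 192.168.0.0/18 $match"
            ;;
        host)
            # A host's own SYN and SYN/ACK leave through OUTPUT; FORWARD never
            # sees them, which is why the db2 counters stay at zero.
            echo "iptables -t mangle -A OUTPUT $match"
            ;;
        *)
            echo "unknown role: $role (use gateway or host)" >&2
            return 1
            ;;
    esac
}

# "show" prints the rules; "apply" runs them (needs root and iptables).
# Second argument is the role, defaulting to host.
case "${1:-}" in
    show|apply)
        role=${2:-host}
        mss=$(ipsec_tcp_mss 1500 1 16 12)    # 1379 with the assumptions above
        if [ "$1" = apply ]; then
            mss_rules "$role" "$mss" | sh -e
        else
            mss_rules "$role" "$mss"
        fi
        ;;
esac
```

Usage: `sh mss-clamp.sh show host` prints the rule for a host such as db2; `sh mss-clamp.sh apply gateway` runs the two FORWARD rules on a gateway and needs root (the file name mss-clamp.sh is hypothetical). After applying, `iptables -t mangle -L OUTPUT -v` on the host should show the rule's counter rising with each new connection, and `tcpdump -n 'tcp[tcpflags] & tcp-syn != 0'` on either side should show the advertised MSS at the clamped value. Drop the NAT-T argument to 0 if your SAs are not UDP-encapsulated, and raise the ICV length to 16 for SHA-256.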
