[Openswan Users] Tunnel up, some hosts work, others don't.
simon at xelerance.com
Fri Feb 27 14:00:53 EST 2015
On 02/26/2015 01:56 PM, Richard Whittaker wrote:
> On 2015-02-26 10:41, Simon Deziel wrote:
>> This looks like PMTU issue. I'd give "iptables --clamp-mss-to-pmtu" a
>>> Would I set this on my end points, or on the servers I have acting as
>> I'd say both.
> I set it on the gateways and the server at 192.168.64.9, and no joy. The
> rules on the remote server aren't even being triggered.
The remote server being the source and/or destination of the
communication, it only evaluates the INPUT and OUTPUT chains, not the
> The rules on the firewalls/gateways are being triggered, but it's still
> not resulting in anything.
On the gateways, the FORWARD chain is evaluated and that's why you see
hit counts > 0 there.
Typically, mangling the MSS of whatever enters/exits the tunnel should
be good enough. In other words, you shouldn't need to tweak iptables on
the end points, just the VPN gateways.
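
One way to check whether a clamp rule sits in a chain that the host's tunnel traffic actually traverses, given as an added example that is not part of the original message. The function name mss_clamp_check and the sample ruleset are constructed for illustration; input is text in the format printed by `iptables-save -t mangle`.

```shell
#!/bin/sh
# Added example. Reads iptables-save style text on stdin and reports whether a
# TCPMSS rule sits in a chain that matters for the host's role:
#   gateway  - tunnel traffic is forwarded: FORWARD or POSTROUTING
#   endpoint - traffic is locally generated: OUTPUT or POSTROUTING
#              (FORWARD is never traversed, so hit counters stay at 0)
mss_clamp_check() {
    role=$1
    case $role in
        gateway)  useful='FORWARD POSTROUTING' ;;
        endpoint) useful='OUTPUT POSTROUTING' ;;
        *) echo "usage: mss_clamp_check gateway|endpoint" >&2; return 2 ;;
    esac
    # Collect the chains that contain a rule jumping to the TCPMSS target.
    chains=$(awk '$1 == "-A" && /-j TCPMSS/ { print $2 }' | sort -u)
    for c in $chains; do
        for u in $useful; do
            if [ "$c" = "$u" ]; then
                echo "ok for $role: clamp in $c"
                return 0
            fi
        done
    done
    if [ -n "$chains" ]; then
        echo "ineffective for $role: clamp only in" $chains
        return 1
    fi
    echo "missing: no TCPMSS rule"
    return 1
}

# Constructed sample: the usual clamp rule, placed in the mangle FORWARD chain.
SAMPLE_RULES='*mangle
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
COMMIT'

printf '%s\n' "$SAMPLE_RULES" | mss_clamp_check gateway
printf '%s\n' "$SAMPLE_RULES" | mss_clamp_check endpoint || true
```

On a live host the input would come from `iptables-save -t mangle` run as root.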