[Openswan Users] Tunnel up, some hosts work, others don't.

Simon Deziel simon at xelerance.com
Fri Feb 27 14:00:53 EST 2015


On 02/26/2015 01:56 PM, Richard Whittaker wrote:
> On 2015-02-26 10:41, Simon Deziel wrote:
>>
>> This looks like PMTU issue. I'd give "iptables --clamp-mss-to-pmtu" a
>> try.
>>> Would I set this on my end points, or on the servers I have acting as
>>> gateways?..
>> I'd say both.
> 
> I set it on the gateways and the server at 192.168.64.9, and no joy. The
> rules on the remote server aren't even being triggered.

As the remote server is the source and/or destination of the
communication, it only evaluates the INPUT and OUTPUT chains, not the
FORWARD one.

> The rules on the firewalls/gateways are being triggered, but it's still
> not resulting in anything.

On the gateways, the FORWARD chain is evaluated and that's why you see
hit counts > 0 there.

Typically, mangling the MSS of whatever enters/exits the tunnel should
be good enough. In other words, you shouldn't need to tweak iptables on
the end points, just the VPN gateways.

Simon
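To make the gateway-side part of this concrete, below is an added example script (mine, not from the thread, from Richard's setup, or from Openswan) that puts the MSS clamp in the mangle table's FORWARD chain of a VPN gateway, as Simon recommends, and that reads the FORWARD hit counters back so you can tell whether the rule is firing. It assumes the NETKEY stack, where the xt_policy match (`-m policy`) selects packets that are about to enter or have just left the IPsec tunnel (with KLIPS you would match on the ipsec0 interface instead); the fixed fallback value of 1360 and the `apply`/`fixed`/`check` command wiring are illustrative choices of mine.

```shell
#!/bin/sh
# Added example, not code from the thread or from Openswan: MSS clamping on an
# IPsec gateway in the mangle table's FORWARD chain. Transit traffic on a
# gateway is only seen by FORWARD; INPUT and OUTPUT only see connections the
# gateway itself originates or terminates, which is why the same rules placed
# on an end host never get any hits.
#
# Assumptions (illustrative): NETKEY, so "-m policy" (xt_policy) selects
# packets that will be / were ESP-encapsulated; 1360 as a fixed fallback MSS;
# the "apply"/"fixed"/"check" wiring. Run without arguments the script only
# defines functions, so it can be reviewed or tested without root.

# Print the rules instead of executing them. Only the SYN carries the MSS
# option, so match SYN set and RST clear. --dir out = about to enter the
# tunnel, --dir in = just came out of it.
mss_clamp_rules() {
    cat <<'EOF'
iptables -t mangle -A FORWARD -m policy --dir out --pol ipsec -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
iptables -t mangle -A FORWARD -m policy --dir in --pol ipsec -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
EOF
}

# Same rules with a fixed MSS. If a tcpdump of the SYN on the far side shows
# the MSS unchanged after clamping to PMTU, a fixed value (1360 is a common
# choice for IPv4 over ESP) is the usual alternative.
mss_fixed_rules() {
    mss_clamp_rules | sed 's/--clamp-mss-to-pmtu/--set-mss 1360/'
}

# Sum the packet counters of TCPMSS rules from
# "iptables -t mangle -L FORWARD -v -n" read on stdin. Zero after SYNs have
# crossed the tunnel means the rule is in the wrong chain or the match does
# not fire. (Counters over 999 are abbreviated by iptables, e.g. 12K; this
# sums plain numbers only.)
mss_clamp_hits() {
    awk '$3 == "TCPMSS" { sum += $1 } END { print sum + 0 }'
}

case "$1" in
    apply)  mss_clamp_rules | sh -e ;;
    fixed)  mss_fixed_rules | sh -e ;;
    check)  iptables -t mangle -L FORWARD -v -n | mss_clamp_hits ;;
esac
```

Usage on the gateway: `sh mss-clamp.sh apply` (or `fixed`), then generate a few TCP connections through the tunnel and run `sh mss-clamp.sh check`; a count that stays at 0 is the same symptom Richard saw on the end host, and means the packets are not passing through the chain the rule is in.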
