[Openswan Users] Tunnel up, some hosts work, others don't.

Richard Whittaker richard at avits.ca
Mon Mar 2 00:42:33 EST 2015


On 2015-02-27 11:11, Simon Deziel wrote:


> Now why is it that this side of the tunnel doesn't see the same MSS values? It
> looks like your source/destination IP criteria for the MSS mangling on
> the gateways could be at fault.

I had set a fixed MSS value on both ends of 1200. I have set them back 
to clamp-mss-to-pmtu on both ends, and source/destination are set to any.

This is the excerpt of iptables -t mangle -L -v

Chain FORWARD (policy ACCEPT 23872 packets, 5403K bytes)
  pkts bytes target     prot opt in     out     source      destination
   875 51656 TCPMSS     tcp  --  any    any     anywhere    anywhere             tcpflags: SYN,RST/SYN TCPMSS clamp to PMTU


>
> Can you try to clamp the MSS to PMTU on all communication crossing the 2
> gateways? I'd expect this to result in the same MSS values to be
> observed on both ends of the tunnel.

The session as seen from 192.168.64.1 (The "far" end)

21:33:10.707748 IP 192.168.0.2.40299 > 192.168.64.9.22: Flags [S], seq 1813730218, win 14600, options [mss 536,sackOK,TS val 496491098 ecr 0,nop,wscale 7], length 0
21:33:10.708039 IP 192.168.64.9.22 > 192.168.0.2.40299: Flags [S.], seq 192726195, ack 1813730219, win 12480, options [mss 1260,sackOK,TS val 719417525 ecr 496491098,nop,wscale 3], length 0

....
and from the "near" end, 192.168.0.1.

21:33:10.694811 IP 192.168.0.2.40299 > 192.168.64.9.22: Flags [S], seq 1813730218, win 14600, options [mss 1460,sackOK,TS val 496491098 ecr 0,nop,wscale 7], length 0
21:33:10.720231 IP 192.168.64.9.22 > 192.168.0.2.40299: Flags [S.], seq 192726195, ack 1813730219, win 12480, options [mss 470,sackOK,TS val 719417525 ecr 496491098,nop,wscale 3], length 0

...and an SSH session from the same 192.168.0.2 host to 192.168.64.4 
(CentOS 5.9, Kernel 2.6), which works and produces a login prompt.

..."far" end..

21:34:53.532837 IP 192.168.0.2.40961 > 192.168.64.4.22: Flags [S], seq 478146717, win 14600, options [mss 536,sackOK,TS val 496516805 ecr 0,nop,wscale 7], length 0
21:34:53.533172 IP 192.168.64.4.22 > 192.168.0.2.40961: Flags [S.], seq 463693580, ack 478146718, win 5792, options [mss 1460,sackOK,TS val 3471804614 ecr 496516805,nop,wscale 7], length 0

..."near" end..

21:34:53.522181 IP 192.168.0.2.40961 > 192.168.64.4.22: Flags [S], seq 478146717, win 14600, options [mss 1460,sackOK,TS val 496516805 ecr 0,nop,wscale 7], length 0
21:34:53.539475 IP 192.168.64.4.22 > 192.168.0.2.40961: Flags [S.], seq 463693580, ack 478146718, win 5792, options [mss 470,sackOK,TS val 3471804614 ecr 496516805,nop,wscale 7], length 0

Really stumped. :/

Regards,
Richard.


-- 
Alberni Valley IT Services
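Added example, not part of the post: a small Python check that pairs each SYN/SYN-ACK in the two tcpdump captures by source, destination and initial sequence number and reports where the MSS was rewritten between the "near" and "far" capture points. The sample captures are the 192.168.64.9 exchange copied from the post; treating the smaller value plus 40 bytes of IPv4/TCP headers as the implied path MTU is an assumption of the example, not something the post states.

```python
import re

# Constructed sample, copied from the post: the SSH SYN/SYN-ACK to 192.168.64.9 as seen
# on the "near" gateway (192.168.0.1) and on the "far" gateway (192.168.64.1).
NEAR_CAPTURE = """\
21:33:10.694811 IP 192.168.0.2.40299 > 192.168.64.9.22: Flags [S], seq 1813730218, win 14600, options [mss 1460,sackOK,TS val 496491098 ecr 0,nop,wscale 7], length 0
21:33:10.720231 IP 192.168.64.9.22 > 192.168.0.2.40299: Flags [S.], seq 192726195, ack 1813730219, win 12480, options [mss 470,sackOK,TS val 719417525 ecr 496491098,nop,wscale 3], length 0
"""
FAR_CAPTURE = """\
21:33:10.707748 IP 192.168.0.2.40299 > 192.168.64.9.22: Flags [S], seq 1813730218, win 14600, options [mss 536,sackOK,TS val 496491098 ecr 0,nop,wscale 7], length 0
21:33:10.708039 IP 192.168.64.9.22 > 192.168.0.2.40299: Flags [S.], seq 192726195, ack 1813730219, win 12480, options [mss 1260,sackOK,TS val 719417525 ecr 496491098,nop,wscale 3], length 0
"""

# tcpdump prints "IP src.port > dst.port: Flags [S]" (or "[S.]" for a SYN-ACK), then the
# initial sequence number and, inside the option list, "mss N".
SYN_RE = re.compile(r'IP (\S+) > (\S+): Flags \[(S\.?)\], seq (\d+),.*?\bmss (\d+)')

# Assumption: 20-byte IPv4 header + 20-byte TCP header, the overhead a PMTU-based
# clamp subtracts when it derives an MSS from the route MTU.
IPV4_TCP_HEADERS = 40


def parse_syn_mss(capture):
    """Map each SYN / SYN-ACK, keyed by (src, dst, initial seq), to the MSS it advertises."""
    seen = {}
    for line in capture.splitlines():
        m = SYN_RE.search(line)
        if m:
            src, dst, _flags, seq, mss = m.groups()
            seen[(src, dst, int(seq))] = int(mss)
    return seen


def compare_mss(near, far):
    """Report the MSS of every SYN/SYN-ACK present in both captures.

    The same segment (same src, dst and ISN) carrying a different MSS at the two
    capture points was rewritten somewhere in between; for those rows the smaller
    value is taken as the clamped one and converted to the path MTU it implies.
    """
    near_mss, far_mss = parse_syn_mss(near), parse_syn_mss(far)
    rows = []
    for key in sorted(near_mss.keys() & far_mss.keys()):
        src, dst, _seq = key
        row = {"src": src, "dst": dst, "near_mss": near_mss[key], "far_mss": far_mss[key],
               "rewritten": near_mss[key] != far_mss[key]}
        if row["rewritten"]:
            row["implied_pmtu"] = min(near_mss[key], far_mss[key]) + IPV4_TCP_HEADERS
        rows.append(row)
    return rows


if __name__ == "__main__":
    for r in compare_mss(NEAR_CAPTURE, FAR_CAPTURE):
        print(r)
```

Run against the 192.168.64.4 exchange from the post the same way to see that the client SYN is clamped to 536 there too while that server's SYN-ACK arrives with 470 rather than its advertised 1460.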
